View Full Version : Smitfraud-c et al - been 3 days...HELP PLEASE?
podinbristol
2006-11-27, 01:05
Please, I also been having problems for 3 nights now, trying to get rid of smitfraud-c and toolbar888 and other things. I have tried everything advised on the net, in forums etc. As advised to another poster in this forum, tried eTrust AV scanner, Ewido (AGV antivirus) HJT, SmitRem etc. All logs below.
I would be so grateful if anyone could have a look at these logs and see if they can help at all with any of this? Hope it makes sense? : )
Logs & reports:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 19:53:48 26/11/2006
+ Scan result:
C:\WINDOWS\system32\efcabaa.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\drvwaw.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Ignored.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@microsoftuk.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
::Report end
Pocket Killbox version 2.0.0.881
Running on Windows XP as Compaq_Owner(Administrator)
was started @ Sunday, November 26, 2006, 2:39 PM
# 1 [Delete on Reboot]
Path = c:\windows\system32\qla.dll
# 2 [Delete on Reboot]
Path = c:\windows\system32\ishost.exe
PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:42:37 PM
Killbox Closed(Exit) @ 2:42:39 PM
__________________________________________________
smitRem © log file
version 3.2
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
"IE"="7.0000"
The current date is: 26/11/2006
The current time is: 16:59:17.65
Running from
C:\Documents and Settings\Compaq_Owner\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appinitdll check ........ Thank you Grinler!
dumphive.exe (C)2000-2004 Markus Stephany
REGEDIT4
[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
XP Firewall allowed access
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"="C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe:*:Enabled:CyberLink PowerCinema"
"C:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"="C:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
checking for drsmartload2 key
drsmartload2 key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
ismini.exe
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
Most recent HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 21:48:43, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtid.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
I hope this all means something to someone! Many thanks.
c
Hi podinbristol
Rename HijackThis.exe to HJT.exe
Also do this:
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
Send:
- a fresh HijackThis log
- smitfraudfix report
podinbristol
2006-11-27, 20:33
Hi, thanks so much for your response. Unfortunately, in the absence of a response I read other similar posts and tried the fixes given..........
I already renamed HJT and ran Smitfix, but of course I will run it again. In the meantime I am sending you log files from Panda Active Scan which found 9 intances of spyware. A scan afterwards with VundoFix found nothing tho, and last log from HJT.
I also have a Combo Report and DrWeb report but is in .cvs format which cannot be attached, but can cut & paste it if it would help to see it?, and the Combo report exceeds the attachment limit.
Running SmitFix & HJT again.....many thanks...
Logfile of HijackThis v1.99.1
Scan saved at 18:16:32, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {2257A0A0-A274-4146-98EC-4C90ABD6248E} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D20BBD9B-F720-48D3-8C60-D3CF03CC2AC5} - C:\WINDOWS\system32\vturr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtid.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
podinbristol
2006-11-27, 20:39
Here are logs of Smitfix and new HJT as requested.
Logfile of HijackThis v1.99.1
Scan saved at 18:37:45, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {2257A0A0-A274-4146-98EC-4C90ABD6248E} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D20BBD9B-F720-48D3-8C60-D3CF03CC2AC5} - C:\WINDOWS\system32\vturr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtid.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
You're running HijackThis from a temp folder and that's a bad thing
Use this (http://downloads.malwareremoval.com/hijackthis_sfx.exe) link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Rename HijackThis.exe to HJT.exe after that.
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {2257A0A0-A274-4146-98EC-4C90ABD6248E} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D20BBD9B-F720-48D3-8C60-D3CF03CC2AC5} - C:\WINDOWS\system32\vturr.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvtid.dll,startup
Close all windows including browser and press fix checked
Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.
Please run Killbox.
Select "Delete on Reboot" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\gcqudubr.dll
C:\WINDOWS\system32\joiydvvt.dll
C:\WINDOWS\system32\jyqjjoda.dll
C:\WINDOWS\system32\mlvabxxa.dll
C:\WINDOWS\system32\oecypgrf.dll
C:\WINDOWS\system32\rjwtwbdl.dll
C:\WINDOWS\system32\rkyvdrss.dll
C:\WINDOWS\system32\rlgukqfs.dll
C:\WINDOWS\system32\xlcwwdro.dll
C:\WINDOWS\system32\drvtid.dll
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..
If your computer does not restart automatically, please restart it manually.
Re-scan with panda
Send:
- a fresh HijackThis log
- panda report
podinbristol
2006-11-28, 15:09
Hi Shaba,
Sorry for not getting back to you - the panda scan took over 2 hours and it was getting late. But, I was lucky that a friend who I didn't realise had virus/malware experience, came round last night and sorted it all out for me. Thank you so much for all your help, I sure have learnt a lot about this sort of thing!
My PC is now clean, except I get an error message at startup "error loading c:\windows\system32\drvtid.dll, specified module could not be found." My friend says its because its trying to reload the spyware which is no longer there. Would deleting that line from HJT sort it out? : )
podinbristol
2006-11-28, 15:13
latest HJT log. Does it all look ok to you? Thanks : )
Logfile of HijackThis v1.99.1
Scan saved at 13:10:40, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\HijackThis\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi
I don't see related line in log any more. However, I'd like to see panda report, too :)
podinbristol
2006-11-29, 19:36
Yes, I deleted that line in HJT!
BUT, look at the Panda scan attached! Ahhhh!
How can this happen again? I have Norton, AVG & Ewido, and I have not been anywhere even remotely dodgy!
Hi
Well, there's probably something that downloads it back.
Empty this folder:
C:\!KillBox\
Delete these:
C:\WINDOWS\system32\drvcul.dll
C:\WINDOWS\system32\drvfuh.dll
C:\WINDOWS\system32\drvlek.dll
Empty Recycle Bin
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Send:
- a fresh HijackThis log
- kaspersky report
podinbristol
2006-11-30, 00:29
Kaspersky scan:
KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Wednesday, November 29, 2006 10:17:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build
2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/11/2006
Kaspersky Anti-Virus database records: 246778
Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue
Scan TargetMy Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
Scan Statistics
Total number of scanned objects98442
Number of viruses found9
Number of infected objects39 / 0
Number of suspicious objects0
Duration of the scan process00:56:02
Infected Object NameVirus NameLast Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common
Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\LiveUpdate\2006-11-29_Log.ALUSchedulerSvc.LiveUpdate Object
is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\SrtETmp\B1B0F39B.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application
Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked
skipped
C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\Reboot.exe
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and
Settings\Compaq_Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and
Settings\Compaq_Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix.zip ZIP:
infected - 1 skipped
C:\Documents and Settings\Compaq_Owner\DoctorWeb\Quarantine\fsvupdt0.dll
Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Compaq_Owner\DoctorWeb\Quarantine\fsvupdtq.dll
Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local
Settings\History\History.IE5\MSHist012006112920061130\index.dat Object is
locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFBD7.tmp
Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFDD7.tmp
Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\My
Documents\SmitfraudFix\SmitfraudFix\Reboot.exe Infected:
not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Compaq_Owner\My
Documents\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected:
not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Compaq_Owner\My Documents\SmitfraudFix.zip ZIP:
infected - 1 skipped
C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Owner\NTUSER.DAT.LOG Object is locked
skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked
skipped
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked
skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p
skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object
is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked
skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked
skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked
skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked
skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked
skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked
skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked
skipped
C:\Program
Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object
is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log
Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log
Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log
Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP2\A0000024.exe
Infected: Trojan-Downloader.Win32.Zlob.bat skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP3\A0000058.exe
Infected: Trojan-Downloader.Win32.Zlob.bas skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000115.exe
Infected: Trojan-Downloader.Win32.Zlob.bat skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000136.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000138.dll
Infected: not-virus:Hoax.Win32.Renos.fw skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000139.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.dr skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000141.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000142.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000145.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000146.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP4\A0000150.dll
Infected: Trojan.Win32.BHO.o skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000171.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000172.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000173.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000174.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000175.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000176.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000177.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000178.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP5\A0000179.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000319.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000320.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000321.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000322.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000323.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000324.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000325.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000326.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP6\A0000327.dll
Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP7\change.log
Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8D40FD21-164E-4475-BED2-85BCE62CEE5A}.bin
Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped
C:\WINDOWS\temp\CLML_AGENT_LOG1.txt Object is locked skipped
C:\WINDOWS\temp\sqlite_r1v52r42JtfaYLR Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume
Information\_restore{D5F7A20F-1294-41E9-A947-A77075103E2E}\RP7\change.log
Object is locked skipped
Scan process completed.
-----------------------------------------
to follow.........
podinbristol
2006-11-30, 00:30
Logfile of HijackThis v1.99.1
Scan saved at 22:17:54, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\HijackThis\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Cheers M8
Hi
Empty this folder:
C:\Documents and Settings\Compaq_Owner\DoctorWeb\Quarantine
Empty Recycle Bin
Now re-scan with panda
Send panda report along with a fresh HijackThis log
podinbristol
2006-11-30, 19:04
Active Scan:
Incident Status Location
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adtech[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@microsoftwga.112.2o7[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@realmedia[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\My Documents\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\My Documents\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem\Process.exe
Possible Virus. Not disinfected C:\smitRem\swreg.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
---------------------------
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 17:00:56, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
c:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe
C:\Program Files\HijackThis\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
-------------------------------------------------
Hi
Logs look good.
How are things running now?
podinbristol
2006-11-30, 23:55
All seems to be working fine now thanks : )
You've been brilliant; really clear instructions and quick responses, and I learnt how to deal with it better if it comes back. I can't thank you enough. X
You're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and reenable system restore here:
Managing Windows Millenium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)
or
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Reenable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.staff.uiuc.edu/~ehowes/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
podinbristol
2006-12-03, 19:52
Cheers M8, worked my way through everything and am about to create a restore point. One thing before I do..........nothing happens when I click ALT/CNTRL/DEL - following previous instructions I downloaded Process Explorer by Systinternals that replaced the default window, but now I get nothing. Any ideas.....? I would prefer the default process window back, as Process Explorer showed more information than I understood!
Thanx
Hi
Right-click this (http://www.kellys-korner-xp.com/regs_edits/taskmanager.reg)
link and choose save as/save target as. Save it on desktop. Doubleclick taskmanager.reg, click Yes and ok. Reboot. Did it help?
podinbristol
2006-12-05, 00:33
When I clicked on the Taskmanager icon on the desktop, it only gave the RUN or SAVE options, I selected RUN and a prompt came up to confirm saving to the registry, after OK a message said it was successfully added to the registry. After reboot though, nothing happened when I did Alt/Ctrl/Del.
I think I've done it twice now by mistake - but it did not prompt that it had already been added, or to overwrite it.....
No other big problems, but there seems to be a lot of process whirring (processor making a noise like running something) way past the normal time it takes to load after reboot, although I wasn't doing anything. Norton just installed updates, that's all that recently happened. And I have been working on a large document in PageMaker and photos in Photoshop......
Thanks.
Hi
Go to start -> run -> regedit -> ok
Go to this key
HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion
and remove "TaskManager"-key if present. Did it help?
podinbristol
2006-12-07, 16:10
:sad: No key there. Still nothing when I do Alt/Ctrl/Del.
Hi
Please do a search:
"Run "Start">"Search">"All Files and Folders"> enter taskmgr.exe in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search".
Tell me whether or not you find taskmgr.exe.
podinbristol
2006-12-08, 17:54
it was found in two places:
c:\windows\system32 &
C:\windows/system32\dllcache
Hi
Submit c:\windows\system32\taskmgr.exe to VirusTotal (http://www.virustotal.com/en/indexf.html) and send results here.
podinbristol
2006-12-08, 20:24
\system32:
Complete scanning result of "taskmgr.exe", received in VirusTotal at 12.08.2006, 19:13:41 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.49 12.08.2006 no virus found
Authentium 4.93.8 12.07.2006 no virus found
Avast 4.7.892.0 12.08.2006 no virus found
AVG 386 12.08.2006 no virus found
BitDefender 7.2 12.08.2006 no virus found
CAT-QuickHeal 8.00 12.08.2006 no virus found
ClamAV devel-20060426 12.08.2006 no virus found
DrWeb 4.33 12.08.2006 no virus found
eSafe 7.0.14.0 12.07.2006 no virus found
eTrust-InoculateIT 23.73.80 12.08.2006 no virus found
eTrust-Vet 30.3.3238 12.08.2006 no virus found
Ewido 4.0 12.08.2006 no virus found
Fortinet 2.82.0.0 12.08.2006 no virus found
F-Prot 3.16f 12.07.2006 no virus found
F-Prot4 4.2.1.29 12.07.2006 no virus found
Ikarus T3.1.0.26 12.07.2006 no virus found
Kaspersky 4.0.2.24 12.08.2006 no virus found
McAfee 4914 12.08.2006 no virus found
Microsoft 1.1804 12.08.2006 no virus found
NOD32v2 1911 12.08.2006 no virus found
Norman 5.80.02 12.08.2006 no virus found
Panda 9.0.0.4 12.08.2006 no virus found
Prevx1 V2 12.08.2006 no virus found
Sophos 4.12.0 12.08.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.130 12.06.2006 no virus found
UNA 1.83 12.08.2006 no virus found
VBA32 3.11.1 12.08.2006 no virus found
VirusBuster 4.3.15:9 12.08.2006 no virus found
Aditional Information
File size: 135680 bytes
MD5: fc160ace21c81837692b339d230dd4be
SHA1: 28e0652d35fcd1e5abd1aa23bb5ee2b180a6693b
and \system32\dllcache:
same result.
Strange eh? :sad:
Hi
Yes, a bit strange
Problem could just be a wrong registry key value somewhere, but let's check this first:
* Download GMER from
here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.
Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
podinbristol
2006-12-08, 21:17
Results:
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-08 19:15:59
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT 841C5978 ZwAlertResumeThread
SSDT 8455EE58 ZwAlertThread
SSDT 84079A50 ZwAllocateVirtualMemory
SSDT 8420FF58 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 841212A0 ZwCreateMutant
SSDT 841182E8 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT 83F4F118 ZwFreeVirtualMemory
SSDT 841D2060 ZwImpersonateAnonymousToken
SSDT 83F22118 ZwImpersonateThread
SSDT 840CB618 ZwMapViewOfSection
SSDT 83EB5308 ZwOpenEvent
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 83F55118 ZwOpenProcessToken
SSDT 83EE5118 ZwOpenThreadToken
SSDT 83ED8008 ZwResumeThread
SSDT 83F00118 ZwSetContextThread
SSDT 841F2ED8 ZwSetInformationProcess
SSDT 83F1B118 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 84074298 ZwSuspendProcess
SSDT 83F17118 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 83F19118 ZwTerminateThread
SSDT 83EC0118 ZwUnmapViewOfSection
SSDT 841D27A0 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2B64 80503764 8 Bytes [ 78, 59, 1C, 84, 58, EE, 55, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D1C 8050391C 8 Bytes [ AC, 88, CC, F7, 18, 51, F5, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EC4 80503AC4 8 Bytes [ D8, 2E, 1F, 84, 18, B1, F1, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2F28 80503B28 8 Bytes [ 98, 42, 07, 84, 18, 71, F1, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2F38 80503B38 8 Bytes [ 12, 88, CC, F7, 18, 91, F1, ... ]
.text ntdll.dll!NtClose 7C90D586 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 7C90D793 5 Bytes JMP 72033FC8
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1F5415 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2080] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\Compaq_Owner\Desktop\avgas-setup-7.5.0.50.exe:SummaryInformation
ADS C:\Documents and Settings\Compaq_Owner\Desktop\avgas-setup-7.5.0.50.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Compaq_Owner\Desktop\eTrust Antivirus Web Scanner.url:favicon
ADS C:\Documents and Settings\Compaq_Owner\Desktop\Panda ActiveScan :favicon
ADS C:\Documents and Settings\Compaq_Owner\Favorites\Electric Proms Paul Weller - AV Forums.url:favicon
ADS C:\Documents and Settings\Compaq_Owner\Favorites\HotUKDeals - Main Page.url:favicon
ADS C:\Documents and Settings\Compaq_Owner\Favorites\MySpace.com.url:favicon
ADS C:\Documents and Settings\Compaq_Owner\Favorites\Smitfraud-c et al - been 3 days...HELP PLEASE - Safer Networking Forums.url:favicon
ADS C:\Documents and Settings\Compaq_Owner\Favorites\Understanding and Using Firewalls.url:favicon
ADS C:\Documents and Settings\Compaq_Owner\Favorites\VIRUSTOTAL - Free Online Virus and Malware Scan.url:favicon
ADS C:\Documents and Settings\Compaq_Owner\Favorites\VoucherCodes.com - Free voucher codes, discount codes, coupons & promotional codes.url:favicon
ADS ...
---- EOF - GMER 1.0.12 ----
Hi
I must do some further research now and maybe also ask for help; I'll reply ASAP I have something new to report :)
Hi
Open Process Explorer
In Process Explorer go Options->uncheck Replace Task Manager
Did it help?
podinbristol
2006-12-09, 18:29
;)
I cannot find Process Explorer! I tried search for process*.* but did not find it, and still nothing happens at Alt/Ctrl/Del, can you advise?
:oops:
podinbristol
2006-12-09, 18:32
Perhaps it is simply that process explorer replaced taskmanager, process explorer is now deleted and now I have nothing?
Not that I know..... : )
Hi
First we'll need to backup registry:
Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.
Save text below as fix.reg on Notepad (save it as all files (*.*) on Desktop
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
Doubleclick fix.reg, press Yes and ok.
Reboot
Does Task Manager work now?
podinbristol
2006-12-10, 14:54
:sad: Followed instructions and rebooted - but still nothing.......over to you ;)
Are you sure that you had all this text on your reg file?
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
podinbristol
2006-12-11, 01:48
I just checked the file again (edit) and it definitely has all the text (I cut and pasted it). Sorry :sad:
Hi
Go to start -> run -> regedit -> ok
Browse to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Right-click that key and choose Export. Save it as txt file and copy/paste contents of that file into this thread, please :)
podinbristol
2006-12-11, 15:41
:)
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Class Name: <NO CLASS>
Last Write Time: 26/11/2006 - 13:40
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 14 02 00 00 10 02 00 00 - 00 02 00 00 90 04 34 00 ..............4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 00 00 07 00 ....½.ïþ........
00000040 0b 00 00 00 00 00 07 00 - 0b 00 00 00 3f 00 00 00 ............?...
00000050 02 00 00 00 04 00 01 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 44 00 00 00 01 00 56 00 ........D.....V.
00000070 61 00 72 00 46 00 69 00 - 6c 00 65 00 49 00 6e 00 a.r.F.i.l.e.I.n.
00000080 66 00 6f 00 00 00 00 00 - 24 00 04 00 00 00 54 00 f.o.....$.....T.
00000090 72 00 61 00 6e 00 73 00 - 6c 00 61 00 74 00 69 00 r.a.n.s.l.a.t.i.
000000a0 6f 00 6e 00 00 00 00 00 - 09 04 e4 04 f0 03 00 00 o.n..... .ä.ð...
000000b0 01 00 53 00 74 00 72 00 - 69 00 6e 00 67 00 46 00 ..S.t.r.i.n.g.F.
000000c0 69 00 6c 00 65 00 49 00 - 6e 00 66 00 6f 00 00 00 i.l.e.I.n.f.o...
000000d0 cc 03 00 00 01 00 30 00 - 34 00 30 00 39 00 30 00 Ì.....0.4.0.9.0.
000000e0 34 00 45 00 34 00 00 00 - 4a 00 19 00 01 00 43 00 4.E.4...J.....C.
000000f0 6f 00 6d 00 6d 00 65 00 - 6e 00 74 00 73 00 00 00 o.m.m.e.n.t.s...
00000100 43 00 72 00 79 00 73 00 - 74 00 61 00 6c 00 20 00 C.r.y.s.t.a.l. .
00000110 53 00 51 00 4c 00 20 00 - 44 00 65 00 73 00 69 00 S.Q.L. .D.e.s.i.
00000120 67 00 6e 00 65 00 72 00 - 20 00 37 00 2e 00 30 00 g.n.e.r. .7...0.
00000130 00 00 00 00 88 00 34 00 - 01 00 43 00 6f 00 6d 00 ......4...C.o.m.
00000140 70 00 61 00 6e 00 79 00 - 4e 00 61 00 6d 00 65 00 p.a.n.y.N.a.m.e.
00000150 00 00 00 00 53 00 65 00 - 61 00 67 00 61 00 74 00 ....S.e.a.g.a.t.
00000160 65 00 20 00 53 00 6f 00 - 66 00 74 00 77 00 61 00 e. .S.o.f.t.w.a.
00000170 72 00 65 00 20 00 49 00 - 6e 00 66 00 6f 00 72 00 r.e. .I.n.f.o.r.
00000180 6d 00 61 00 74 00 69 00 - 6f 00 6e 00 20 00 4d 00 m.a.t.i.o.n. .M.
00000190 61 00 6e 00 61 00 67 00 - 65 00 6d 00 65 00 6e 00 a.n.a.g.e.m.e.n.
000001a0 74 00 20 00 47 00 72 00 - 6f 00 75 00 70 00 2c 00 t. .G.r.o.u.p.,.
000001b0 20 00 49 00 6e 00 63 00 - 2e 00 00 00 ae 00 45 00 .I.n.c.....®.E.
000001c0 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
000001d0 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
000001e0 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
000001f0 74 00 20 00 28 00 63 00 - 29 00 20 00 31 00 39 00 t. .(.c.). .1.9.
00000200 39 00 31 00 2d 00 31 00 - 39 00 39 00 10 00 00 00 9.1.-.1.9.9.....
00000210 00 00 00 00 ....
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 54 09 00 00 54 02 00 00 - 00 02 00 00 8c 03 34 00 T ..T.........4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 02 00 a8 11 ....½.ïþ......¨.
00000040 2e 04 00 00 02 00 a8 11 - 2e 04 00 00 3f 00 00 00 ......¨.....?...
00000050 20 00 00 00 04 00 00 00 - 01 00 00 00 00 00 00 00 ...............
00000060 00 00 00 00 00 00 00 00 - ec 02 00 00 01 00 53 00 ........ì.....S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 c8 02 00 00 e.I.n.f.o...È...
00000090 01 00 30 00 30 00 30 00 - 30 00 30 00 34 00 62 00 ..0.0.0.0.0.4.b.
000000a0 30 00 00 00 38 00 10 00 - 01 00 43 00 6f 00 6d 00 0...8.....C.o.m.
000000b0 6d 00 65 00 6e 00 74 00 - 73 00 00 00 4f 00 72 00 m.e.n.t.s...O.r.
000000c0 69 00 67 00 6e 00 61 00 - 6c 00 20 00 56 00 65 00 i.g.n.a.l. .V.e.
000000d0 72 00 73 00 69 00 6f 00 - 6e 00 00 00 42 00 11 00 r.s.i.o.n...B...
000000e0 01 00 43 00 6f 00 6d 00 - 70 00 61 00 6e 00 79 00 ..C.o.m.p.a.n.y.
000000f0 4e 00 61 00 6d 00 65 00 - 00 00 00 00 53 00 41 00 N.a.m.e.....S.A.
00000100 50 00 20 00 41 00 47 00 - 2c 00 20 00 57 00 61 00 P. .A.G.,. .W.a.
00000110 6c 00 6c 00 64 00 6f 00 - 72 00 66 00 00 00 00 00 l.l.d.o.r.f.....
00000120 5a 00 19 00 01 00 46 00 - 69 00 6c 00 65 00 44 00 Z.....F.i.l.e.D.
00000130 65 00 73 00 63 00 72 00 - 69 00 70 00 74 00 69 00 e.s.c.r.i.p.t.i.
00000140 6f 00 6e 00 00 00 00 00 - 53 00 41 00 50 00 20 00 o.n.....S.A.P. .
00000150 46 00 72 00 6f 00 6e 00 - 74 00 65 00 6e 00 64 00 F.r.o.n.t.e.n.d.
00000160 20 00 66 00 6f 00 72 00 - 20 00 57 00 69 00 6e 00 .f.o.r. .W.i.n.
00000170 64 00 6f 00 77 00 73 00 - 00 00 00 00 3c 00 0e 00 d.o.w.s.....<...
00000180 01 00 46 00 69 00 6c 00 - 65 00 56 00 65 00 72 00 ..F.i.l.e.V.e.r.
00000190 73 00 69 00 6f 00 6e 00 - 00 00 00 00 34 00 35 00 s.i.o.n.....4.5.
000001a0 32 00 30 00 2e 00 32 00 - 2e 00 30 00 2e 00 31 00 2.0...2...0...1.
000001b0 30 00 37 00 30 00 00 00 - 32 00 09 00 01 00 49 00 0.7.0...2. ...I.
000001c0 6e 00 74 00 65 00 72 00 - 6e 00 61 00 6c 00 4e 00 n.t.e.r.n.a.l.N.
000001d0 61 00 6d 00 65 00 00 00 - 46 00 45 00 57 00 46 00 a.m.e...F.E.W.F.
000001e0 52 00 4f 00 4e 00 54 00 - 00 00 00 00 7a 00 2b 00 R.O.N.T.....z.+.
000001f0 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
00000200 70 00 79 00 72 00 69 00 - 67 00 68 00 02 00 00 00 p.y.r.i.g.h.....
00000210 00 00 00 00 01 00 00 00 - 4c 00 00 00 3c fd 06 00 ........L...<ý..
00000220 04 00 00 00 00 00 00 00 - 65 05 00 00 02 00 00 00 ........e.......
00000230 03 00 00 00 00 00 01 00 - 53 00 65 00 72 00 76 00 ........S.e.r.v.
00000240 69 00 63 00 65 00 20 00 - 50 00 61 00 63 00 6b 00 i.c.e. .P.a.c.k.
00000250 20 00 33 00 00 00 23 00 - 54 02 00 00 00 02 00 00 .3...#.T.......
00000260 8c 03 34 00 00 00 56 00 - 53 00 5f 00 56 00 45 00 ..4...V.S._.V.E.
00000270 52 00 53 00 49 00 4f 00 - 4e 00 5f 00 49 00 4e 00 R.S.I.O.N._.I.N.
00000280 46 00 4f 00 00 00 00 00 - bd 04 ef fe 00 00 01 00 F.O.....½.ïþ....
00000290 03 00 9e 11 26 04 00 00 - 03 00 9e 11 26 04 00 00 ....&.......&...
000002a0 3f 00 00 00 20 00 00 00 - 04 00 00 00 01 00 00 00 ?... ...........
000002b0 00 00 00 00 00 00 00 00 - 00 00 00 00 ec 02 00 00 ............ì...
000002c0 01 00 53 00 74 00 72 00 - 69 00 6e 00 67 00 46 00 ..S.t.r.i.n.g.F.
000002d0 69 00 6c 00 65 00 49 00 - 6e 00 66 00 6f 00 00 00 i.l.e.I.n.f.o...
000002e0 c8 02 00 00 01 00 30 00 - 30 00 30 00 30 00 30 00 È.....0.0.0.0.0.
000002f0 34 00 62 00 30 00 00 00 - 38 00 10 00 01 00 43 00 4.b.0...8.....C.
00000300 6f 00 6d 00 6d 00 65 00 - 6e 00 74 00 73 00 00 00 o.m.m.e.n.t.s...
00000310 4f 00 72 00 69 00 67 00 - 6e 00 61 00 6c 00 20 00 O.r.i.g.n.a.l. .
00000320 56 00 65 00 72 00 73 00 - 69 00 6f 00 6e 00 00 00 V.e.r.s.i.o.n...
00000330 42 00 11 00 01 00 43 00 - 6f 00 6d 00 70 00 61 00 B.....C.o.m.p.a.
00000340 6e 00 79 00 4e 00 61 00 - 6d 00 65 00 00 00 00 00 n.y.N.a.m.e.....
00000350 53 00 41 00 50 00 20 00 - 41 00 47 00 2c 00 20 00 S.A.P. .A.G.,. .
00000360 57 00 61 00 6c 00 6c 00 - 64 00 6f 00 72 00 66 00 W.a.l.l.d.o.r.f.
00000370 00 00 00 00 5a 00 19 00 - 01 00 46 00 69 00 6c 00 ....Z.....F.i.l.
00000380 65 00 44 00 65 00 73 00 - 63 00 72 00 69 00 70 00 e.D.e.s.c.r.i.p.
00000390 74 00 69 00 6f 00 6e 00 - 00 00 00 00 53 00 41 00 t.i.o.n.....S.A.
000003a0 50 00 20 00 46 00 72 00 - 6f 00 6e 00 74 00 65 00 P. .F.r.o.n.t.e.
000003b0 6e 00 64 00 20 00 66 00 - 6f 00 72 00 20 00 57 00 n.d. .f.o.r. .W.
000003c0 69 00 6e 00 64 00 6f 00 - 77 00 73 00 00 00 00 00 i.n.d.o.w.s.....
000003d0 3c 00 0e 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 <.....F.i.l.e.V.
000003e0 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
000003f0 34 00 35 00 31 00 30 00 - 2e 00 33 00 2e 00 30 00 4.5.1.0...3...0.
00000400 2e 00 31 00 30 00 36 00 - 32 00 00 00 32 00 09 00 ..1.0.6.2...2. .
00000410 01 00 49 00 6e 00 74 00 - 65 00 72 00 6e 00 61 00 ..I.n.t.e.r.n.a.
00000420 6c 00 4e 00 61 00 6d 00 - 65 00 00 00 46 00 45 00 l.N.a.m.e...F.E.
00000430 57 00 46 00 52 00 4f 00 - 4e 00 54 00 00 00 00 00 W.F.R.O.N.T.....
00000440 7a 00 2b 00 01 00 4c 00 - 65 00 67 00 61 00 6c 00 z.+...L.e.g.a.l.
00000450 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
00000460 02 00 00 00 00 00 00 00 - 01 00 00 00 4c 00 00 00 ............L...
00000470 3c fd 06 00 04 00 00 00 - 00 00 00 00 65 05 00 00 <ý..........e...
00000480 02 00 00 00 03 00 00 00 - 00 00 01 00 53 00 65 00 ............S.e.
00000490 72 00 76 00 69 00 63 00 - 65 00 20 00 50 00 61 00 r.v.i.c.e. .P.a.
000004a0 63 00 6b 00 20 00 33 00 - 00 00 23 00 54 02 00 00 c.k. .3...#.T...
000004b0 00 02 00 00 20 03 34 00 - 00 00 56 00 53 00 5f 00 .... .4...V.S._.
000004c0 56 00 45 00 52 00 53 00 - 49 00 4f 00 4e 00 5f 00 V.E.R.S.I.O.N._.
000004d0 49 00 4e 00 46 00 4f 00 - 00 00 00 00 bd 04 ef fe I.N.F.O.....½.ïþ
000004e0 00 00 01 00 00 00 04 00 - f0 03 00 00 00 00 04 00 ........ð.......
000004f0 f0 03 00 00 3f 00 00 00 - 00 00 00 00 04 00 01 00 ð...?...........
00000500 01 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000510 7e 02 00 00 01 00 53 00 - 74 00 72 00 69 00 6e 00 ~.....S.t.r.i.n.
00000520 67 00 46 00 69 00 6c 00 - 65 00 49 00 6e 00 66 00 g.F.i.l.e.I.n.f.
00000530 6f 00 00 00 5a 02 00 00 - 01 00 30 00 34 00 30 00 o...Z.....0.4.0.
00000540 39 00 30 00 34 00 45 00 - 34 00 00 00 2e 00 07 00 9.0.4.E.4.......
00000550 01 00 43 00 6f 00 6d 00 - 70 00 61 00 6e 00 79 00 ..C.o.m.p.a.n.y.
00000560 4e 00 61 00 6d 00 65 00 - 00 00 00 00 53 00 41 00 N.a.m.e.....S.A.
00000570 50 00 20 00 41 00 47 00 - 00 00 00 00 5a 00 19 00 P. .A.G.....Z...
00000580 01 00 46 00 69 00 6c 00 - 65 00 44 00 65 00 73 00 ..F.i.l.e.D.e.s.
00000590 63 00 72 00 69 00 70 00 - 74 00 69 00 6f 00 6e 00 c.r.i.p.t.i.o.n.
000005a0 00 00 00 00 53 00 41 00 - 50 00 20 00 46 00 72 00 ....S.A.P. .F.r.
000005b0 6f 00 6e 00 74 00 65 00 - 6e 00 64 00 20 00 66 00 o.n.t.e.n.d. .f.
000005c0 6f 00 72 00 20 00 57 00 - 69 00 6e 00 64 00 6f 00 o.r. .W.i.n.d.o.
000005d0 77 00 73 00 00 00 00 00 - 36 00 0b 00 01 00 46 00 w.s.....6.....F.
000005e0 69 00 6c 00 65 00 56 00 - 65 00 72 00 73 00 69 00 i.l.e.V.e.r.s.i.
000005f0 6f 00 6e 00 00 00 00 00 - 34 00 2e 00 30 00 2e 00 o.n.....4...0...
00000600 30 00 2e 00 31 00 30 00 - 30 00 38 00 00 00 00 00 0...1.0.0.8.....
00000610 2c 00 06 00 01 00 49 00 - 6e 00 74 00 65 00 72 00 ,.....I.n.t.e.r.
00000620 6e 00 61 00 6c 00 4e 00 - 61 00 6d 00 65 00 00 00 n.a.l.N.a.m.e...
00000630 46 00 52 00 4f 00 4e 00 - 54 00 00 00 5e 00 1d 00 F.R.O.N.T...^...
00000640 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
00000650 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
00000660 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
00000670 74 00 20 00 a9 00 20 00 - 31 00 39 00 39 00 33 00 t. .©. .1.9.9.3.
00000680 2d 00 31 00 39 00 39 00 - 37 00 20 00 53 00 41 00 -.1.9.9.7. .S.A.
00000690 50 00 20 00 41 00 47 00 - 00 00 00 00 28 00 00 00 P. .A.G.....(...
000006a0 01 00 4c 00 65 00 67 00 - 61 00 6c 00 54 00 72 00 ..L.e.g.a.l.T.r.
000006b0 61 00 64 00 02 00 00 00 - 00 00 00 00 01 00 00 00 a.d.............
000006c0 4c 00 00 00 3c fd 06 00 - 04 00 00 00 00 00 00 00 L...<ý..........
000006d0 65 05 00 00 02 00 00 00 - 03 00 00 00 00 00 01 00 e...............
000006e0 53 00 65 00 72 00 76 00 - 69 00 63 00 65 00 20 00 S.e.r.v.i.c.e. .
000006f0 50 00 61 00 63 00 6b 00 - 20 00 33 00 00 00 23 00 P.a.c.k. .3...#.
00000700 54 02 00 00 00 02 00 00 - 18 03 34 00 00 00 56 00 T.........4...V.
00000710 53 00 5f 00 56 00 45 00 - 52 00 53 00 49 00 4f 00 S._.V.E.R.S.I.O.
00000720 4e 00 5f 00 49 00 4e 00 - 46 00 4f 00 00 00 00 00 N._.I.N.F.O.....
00000730 bd 04 ef fe 00 00 01 00 - 00 00 04 00 dd 03 00 00 ½.ïþ........Ý...
00000740 00 00 04 00 dd 03 00 00 - 3f 00 00 00 00 00 00 00 ....Ý...?.......
00000750 04 00 01 00 01 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000760 00 00 00 00 78 02 00 00 - 01 00 53 00 74 00 72 00 ....x.....S.t.r.
00000770 69 00 6e 00 67 00 46 00 - 69 00 6c 00 65 00 49 00 i.n.g.F.i.l.e.I.
00000780 6e 00 66 00 6f 00 00 00 - 54 02 00 00 01 00 30 00 n.f.o...T.....0.
00000790 34 00 30 00 39 00 30 00 - 34 00 45 00 34 00 00 00 4.0.9.0.4.E.4...
000007a0 2e 00 07 00 01 00 43 00 - 6f 00 6d 00 70 00 61 00 ......C.o.m.p.a.
000007b0 6e 00 79 00 4e 00 61 00 - 6d 00 65 00 00 00 00 00 n.y.N.a.m.e.....
000007c0 53 00 41 00 50 00 20 00 - 41 00 47 00 00 00 00 00 S.A.P. .A.G.....
000007d0 5a 00 19 00 01 00 46 00 - 69 00 6c 00 65 00 44 00 Z.....F.i.l.e.D.
000007e0 65 00 73 00 63 00 72 00 - 69 00 70 00 74 00 69 00 e.s.c.r.i.p.t.i.
000007f0 6f 00 6e 00 00 00 00 00 - 53 00 41 00 50 00 20 00 o.n.....S.A.P. .
00000800 46 00 72 00 6f 00 6e 00 - 74 00 65 00 6e 00 64 00 F.r.o.n.t.e.n.d.
00000810 20 00 66 00 6f 00 72 00 - 20 00 57 00 69 00 6e 00 .f.o.r. .W.i.n.
00000820 64 00 6f 00 77 00 73 00 - 00 00 00 00 34 00 0a 00 d.o.w.s.....4...
00000830 01 00 46 00 69 00 6c 00 - 65 00 56 00 65 00 72 00 ..F.i.l.e.V.e.r.
00000840 73 00 69 00 6f 00 6e 00 - 00 00 00 00 34 00 2e 00 s.i.o.n.....4...
00000850 30 00 2e 00 30 00 2e 00 - 39 00 38 00 39 00 00 00 0...0...9.8.9...
00000860 2c 00 06 00 01 00 49 00 - 6e 00 74 00 65 00 72 00 ,.....I.n.t.e.r.
00000870 6e 00 61 00 6c 00 4e 00 - 61 00 6d 00 65 00 00 00 n.a.l.N.a.m.e...
00000880 46 00 52 00 4f 00 4e 00 - 54 00 00 00 5e 00 1d 00 F.R.O.N.T...^...
00000890 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
000008a0 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
000008b0 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
000008c0 74 00 20 00 a9 00 20 00 - 31 00 39 00 39 00 33 00 t. .©. .1.9.9.3.
000008d0 2d 00 31 00 39 00 39 00 - 37 00 20 00 53 00 41 00 -.1.9.9.7. .S.A.
000008e0 50 00 20 00 41 00 47 00 - 00 00 00 00 28 00 00 00 P. .A.G.....(...
000008f0 01 00 4c 00 65 00 67 00 - 61 00 6c 00 54 00 72 00 ..L.e.g.a.l.T.r.
00000900 61 00 64 00 65 00 6d 00 - 02 00 00 00 00 00 00 00 a.d.e.m.........
00000910 01 00 00 00 4c 00 00 00 - 3c fd 06 00 04 00 00 00 ....L...<ý......
00000920 00 00 00 00 65 05 00 00 - 02 00 00 00 03 00 00 00 ....e...........
00000930 00 00 01 00 53 00 65 00 - 72 00 76 00 69 00 63 00 ....S.e.r.v.i.c.
00000940 65 00 20 00 50 00 61 00 - 63 00 6b 00 20 00 33 00 e. .P.a.c.k. .3.
00000950 00 00 23 00 ..#.
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
podinbristol
2006-12-11, 15:44
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 58 02 00 00 54 02 00 00 - 00 02 00 00 6c 07 34 00 X...T.......l.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 05 00 05 00 ....½.ïþ........
00000040 07 00 a8 07 05 00 05 00 - 07 00 a8 07 3f 00 00 00 ..¨.......¨.?...
00000050 00 00 00 00 04 00 04 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - cc 06 00 00 01 00 53 00 ........Ì.....S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 54 03 00 00 e.I.n.f.o...T...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 42 00 ..0.4.0.9.0.4.B.
000000a0 30 00 00 00 18 00 00 00 - 01 00 43 00 6f 00 6d 00 0.........C.o.m.
000000b0 6d 00 65 00 6e 00 74 00 - 73 00 00 00 4c 00 16 00 m.e.n.t.s...L...
000000c0 01 00 43 00 6f 00 6d 00 - 70 00 61 00 6e 00 79 00 ..C.o.m.p.a.n.y.
000000d0 4e 00 61 00 6d 00 65 00 - 00 00 00 00 4d 00 69 00 N.a.m.e.....M.i.
000000e0 63 00 72 00 6f 00 73 00 - 6f 00 66 00 74 00 20 00 c.r.o.s.o.f.t. .
000000f0 43 00 6f 00 72 00 70 00 - 6f 00 72 00 61 00 74 00 C.o.r.p.o.r.a.t.
00000100 69 00 6f 00 6e 00 00 00 - 68 00 20 00 01 00 46 00 i.o.n...h. ...F.
00000110 69 00 6c 00 65 00 44 00 - 65 00 73 00 63 00 72 00 i.l.e.D.e.s.c.r.
00000120 69 00 70 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 i.p.t.i.o.n.....
00000130 4d 00 69 00 63 00 72 00 - 6f 00 73 00 6f 00 66 00 M.i.c.r.o.s.o.f.
00000140 74 00 20 00 45 00 78 00 - 63 00 68 00 61 00 6e 00 t. .E.x.c.h.a.n.
00000150 67 00 65 00 20 00 53 00 - 65 00 72 00 76 00 65 00 g.e. .S.e.r.v.e.
00000160 72 00 20 00 53 00 65 00 - 74 00 75 00 70 00 00 00 r. .S.e.t.u.p...
00000170 36 00 0b 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 6.....F.i.l.e.V.
00000180 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
00000190 35 00 2e 00 35 00 2e 00 - 31 00 39 00 36 00 30 00 5...5...1.9.6.0.
000001a0 2e 00 37 00 00 00 00 00 - 2c 00 06 00 01 00 49 00 ..7.....,.....I.
000001b0 6e 00 74 00 65 00 72 00 - 6e 00 61 00 6c 00 4e 00 n.t.e.r.n.a.l.N.
000001c0 61 00 6d 00 65 00 00 00 - 53 00 65 00 74 00 75 00 a.m.e...S.e.t.u.
000001d0 70 00 00 00 9c 00 3c 00 - 01 00 4c 00 65 00 67 00 p.....<...L.e.g.
000001e0 61 00 6c 00 43 00 6f 00 - 70 00 79 00 72 00 69 00 a.l.C.o.p.y.r.i.
000001f0 67 00 68 00 74 00 00 00 - 43 00 6f 00 70 00 79 00 g.h.t...C.o.p.y.
00000200 72 00 69 00 67 00 68 00 - 74 00 20 00 02 00 00 00 r.i.g.h.t. .....
00000210 00 00 00 00 01 00 00 00 - 4c 00 00 00 3c fd 06 00 ........L...<ý..
00000220 05 00 00 00 00 00 00 00 - 65 05 00 00 02 00 00 00 ........e.......
00000230 03 00 00 00 02 00 00 00 - 53 00 65 00 72 00 76 00 ........S.e.r.v.
00000240 69 00 63 00 65 00 20 00 - 50 00 61 00 63 00 6b 00 i.c.e. .P.a.c.k.
00000250 20 00 34 00 00 00 23 00 - .4...#.
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 58 02 00 00 54 02 00 00 - 00 02 00 00 44 02 34 00 X...T.......D.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 01 00 01 00 ....½.ïþ........
00000040 0c 00 00 00 01 00 01 00 - 0c 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 04 00 00 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 44 00 00 00 00 00 56 00 ........D.....V.
00000070 61 00 72 00 46 00 69 00 - 6c 00 65 00 49 00 6e 00 a.r.F.i.l.e.I.n.
00000080 66 00 6f 00 00 00 00 00 - 24 00 04 00 00 00 54 00 f.o.....$.....T.
00000090 72 00 61 00 6e 00 73 00 - 6c 00 61 00 74 00 69 00 r.a.n.s.l.a.t.i.
000000a0 6f 00 6e 00 00 00 00 00 - 09 04 b0 04 a4 01 00 00 o.n..... .°.¤...
000000b0 01 00 53 00 74 00 72 00 - 69 00 6e 00 67 00 46 00 ..S.t.r.i.n.g.F.
000000c0 69 00 6c 00 65 00 49 00 - 6e 00 66 00 6f 00 00 00 i.l.e.I.n.f.o...
000000d0 80 01 00 00 01 00 30 00 - 34 00 30 00 39 00 30 00 ......0.4.0.9.0.
000000e0 34 00 42 00 30 00 00 00 - 40 00 20 00 01 00 43 00 4.B.0...@. ...C.
000000f0 6f 00 6d 00 70 00 61 00 - 6e 00 79 00 4e 00 61 00 o.m.p.a.n.y.N.a.
00000100 6d 00 65 00 00 00 00 00 - 44 00 65 00 4c 00 6f 00 m.e.....D.e.L.o.
00000110 72 00 6d 00 65 00 20 00 - 4d 00 61 00 70 00 70 00 r.m.e. .M.a.p.p.
00000120 69 00 6e 00 67 00 00 00 - 44 00 22 00 01 00 50 00 i.n.g...D."...P.
00000130 72 00 6f 00 64 00 75 00 - 63 00 74 00 4e 00 61 00 r.o.d.u.c.t.N.a.
00000140 6d 00 65 00 00 00 00 00 - 52 00 65 00 67 00 20 00 m.e.....R.e.g. .
00000150 28 00 44 00 4c 00 69 00 - 62 00 62 00 79 00 5c 00 (.D.L.i.b.b.y.\.
00000160 6d 00 73 00 66 00 29 00 - 00 00 00 00 34 00 14 00 m.s.f.).....4...
00000170 01 00 46 00 69 00 6c 00 - 65 00 56 00 65 00 72 00 ..F.i.l.e.V.e.r.
00000180 73 00 69 00 6f 00 6e 00 - 00 00 00 00 31 00 2e 00 s.i.o.n.....1...
00000190 30 00 31 00 2e 00 30 00 - 30 00 31 00 32 00 00 00 0.1...0.0.1.2...
000001a0 38 00 14 00 01 00 50 00 - 72 00 6f 00 64 00 75 00 8.....P.r.o.d.u.
000001b0 63 00 74 00 56 00 65 00 - 72 00 73 00 69 00 6f 00 c.t.V.e.r.s.i.o.
000001c0 6e 00 00 00 31 00 2e 00 - 30 00 31 00 2e 00 30 00 n...1...0.1...0.
000001d0 30 00 31 00 32 00 00 00 - 34 00 12 00 01 00 49 00 0.1.2...4.....I.
000001e0 6e 00 74 00 65 00 72 00 - 6e 00 61 00 6c 00 4e 00 n.t.e.r.n.a.l.N.
000001f0 61 00 6d 00 65 00 00 00 - 4d 00 4e 00 47 00 52 00 a.m.e...M.N.G.R.
00000200 45 00 47 00 33 00 32 00 - 00 00 00 00 02 00 00 00 E.G.3.2.........
00000210 00 00 00 00 01 00 00 00 - 4c 00 00 00 3c fd 06 00 ........L...<ý..
00000220 04 00 00 00 00 00 00 00 - 65 05 00 00 02 00 00 00 ........e.......
00000230 03 00 00 00 00 00 01 00 - 53 00 65 00 72 00 76 00 ........S.e.r.v.
00000240 69 00 63 00 65 00 20 00 - 50 00 61 00 63 00 6b 00 i.c.e. .P.a.c.k.
00000250 20 00 33 00 00 00 23 00 - .3...#.
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: GlobalFlag
Type: REG_SZ
Data: 0x00200000
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: GlobalFlag
Type: REG_SZ
Data: 0x00200000
podinbristol
2006-12-11, 15:45
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 14 02 00 00 10 02 00 00 - 00 02 00 00 b4 02 34 00 ............´.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 35 00 07 00 ....½.ïþ....5...
00000040 00 00 00 00 35 00 07 00 - 00 00 00 00 3f 00 00 00 ....5.......?...
00000050 00 00 00 00 04 00 00 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 12 02 00 00 01 00 53 00 ..............S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 ee 01 00 00 e.I.n.f.o...î...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 62 00 ..0.4.0.9.0.4.b.
000000a0 30 00 00 00 42 00 11 00 - 01 00 43 00 6f 00 6d 00 0...B.....C.o.m.
000000b0 70 00 61 00 6e 00 79 00 - 4e 00 61 00 6d 00 65 00 p.a.n.y.N.a.m.e.
000000c0 00 00 00 00 50 00 65 00 - 6f 00 70 00 6c 00 65 00 ....P.e.o.p.l.e.
000000d0 53 00 6f 00 66 00 74 00 - 2c 00 20 00 49 00 6e 00 S.o.f.t.,. .I.n.
000000e0 63 00 2e 00 00 00 00 00 - 28 00 00 00 01 00 46 00 c.......(.....F.
000000f0 69 00 6c 00 65 00 44 00 - 65 00 73 00 63 00 72 00 i.l.e.D.e.s.c.r.
00000100 69 00 70 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 i.p.t.i.o.n.....
00000110 2a 00 05 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 *.....F.i.l.e.V.
00000120 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
00000130 37 00 2e 00 35 00 33 00 - 00 00 00 00 9c 00 3c 00 7...5.3.......<.
00000140 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
00000150 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
00000160 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
00000170 74 00 20 00 a9 00 20 00 - 31 00 39 00 38 00 38 00 t. .©. .1.9.8.8.
00000180 2d 00 31 00 39 00 39 00 - 38 00 20 00 50 00 65 00 -.1.9.9.8. .P.e.
00000190 6f 00 70 00 6c 00 65 00 - 53 00 6f 00 66 00 74 00 o.p.l.e.S.o.f.t.
000001a0 2c 00 20 00 49 00 6e 00 - 63 00 2e 00 20 00 20 00 ,. .I.n.c... . .
000001b0 41 00 6c 00 6c 00 20 00 - 52 00 69 00 67 00 68 00 A.l.l. .R.i.g.h.
000001c0 74 00 73 00 20 00 52 00 - 65 00 73 00 65 00 72 00 t.s. .R.e.s.e.r.
000001d0 76 00 65 00 64 00 00 00 - 3c 00 0a 00 01 00 4f 00 v.e.d...<.....O.
000001e0 72 00 69 00 67 00 69 00 - 6e 00 61 00 6c 00 46 00 r.i.g.i.n.a.l.F.
000001f0 69 00 6c 00 65 00 6e 00 - 61 00 6d 00 65 00 00 00 i.l.e.n.a.m.e...
00000200 70 00 73 00 64 00 6d 00 - 74 00 2e 00 10 00 00 00 p.s.d.m.t.......
00000210 00 00 00 00 ....
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\salwrap.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 00 07 00 00 54 02 00 00 - 00 02 00 00 84 07 34 00 ....T.........4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 05 00 05 00 ....½.ïþ........
00000040 07 00 a8 07 05 00 05 00 - 07 00 a8 07 3f 00 00 00 ..¨.......¨.?...
00000050 00 00 00 00 04 00 04 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - e4 06 00 00 01 00 53 00 ........ä.....S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 60 03 00 00 e.I.n.f.o...`...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 42 00 ..0.4.0.9.0.4.B.
000000a0 30 00 00 00 18 00 00 00 - 01 00 43 00 6f 00 6d 00 0.........C.o.m.
000000b0 6d 00 65 00 6e 00 74 00 - 73 00 00 00 4c 00 16 00 m.e.n.t.s...L...
000000c0 01 00 43 00 6f 00 6d 00 - 70 00 61 00 6e 00 79 00 ..C.o.m.p.a.n.y.
000000d0 4e 00 61 00 6d 00 65 00 - 00 00 00 00 4d 00 69 00 N.a.m.e.....M.i.
000000e0 63 00 72 00 6f 00 73 00 - 6f 00 66 00 74 00 20 00 c.r.o.s.o.f.t. .
000000f0 43 00 6f 00 72 00 70 00 - 6f 00 72 00 61 00 74 00 C.o.r.p.o.r.a.t.
00000100 69 00 6f 00 6e 00 00 00 - 68 00 20 00 01 00 46 00 i.o.n...h. ...F.
00000110 69 00 6c 00 65 00 44 00 - 65 00 73 00 63 00 72 00 i.l.e.D.e.s.c.r.
00000120 69 00 70 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 i.p.t.i.o.n.....
00000130 4d 00 69 00 63 00 72 00 - 6f 00 73 00 6f 00 66 00 M.i.c.r.o.s.o.f.
00000140 74 00 20 00 45 00 78 00 - 63 00 68 00 61 00 6e 00 t. .E.x.c.h.a.n.
00000150 67 00 65 00 20 00 53 00 - 65 00 72 00 76 00 65 00 g.e. .S.e.r.v.e.
00000160 72 00 20 00 53 00 65 00 - 74 00 75 00 70 00 00 00 r. .S.e.t.u.p...
00000170 36 00 0b 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 6.....F.i.l.e.V.
00000180 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
00000190 35 00 2e 00 35 00 2e 00 - 31 00 39 00 36 00 30 00 5...5...1.9.6.0.
000001a0 2e 00 37 00 00 00 00 00 - 2c 00 06 00 01 00 49 00 ..7.....,.....I.
000001b0 6e 00 74 00 65 00 72 00 - 6e 00 61 00 6c 00 4e 00 n.t.e.r.n.a.l.N.
000001c0 61 00 6d 00 65 00 00 00 - 53 00 65 00 74 00 75 00 a.m.e...S.e.t.u.
000001d0 70 00 00 00 9e 00 3d 00 - 01 00 4c 00 65 00 67 00 p.....=...L.e.g.
000001e0 61 00 6c 00 43 00 6f 00 - 70 00 79 00 72 00 69 00 a.l.C.o.p.y.r.i.
000001f0 67 00 68 00 74 00 00 00 - 43 00 6f 00 70 00 79 00 g.h.t...C.o.p.y.
00000200 72 00 69 00 67 00 68 00 - 74 00 20 00 02 00 00 00 r.i.g.h.t. .....
00000210 00 00 00 00 01 00 00 00 - 4c 00 00 00 3c fd 06 00 ........L...<ý..
00000220 05 00 00 00 00 00 00 00 - 65 05 00 00 02 00 00 00 ........e.......
00000230 00 00 00 00 00 00 00 00 - 53 00 65 00 72 00 76 00 ........S.e.r.v.
00000240 69 00 63 00 65 00 20 00 - 50 00 61 00 63 00 6b 00 i.c.e. .P.a.c.k.
00000250 20 00 33 00 00 00 24 00 - 54 02 00 00 00 02 00 00 .3...$.T.......
00000260 a4 08 34 00 00 00 56 00 - 53 00 5f 00 56 00 45 00 ¤.4...V.S._.V.E.
00000270 52 00 53 00 49 00 4f 00 - 4e 00 5f 00 49 00 4e 00 R.S.I.O.N._.I.N.
00000280 46 00 4f 00 00 00 00 00 - bd 04 ef fe 00 00 01 00 F.O.....½.ïþ....
00000290 05 00 05 00 07 00 a8 07 - 05 00 05 00 07 00 a8 07 ......¨.......¨.
000002a0 3f 00 00 00 00 00 00 00 - 04 00 04 00 01 00 00 00 ?...............
000002b0 00 00 00 00 00 00 00 00 - 00 00 00 00 04 08 00 00 ................
000002c0 01 00 53 00 74 00 72 00 - 69 00 6e 00 67 00 46 00 ..S.t.r.i.n.g.F.
000002d0 69 00 6c 00 65 00 49 00 - 6e 00 66 00 6f 00 00 00 i.l.e.I.n.f.o...
000002e0 f0 03 00 00 01 00 30 00 - 34 00 30 00 39 00 30 00 ð.....0.4.0.9.0.
000002f0 34 00 42 00 30 00 00 00 - 18 00 00 00 01 00 43 00 4.B.0.........C.
00000300 6f 00 6d 00 6d 00 65 00 - 6e 00 74 00 73 00 00 00 o.m.m.e.n.t.s...
00000310 4c 00 16 00 01 00 43 00 - 6f 00 6d 00 70 00 61 00 L.....C.o.m.p.a.
00000320 6e 00 79 00 4e 00 61 00 - 6d 00 65 00 00 00 00 00 n.y.N.a.m.e.....
00000330 4d 00 69 00 63 00 72 00 - 6f 00 73 00 6f 00 66 00 M.i.c.r.o.s.o.f.
00000340 74 00 20 00 43 00 6f 00 - 72 00 70 00 6f 00 72 00 t. .C.o.r.p.o.r.
00000350 61 00 74 00 69 00 6f 00 - 6e 00 00 00 68 00 20 00 a.t.i.o.n...h. .
00000360 01 00 46 00 69 00 6c 00 - 65 00 44 00 65 00 73 00 ..F.i.l.e.D.e.s.
00000370 63 00 72 00 69 00 70 00 - 74 00 69 00 6f 00 6e 00 c.r.i.p.t.i.o.n.
00000380 00 00 00 00 4d 00 69 00 - 63 00 72 00 6f 00 73 00 ....M.i.c.r.o.s.
00000390 6f 00 66 00 74 00 20 00 - 45 00 78 00 63 00 68 00 o.f.t. .E.x.c.h.
000003a0 61 00 6e 00 67 00 65 00 - 20 00 53 00 65 00 72 00 a.n.g.e. .S.e.r.
000003b0 76 00 65 00 72 00 20 00 - 53 00 65 00 74 00 75 00 v.e.r. .S.e.t.u.
000003c0 70 00 00 00 36 00 0b 00 - 01 00 46 00 69 00 6c 00 p...6.....F.i.l.
000003d0 65 00 56 00 65 00 72 00 - 73 00 69 00 6f 00 6e 00 e.V.e.r.s.i.o.n.
000003e0 00 00 00 00 35 00 2e 00 - 35 00 2e 00 31 00 39 00 ....5...5...1.9.
000003f0 36 00 30 00 2e 00 37 00 - 00 00 00 00 2c 00 06 00 6.0...7.....,...
00000400 01 00 49 00 6e 00 74 00 - 65 00 72 00 6e 00 61 00 ..I.n.t.e.r.n.a.
00000410 6c 00 4e 00 61 00 6d 00 - 65 00 00 00 53 00 65 00 l.N.a.m.e...S.e.
00000420 74 00 75 00 70 00 00 00 - a6 00 41 00 01 00 4c 00 t.u.p...¦.A...L.
00000430 65 00 67 00 61 00 6c 00 - 43 00 6f 00 70 00 79 00 e.g.a.l.C.o.p.y.
00000440 72 00 69 00 67 00 68 00 - 74 00 00 00 43 00 6f 00 r.i.g.h.t...C.o.
00000450 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 20 00 p.y.r.i.g.h.t. .
00000460 02 00 00 00 00 00 00 00 - 01 00 00 00 4c 00 00 00 ............L...
00000470 3c fd 06 00 05 00 00 00 - 00 00 00 00 65 05 00 00 <ý..........e...
00000480 02 00 00 00 00 00 00 00 - 00 00 00 00 53 00 65 00 ............S.e.
00000490 72 00 76 00 69 00 63 00 - 65 00 20 00 50 00 61 00 r.v.i.c.e. .P.a.
000004a0 63 00 6b 00 20 00 33 00 - 00 00 24 00 54 02 00 00 c.k. .3...$.T...
000004b0 00 02 00 00 18 04 34 00 - 00 00 56 00 53 00 5f 00 ......4...V.S._.
000004c0 56 00 45 00 52 00 53 00 - 49 00 4f 00 4e 00 5f 00 V.E.R.S.I.O.N._.
000004d0 49 00 4e 00 46 00 4f 00 - 00 00 00 00 bd 04 ef fe I.N.F.O.....½.ïþ
000004e0 00 00 01 00 05 00 05 00 - 07 00 a8 07 05 00 05 00 ..........¨.....
000004f0 07 00 a8 07 3f 00 00 00 - 00 00 00 00 04 00 04 00 ..¨.?...........
00000500 01 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000510 78 03 00 00 01 00 53 00 - 74 00 72 00 69 00 6e 00 x.....S.t.r.i.n.
00000520 67 00 46 00 69 00 6c 00 - 65 00 49 00 6e 00 66 00 g.F.i.l.e.I.n.f.
00000530 6f 00 00 00 54 03 00 00 - 01 00 30 00 34 00 30 00 o...T.....0.4.0.
00000540 39 00 30 00 34 00 42 00 - 30 00 00 00 18 00 00 00 9.0.4.B.0.......
00000550 01 00 43 00 6f 00 6d 00 - 6d 00 65 00 6e 00 74 00 ..C.o.m.m.e.n.t.
00000560 73 00 00 00 4c 00 16 00 - 01 00 43 00 6f 00 6d 00 s...L.....C.o.m.
00000570 70 00 61 00 6e 00 79 00 - 4e 00 61 00 6d 00 65 00 p.a.n.y.N.a.m.e.
00000580 00 00 00 00 4d 00 69 00 - 63 00 72 00 6f 00 73 00 ....M.i.c.r.o.s.
00000590 6f 00 66 00 74 00 20 00 - 43 00 6f 00 72 00 70 00 o.f.t. .C.o.r.p.
000005a0 6f 00 72 00 61 00 74 00 - 69 00 6f 00 6e 00 00 00 o.r.a.t.i.o.n...
000005b0 68 00 20 00 01 00 46 00 - 69 00 6c 00 65 00 44 00 h. ...F.i.l.e.D.
000005c0 65 00 73 00 63 00 72 00 - 69 00 70 00 74 00 69 00 e.s.c.r.i.p.t.i.
000005d0 6f 00 6e 00 00 00 00 00 - 4d 00 69 00 63 00 72 00 o.n.....M.i.c.r.
000005e0 6f 00 73 00 6f 00 66 00 - 74 00 20 00 45 00 78 00 o.s.o.f.t. .E.x.
000005f0 63 00 68 00 61 00 6e 00 - 67 00 65 00 20 00 53 00 c.h.a.n.g.e. .S.
00000600 65 00 72 00 76 00 65 00 - 72 00 20 00 53 00 65 00 e.r.v.e.r. .S.e.
00000610 74 00 75 00 70 00 00 00 - 36 00 0b 00 01 00 46 00 t.u.p...6.....F.
00000620 69 00 6c 00 65 00 56 00 - 65 00 72 00 73 00 69 00 i.l.e.V.e.r.s.i.
00000630 6f 00 6e 00 00 00 00 00 - 35 00 2e 00 35 00 2e 00 o.n.....5...5...
00000640 31 00 39 00 36 00 30 00 - 2e 00 37 00 00 00 00 00 1.9.6.0...7.....
00000650 2c 00 06 00 01 00 49 00 - 6e 00 74 00 65 00 72 00 ,.....I.n.t.e.r.
00000660 6e 00 61 00 6c 00 4e 00 - 61 00 6d 00 65 00 00 00 n.a.l.N.a.m.e...
00000670 53 00 65 00 74 00 75 00 - 70 00 00 00 9a 00 3b 00 S.e.t.u.p.....;.
00000680 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
00000690 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
000006a0 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
000006b0 74 00 20 00 02 00 00 00 - 00 00 00 00 01 00 00 00 t. .............
000006c0 4c 00 00 00 3c fd 06 00 - 05 00 00 00 00 00 00 00 L...<ý..........
000006d0 65 05 00 00 02 00 00 00 - 00 00 00 00 00 00 00 00 e...............
000006e0 53 00 65 00 72 00 76 00 - 69 00 63 00 65 00 20 00 S.e.r.v.i.c.e. .
000006f0 50 00 61 00 63 00 6b 00 - 20 00 33 00 00 00 24 00 P.a.c.k. .3...$.
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 14 02 00 00 10 02 00 00 - 00 02 00 00 04 03 34 00 ..............4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 1c 00 08 00 ....½.ïþ........
00000040 00 00 00 00 00 00 08 00 - 00 00 00 00 3f 00 00 00 ............?...
00000050 00 00 00 00 04 00 00 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 64 02 00 00 01 00 53 00 ........d.....S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 40 02 00 00 e.I.n.f.o...@...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 62 00 ..0.4.0.9.0.4.b.
000000a0 30 00 00 00 44 00 12 00 - 01 00 43 00 6f 00 6d 00 0...D.....C.o.m.
000000b0 70 00 61 00 6e 00 79 00 - 4e 00 61 00 6d 00 65 00 p.a.n.y.N.a.m.e.
000000c0 00 00 00 00 43 00 6f 00 - 72 00 65 00 6c 00 20 00 ....C.o.r.e.l. .
000000d0 43 00 6f 00 72 00 70 00 - 6f 00 72 00 61 00 74 00 C.o.r.p.o.r.a.t.
000000e0 69 00 6f 00 6e 00 00 00 - 4e 00 13 00 01 00 46 00 i.o.n...N.....F.
000000f0 69 00 6c 00 65 00 44 00 - 65 00 73 00 63 00 72 00 i.l.e.D.e.s.c.r.
00000100 69 00 70 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 i.p.t.i.o.n.....
00000110 43 00 6f 00 72 00 65 00 - 6c 00 20 00 53 00 65 00 C.o.r.e.l. .S.e.
00000120 74 00 75 00 70 00 20 00 - 57 00 69 00 7a 00 61 00 t.u.p. .W.i.z.a.
00000130 72 00 64 00 00 00 00 00 - 2c 00 06 00 01 00 46 00 r.d.....,.....F.
00000140 69 00 6c 00 65 00 56 00 - 65 00 72 00 73 00 69 00 i.l.e.V.e.r.s.i.
00000150 6f 00 6e 00 00 00 00 00 - 38 00 2e 00 30 00 32 00 o.n.....8...0.2.
00000160 38 00 00 00 46 00 13 00 - 01 00 49 00 6e 00 74 00 8...F.....I.n.t.
00000170 65 00 72 00 6e 00 61 00 - 6c 00 4e 00 61 00 6d 00 e.r.n.a.l.N.a.m.
00000180 65 00 00 00 43 00 6f 00 - 72 00 65 00 6c 00 20 00 e...C.o.r.e.l. .
00000190 53 00 65 00 74 00 75 00 - 70 00 20 00 57 00 69 00 S.e.t.u.p. .W.i.
000001a0 7a 00 61 00 72 00 64 00 - 00 00 00 00 6c 00 24 00 z.a.r.d.....l.$.
000001b0 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
000001c0 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
000001d0 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
000001e0 74 00 20 00 a9 00 20 00 - 31 00 39 00 39 00 37 00 t. .©. .1.9.9.7.
000001f0 2c 00 20 00 43 00 6f 00 - 72 00 65 00 6c 00 20 00 ,. .C.o.r.e.l. .
00000200 43 00 6f 00 72 00 70 00 - 6f 00 72 00 08 00 00 00 C.o.r.p.o.r.....
00000210 00 00 00 00 ....
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 14 02 00 00 10 02 00 00 - 00 02 00 00 38 03 34 00 ............8.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 02 00 0a 00 ....½.ïþ........
00000040 01 00 0a 00 02 00 0a 00 - 01 00 0a 00 00 00 00 00 ................
00000050 00 00 00 00 04 00 01 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 98 02 00 00 01 00 53 00 ..............S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 74 02 00 00 e.I.n.f.o...t...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 45 00 ..0.4.0.9.0.4.E.
000000a0 34 00 00 00 4a 00 15 00 - 01 00 43 00 6f 00 6d 00 4...J.....C.o.m.
000000b0 70 00 61 00 6e 00 79 00 - 4e 00 61 00 6d 00 65 00 p.a.n.y.N.a.m.e.
000000c0 00 00 00 00 53 00 79 00 - 6d 00 61 00 6e 00 74 00 ....S.y.m.a.n.t.
000000d0 65 00 63 00 20 00 43 00 - 6f 00 72 00 70 00 6f 00 e.c. .C.o.r.p.o.
000000e0 72 00 61 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 r.a.t.i.o.n.....
000000f0 60 00 1c 00 01 00 46 00 - 69 00 6c 00 65 00 44 00 `.....F.i.l.e.D.
00000100 65 00 73 00 63 00 72 00 - 69 00 70 00 74 00 69 00 e.s.c.r.i.p.t.i.
00000110 6f 00 6e 00 00 00 00 00 - 53 00 79 00 6d 00 61 00 o.n.....S.y.m.a.
00000120 6e 00 74 00 65 00 63 00 - 20 00 53 00 79 00 6d 00 n.t.e.c. .S.y.m.
00000130 65 00 76 00 65 00 6e 00 - 74 00 20 00 49 00 6e 00 e.v.e.n.t. .I.n.
00000140 73 00 74 00 61 00 6c 00 - 6c 00 65 00 72 00 00 00 s.t.a.l.l.e.r...
00000150 34 00 0a 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 4.....F.i.l.e.V.
00000160 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
00000170 31 00 30 00 2e 00 32 00 - 2e 00 31 00 30 00 2e 00 1.0...2...1.0...
00000180 31 00 00 00 30 00 08 00 - 01 00 49 00 6e 00 74 00 1...0.....I.n.t.
00000190 65 00 72 00 6e 00 61 00 - 6c 00 4e 00 61 00 6d 00 e.r.n.a.l.N.a.m.
000001a0 65 00 00 00 53 00 45 00 - 56 00 49 00 4e 00 53 00 e...S.E.V.I.N.S.
000001b0 54 00 00 00 7e 00 2d 00 - 01 00 4c 00 65 00 67 00 T...~.-...L.e.g.
000001c0 61 00 6c 00 43 00 6f 00 - 70 00 79 00 72 00 69 00 a.l.C.o.p.y.r.i.
000001d0 67 00 68 00 74 00 00 00 - 43 00 6f 00 70 00 79 00 g.h.t...C.o.p.y.
000001e0 72 00 69 00 67 00 68 00 - 74 00 20 00 28 00 43 00 r.i.g.h.t. .(.C.
000001f0 29 00 20 00 53 00 79 00 - 6d 00 61 00 6e 00 74 00 ). .S.y.m.a.n.t.
00000200 65 00 63 00 20 00 43 00 - 6f 00 72 00 01 00 00 00 e.c. .C.o.r.....
00000210 00 00 00 00 ....
....
podinbristol
2006-12-11, 15:46
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Class Name: <NO CLASS>
Last Write Time: 26/11/2006 - 13:40
Value 0
Name: Debugger
Type: REG_SZ
Data: "C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\C3HP1WMM\PROCESSEXPLORER[1]\PROCEXP.EXE"
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.DLL
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:30
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 14 02 00 00 10 02 00 00 - 00 02 00 00 7c 03 34 00 ............|.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 00 00 01 00 ....½.ïþ........
00000040 09 00 26 00 00 00 01 00 - 09 00 26 00 3f 00 00 00 .&..... .&.?...
00000050 00 00 00 00 04 00 00 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - dc 02 00 00 01 00 53 00 ........Ü.....S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 b8 02 00 00 e.I.n.f.o...¸...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 62 00 ..0.4.0.9.0.4.b.
000000a0 30 00 00 00 66 00 27 00 - 01 00 43 00 6f 00 6d 00 0...f.'...C.o.m.
000000b0 6d 00 65 00 6e 00 74 00 - 73 00 00 00 42 00 75 00 m.e.n.t.s...B.u.
000000c0 73 00 69 00 6e 00 65 00 - 73 00 73 00 20 00 49 00 s.i.n.e.s.s. .I.
000000d0 6e 00 74 00 65 00 6c 00 - 6c 00 69 00 67 00 65 00 n.t.e.l.l.i.g.e.
000000e0 6e 00 63 00 65 00 20 00 - 6f 00 6e 00 20 00 45 00 n.c.e. .o.n. .E.
000000f0 76 00 65 00 72 00 79 00 - 20 00 44 00 65 00 73 00 v.e.r.y. .D.e.s.
00000100 6b 00 74 00 6f 00 70 00 - 00 00 00 00 48 00 14 00 k.t.o.p.....H...
00000110 01 00 43 00 6f 00 6d 00 - 70 00 61 00 6e 00 79 00 ..C.o.m.p.a.n.y.
00000120 4e 00 61 00 6d 00 65 00 - 00 00 00 00 43 00 6f 00 N.a.m.e.....C.o.
00000130 67 00 6e 00 6f 00 73 00 - 20 00 49 00 6e 00 63 00 g.n.o.s. .I.n.c.
00000140 6f 00 72 00 70 00 6f 00 - 72 00 61 00 74 00 65 00 o.r.p.o.r.a.t.e.
00000150 64 00 00 00 60 00 1c 00 - 01 00 46 00 69 00 6c 00 d...`.....F.i.l.
00000160 65 00 44 00 65 00 73 00 - 63 00 72 00 69 00 70 00 e.D.e.s.c.r.i.p.
00000170 74 00 69 00 6f 00 6e 00 - 00 00 00 00 43 00 6f 00 t.i.o.n.....C.o.
00000180 67 00 6e 00 6f 00 73 00 - 20 00 47 00 65 00 6e 00 g.n.o.s. .G.e.n.
00000190 65 00 72 00 69 00 63 00 - 20 00 49 00 6e 00 73 00 e.r.i.c. .I.n.s.
000001a0 74 00 61 00 6c 00 6c 00 - 61 00 74 00 69 00 6f 00 t.a.l.l.a.t.i.o.
000001b0 6e 00 00 00 38 00 0c 00 - 01 00 46 00 69 00 6c 00 n...8.....F.i.l.
000001c0 65 00 56 00 65 00 72 00 - 73 00 69 00 6f 00 6e 00 e.V.e.r.s.i.o.n.
000001d0 00 00 00 00 31 00 2c 00 - 20 00 30 00 2c 00 20 00 ....1.,. .0.,. .
000001e0 33 00 38 00 2c 00 20 00 - 39 00 00 00 30 00 08 00 3.8.,. .9...0...
000001f0 01 00 49 00 6e 00 74 00 - 65 00 72 00 6e 00 61 00 ..I.n.t.e.r.n.a.
00000200 6c 00 4e 00 61 00 6d 00 - 65 00 00 00 01 00 00 00 l.N.a.m.e.......
00000210 00 00 00 00 ....
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: Debugger
Type: REG_SZ
Data: ntsd -d
Value 1
Name: GlobalFlag
Type: REG_SZ
Data: 0x000010F0
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
Class Name: <NO CLASS>
Last Write Time: 06/12/2005 - 00:25
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 14 02 00 00 10 02 00 00 - 00 02 00 00 a4 02 34 00 ............¤.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 00 00 01 00 ....½.ïþ........
00000040 01 00 00 00 00 00 01 00 - 01 00 00 00 3f 00 00 00 ............?...
00000050 00 00 00 00 01 00 01 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 04 02 00 00 01 00 53 00 ..............S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 e0 01 00 00 e.I.n.f.o...à...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 45 00 ..0.4.0.9.0.4.E.
000000a0 34 00 00 00 20 00 00 00 - 01 00 43 00 6f 00 6d 00 4... .....C.o.m.
000000b0 70 00 61 00 6e 00 79 00 - 4e 00 61 00 6d 00 65 00 p.a.n.y.N.a.m.e.
000000c0 00 00 00 00 58 00 18 00 - 01 00 46 00 69 00 6c 00 ....X.....F.i.l.
000000d0 65 00 44 00 65 00 73 00 - 63 00 72 00 69 00 70 00 e.D.e.s.c.r.i.p.
000000e0 74 00 69 00 6f 00 6e 00 - 00 00 00 00 49 00 4e 00 t.i.o.n.....I.N.
000000f0 53 00 54 00 41 00 4c 00 - 4c 00 20 00 4d 00 46 00 S.T.A.L.L. .M.F.
00000100 43 00 20 00 41 00 70 00 - 70 00 6c 00 69 00 63 00 C. .A.p.p.l.i.c.
00000110 61 00 74 00 69 00 6f 00 - 6e 00 00 00 30 00 08 00 a.t.i.o.n...0...
00000120 01 00 46 00 69 00 6c 00 - 65 00 56 00 65 00 72 00 ..F.i.l.e.V.e.r.
00000130 73 00 69 00 6f 00 6e 00 - 00 00 00 00 31 00 2e 00 s.i.o.n.....1...
00000140 30 00 2e 00 30 00 30 00 - 31 00 00 00 30 00 08 00 0...0.0.1...0...
00000150 01 00 49 00 6e 00 74 00 - 65 00 72 00 6e 00 61 00 ..I.n.t.e.r.n.a.
00000160 6c 00 4e 00 61 00 6d 00 - 65 00 00 00 49 00 4e 00 l.N.a.m.e...I.N.
00000170 53 00 54 00 41 00 4c 00 - 4c 00 00 00 24 00 00 00 S.T.A.L.L...$...
00000180 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
00000190 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
000001a0 28 00 00 00 01 00 4c 00 - 65 00 67 00 61 00 6c 00 (.....L.e.g.a.l.
000001b0 54 00 72 00 61 00 64 00 - 65 00 6d 00 61 00 72 00 T.r.a.d.e.m.a.r.
000001c0 6b 00 73 00 00 00 00 00 - 40 00 0c 00 01 00 4f 00 k.s.....@.....O.
000001d0 72 00 69 00 67 00 69 00 - 6e 00 61 00 6c 00 46 00 r.i.g.i.n.a.l.F.
000001e0 69 00 6c 00 65 00 6e 00 - 61 00 6d 00 65 00 00 00 i.l.e.n.a.m.e...
000001f0 49 00 4e 00 53 00 54 00 - 41 00 4c 00 4c 00 2e 00 I.N.S.T.A.L.L...
00000200 45 00 58 00 45 00 00 00 - 30 00 08 00 08 00 00 00 E.X.E...0.......
00000210 00 00 00 00
Hi
That key what we tried to delete with reg files exists. Don't know why reg file failed.
Let's trythis:
Go to start -> run -> regedit -> ok
Browse to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Right-click that key and choose delete
Reboot
Did it help?
podinbristol
2006-12-12, 23:32
;)
It's back! All fine now, thanks for getting to the bottom of this!
Could I just ask you one more question please? Digressing slightly, but still on this thread...?
Where is the line between having too much antivirus & malware software etc that slows your system, and not enough to keep you clear? I mean, lots of posts advise against having similar applications running together, but how much is too much?
I have Norton Protection Centre (with antivirus/spy plus firewall) I also have AVG 7.5 (although only trial). Is it worth buying AVG to run with Norton, and what about all the other free anti-* software you recommend in this thread? I run AdAware frequently, plus HJT and SpyBot - is this enough protection for me?
Thanking you again. : )
Hi
Just one firewall and antivirus active at the same time. AVG anti-spyware is ok with or without real-time protection.
If you already have purchased Norton then there's no need to uninstall it and install free av.
I'd add MVPS hosts file and spywareblaster to your protection, otherwise sounds good to me :)
And for that Process Explorer, you seemed to run it from temp folder which is always bad thing. Please always save all your downloads to permanent folder in the futute :)
podinbristol
2006-12-15, 22:59
:)
I have been reading about firewalls etc, and tried a recommended .exe called LeakTest which showed a vulnerability, and found Norton only blocks inbound, not outbound - is that a problem?
: )
Hi
Well, no firewall blocks everything. Failing in that test doesn't mean that Norton doesn't block any outbound traffic :)
Glad we could help, as the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.