Page 2 of 6 (results 11 to 20 of 57)

Thread: [LOGS] CMDService HELP me remove it...please

    #11 | Member | Join Date: Feb 2006 | Posts: 40

    I "spoke" too soon.

    Here's the MS scan results:

    Spyware Scan Details
    Start Date: 2/25/2006 11:32:50 AM
    End Date: 2/25/2006 11:41:02 AM
    Total Time: 8 mins 12 secs

    Detected Threats

    TV Media Display Adware more information...
    Details: TV Media Display is secretly installed on your computer to display advertising, usually pop-ups.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected files detected
    c:\documents and settings\taylor newcomb\application data\tvmcwrd.dll
    c:\documents and settings\taylor newcomb\application data\tvmknwrd.dll


    CoolWebSearch.StartPage Browser Modifier more information...
    Details: CoolWebSearch StartPage changes Internet Explorers start page, however, it does not allow you to change the URL.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected registry keys/values detected
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Page_bak


    AproposMedia Browser Modifier more information...
    Details: AproposMedia is a browser modifier that installs with PeopleOnPage (POP). AproposMedia displays pop-up advertisements and changes browser settings.
    Status: Removed
    Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

    Infected registry keys/values detected
    HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
    HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32 C:\Program Files\CxtPls\CxtPls.exe
    HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\ProgID
    HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\VersionIndependentProgID
    HKEY_CLASSES_ROOT\clsid\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}


    ShopAtHome Spyware more information...
    Details: ShopAtHome is a browser redirector that monitors your browsing behavior and online purchases.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    C:\WINDOWS\Downloaded Program Files\GRInstall6.dll


    webHancer Spyware more information...
    Details: WebHancer is a spyware program that launches at Windows startup, monitors the Web sites you view, and sends their performance data back to webHancers servers.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\windows\winskw\jau5055.dat
    c:\windows\winskw\jsy5055.dat
    c:\windows\winskw\rge5055.dat
    c:\windows\winskw\sty5055.dat
    c:\windows\winskw\ydn5055.dat

    Infected folders detected
    c:\windows\winskw


    Comet Systems Adware more information...
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\windows\downloaded program files\dm.inf
    c:\windows\inf\dm.inf
    c:\windows\inf\dm.pnf


    Internet Enhancement Pak Adware more information...
    Details: Internet Enhancement Pak is adware that is bundled in free software products.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    C:\WINDOWS\Downloaded Program Files\actsetup.inf

    Infected registry keys/values detected
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\VersionIndependentProgID actsetup.ActSetupObj
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} CActSetupObj Object
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} AppID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 C:\WINDOWS\Downloaded Program Files\actsetup.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 ThreadingModel apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus\1 131473
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ProgID actsetup.ActSetupObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ToolboxBitmap32 C:\WINDOWS\Downloaded Program Files\actsetup.dll, 1
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 C:\WINDOWS\Downloaded Program Files\actsetup.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\TypeLib {3CA12D40-90E0-4E18-A5EA-9C27B38A9228}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Version 1.0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\VersionIndependentProgID actsetup.ActSetupObj
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} CActSetupObj Object
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} AppID
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\system32\mfc42.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\system32\msvcrt.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\system32\olepro32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Contains\Files C:\WINDOWS\Downloaded Program Files\actsetup.dll
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InprocServer32 ThreadingModel apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\DownloadInformation CODEBASE http://www.odysseusmarketing.com/actsetup.cab
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\DownloadInformation INF C:\WINDOWS\Downloaded Program Files\actsetup.inf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InstalledVersion 1,0,0,1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\InstalledVersion LastModified Thu, 27 Jan 2005 22:39:14 GMT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} SystemComponent 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BAB3E70B-A847-4A88-ACFC-778FCCC00287} Installer MSICD
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/actsetup.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/actsetup.dll .Owner {BAB3E70B-A847-4A88-ACFC-778FCCC00287}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/actsetup.dll {BAB3E70B-A847-4A88-ACFC-778FCCC00287}
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus\1 131473
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\MiscStatus 0
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ProgID actsetup.ActSetupObj.1
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\ToolboxBitmap32 C:\WINDOWS\Downloaded Program Files\actsetup.dll, 1
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\TypeLib {3CA12D40-90E0-4E18-A5EA-9C27B38A9228}
    HKEY_CLASSES_ROOT\clsid\{BAB3E70B-A847-4A88-ACFC-778FCCC00287}\Version 1.0


    WinSoftware.Winfixer Potentially Unwanted Software more information...
    Details: Winfixer is known to be installed through inappropriate bundling and without users consent. It is a software that scans the users system for damaged files and attempts to fix it if the user pays a fee.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    C:\WINDOWS\system32\drivers\d_kmd.sys


    EliteMedia Adware more information...
    Details: Opens attributed popup advertisements. Adds their website to the Trusted Zones list.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    C:\WINDOWS\eliteunstall.exe


    Bitlocker Browser Modifier more information...
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\windows\system32\nsb3af.dll
    c:\windows\system32\nsc441.dll
    c:\windows\system32\nsl3c.dll
    c:\windows\system32\nsm9c.dll

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7} The Gimp
    HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24.1
    HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24.1\CLSID {01EB5130-FC0C-4d75-B9CE-4801B1B854F5}
    HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24.1 bitlocker
    HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24
    HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24\CLSID {01EB5130-FC0C-4d75-B9CE-4801B1B854F5}
    HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24\CurVer Le.Toy24.1
    HKEY_LOCAL_MACHINE\Software\Classes\Le.Toy24 bitlocker
    HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp.1
    HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp.1\CLSID {10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
    HKEY_CLASSES_ROOT\ONONE.Thegimp.1
    HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp.1 The Gimp
    HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp
    HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp\CLSID {10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
    HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp\CurVer ONONE.Thegimp.1
    HKEY_LOCAL_MACHINE\Software\Classes\ONONE.Thegimp The Gimp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker affilate_id Justin
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker request_queue
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker version 1.32
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker db_number 2
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ONONE.Thegimp.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker popup_delay 2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker refresh_time 60
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker related_pop_type popunder
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ezula_maxdup 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker rand_context_distortion 5
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker navigation_error http://69.42.87.219/e.html
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker popup_time_distortion 2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ezula_maxhilight 7
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker rand_contextual_pop_type popunder
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker popup_ctx_delay 25
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ezula_enabled true
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker random_contextual_enabled true
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker program_push_enabled true
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker icon_drop_enabled true
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker related_popups_enabled true
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker internal_affiliate_id 766
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\InprocServer32 C:\WINDOWS\system32\nsm9C.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker country_id 225
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker install_timestamp 1138590229
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_refresh_time 1139681991
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_ezulasync 1138232405
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker push_list
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_push_time 1138590152
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker pushed_already
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker date 20060211182546
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\InprocServer32 ThreadingModel Apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker update_url http://new.trafficsector.com/smb/adm...ilent.1.32.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker ctx_popup_shown
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker next_ctx_popup_time 1139682984
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker last_ezula_update_ID 566
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker next_related_time 1139682731
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker installation_id fb577dc9-3b2a-4211-9718-91a507ec4bcf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Bit1ocker user_id 97901
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\ProgID ONONE.Thegimp.1
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\TypeLib {82910CE3-D86A-435a-A519-6A8C369855D3}
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{10049D2A-2965-4e4f-8C7E-CB33AD95FEB7}\VersionIndependentProgID ONONE.Thegimp


    IBIS Toolbar Adware more information...
    Details: IBIS Toolbar is an Internet Explorer search redirector.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0 Toolbar Library
    HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\0\win32 C:\PROGRA~1\Toolbar\toolbar.dll
    HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\FLAGS 4
    HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\HELPDIR C:\PROGRA~1\Toolbar\
    HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0 Toolbar Library
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\0\win32 C:\PROGRA~1\Toolbar\toolbar.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\FLAGS 4
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}\1.0\HELPDIR C:\PROGRA~1\Toolbar\


    Virtual Bouncer Adware more information...
    Status: Removed
    Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

    Infected files detected
    c:\windows\system32\innervbinstall.log


    TopRebates.WebRebates Adware more information...
    Details: TopRebates is a browser toolbar that can display pop-up advertisements and monitor your Web browsing activities.
    Status: Removed
    Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

    Infected files detected
    c:\windows\artmmp.ini


    DelFin.Media Viewer Adware more information...
    Details: DelFin Media Viewer, also called PromulGate, is an adware-based media player.
    Status: Quarantined
    Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

    Infected files detected
    c:\documents and settings\all users\application data\pcsvc\adverts\dmv_pop_dp-us-t.dfn
    c:\documents and settings\all users\application data\pcsvc\adverts\ink_inkline002-t.dfn
    c:\documents and settings\all users\application data\pcsvc\adverts\ink_inkline006-t.dfn
    c:\documents and settings\all users\application data\pcsvc\adverts\ink_inkline023-t.dfn
    c:\documents and settings\all users\application data\pcsvc\adverts\qf_040226-a203.dfn

    Infected folders detected
    c:\documents and settings\all users\application data\pcsvc
    c:\documents and settings\all users\application data\pcsvc\adverts


    Claria.GAIN Adware more information...
    Details: Claria.GAIN displays pop-up advertisements based on collected information about you and your Web browsing activities. Claria.GAIN is bundled with advertisement-supported programs from Claria and other companies.
    Status: Removed
    Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

    Infected files detected
    c:\windows\gatorpatch.log


    PowerReg Scheduler Potentially Unwanted Software more information...
    Details: PowerReg Scheduler is a registration system used by some legitimate software programs.
    Status: Quarantined
    Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

    Infected files detected
    C:\Documents and Settings\Taylor Newcomb\Start Menu\Programs\Startup\PowerReg Scheduler.exe


    Detected Spyware Cookies
    No spyware cookies were found during this scan.

    #12 | Member | Join Date: Feb 2006 | Posts: 40

    more information

    ykoiwq.exe keeps getting blocked by ewido. ~every 15 minutes.

    File: ykoiwq.exe
    path: c:\windows\system32
    Infection Downloader.Qoologic.aw

    When I get this I hit "ok" and let ewido Block & Clean

    #13 | Expert-Emeritus illukka | Join Date: Nov 2005 | Location: The Pits Of Hell | Posts: 1,289

    hi

    this is very odd, a safe mode scan with updated ewido should be enough to clean this infection

    try it again, then post the scan results and a fresh hjt log
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

    #14 | Member | Join Date: Feb 2006 | Posts: 40

    Re-ran the current version of ewido in safe mode

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:16:57 PM, 3/4/2006
    + Report-Checksum: AE736C24

    + Scan result:

    HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Error during cleaning
    HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Error during cleaning
    HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Error during cleaning
    HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Error during cleaning
    HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Error during cleaning
    HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Error during cleaning
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@com[2].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@ehg-communityconnect.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Taylor Newcomb\Cookies\taylor newcomb@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
    C:\WINDOWS\system32\kcbsfvf.exe -> Downloader.Qoologic.aw : Cleaned with backup
    C:\WINDOWS\system32\qvyap.dat -> Downloader.Qoologic.aw : Cleaned with backup
    C:\WINDOWS\system32\ykoiwq.exe -> Downloader.Qoologic.aw : Cleaned with backup
    C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll -> Trojan.VB.aft : Cleaned with backup


    ::Report End

    #15 | Member | Join Date: Feb 2006 | Posts: 40

    HijackThis log after ewido scan and reboot "normal"

    Logfile of v1.99.1
    Scan saved at 1:20:23 PM, on 3/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://launch.yahoo.com/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094677901601
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1139682212216
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    #16 | Expert-Emeritus illukka | Join Date: Nov 2005 | Location: The Pits Of Hell | Posts: 1,289

    hi

    that looks good, can you post me a startuplist from hijackthis:

    open hjt, click open misc tools section
    scroll until you see "generate startuplist log"
    put checkmarks in both boxes, then click the "generate startuplist log"-button
    save the log and post its contents here
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak The Truth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
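
    One way to produce the same kind of inventory without HijackThis, as an added example that is not code from this thread or from the HijackThis/StartupList authors: the PowerShell below walks the Run-family keys (including their subkeys, which is where Autoruns parks disabled entries), the Winlogon Userinit and Shell values, and the .exe/.com/.bat/.pif/.scr open commands that a StartupList report covers, and flags an image that is missing, has a non-printable character in its path, uses a digits-only folder and file name, or carries no valid Authenticode signature. It assumes Windows PowerShell 5.1 or later on Windows, run from an elevated prompt; the function names, the flagging rules and the reading of a displayed '?' as an unrenderable character are my assumptions, not anything the thread states.

```powershell
# Added example, not code from the thread or from HijackThis: walk the persistence
# points a StartupList report covers and flag entries worth a closer look. Assumes
# Windows PowerShell 5.1+ on Windows, run elevated; function names and checks are mine.

$runKeys = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce' |
    ForEach-Object { "Software\Microsoft\Windows\CurrentVersion\$_" }
$runKeys += 'Software\Microsoft\Windows NT\CurrentVersion\Run'
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Stock open-command defaults for the file types StartupList checks.
$assocExpected = @{ exefile = '"%1" %*'; comfile = '"%1" %*'; batfile = '"%1" %*'
                    piffile = '"%1" %*'; scrfile = '"%1" /S' }

# Pull the executable out of a command line such as
#   "C:\Program Files\saar\elat.exe" -vt tzt   or   C:\WINDOWS\System32\userinit.exe,
# (unquoted paths containing spaces are a blind spot of this simple parser).
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { $image = $Matches[1] }
    elseif ($cmd -match '^(\S+?\.(exe|dll|scr|com|bat|cmd|pif))(\s|,|$)') { $image = $Matches[1] }
    else { $image = ($cmd -split '[\s,]+')[0] }
    # Bare names such as Explorer.exe are resolved through PATH.
    if ($image -and $image -notmatch '\\') {
        $app = Get-Command -Name $image -CommandType Application -ErrorAction SilentlyContinue
        if ($app) { return @($app)[0].Path }
    }
    return $image
}

# Cheap checks StartupList leaves to the reader; returns $null when nothing stands out.
function Test-Suspicious([string]$Path) {
    if (-not $Path) { return $null }
    $reasons = @(); $exists = $false
    try { $exists = Test-Path -LiteralPath $Path -PathType Leaf -ErrorAction Stop } catch { }
    if (-not $exists) { $reasons += 'image file not found' }
    # A '?' in a displayed path is usually a character the console could not render
    # (compare n?pdb.exe in the StartupList log in this thread); treat it as non-ASCII.
    if ($Path -match '[^\x20-\x7E]|\?') { $reasons += 'non-ASCII or unprintable character in path' }
    # Digits-only folder and file names, as in C:\PROGRA~1\2524408\2524408.exe.
    if ($Path -match '\\\d{4,}\\\d{4,}\.exe$') { $reasons += 'digits-only folder and file name' }
    if ($exists) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode: $($sig.Status)" }
    }
    if ($reasons.Count) { return ($reasons -join '; ') } else { return $null }
}

function New-Entry($Location, $Name, $Command, $Subkey = '') {
    $image = Get-ImagePath $Command
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command
                       Subkey = $Subkey; Image = $image; Flag = Test-Suspicious $image }
}

function Get-AutorunEntries {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in $runKeys) {
            $base = "${hive}:\$key"
            if (-not (Test-Path -LiteralPath $base)) { continue }
            # Subkeys are included: Windows ignores subkeys of Run (RunOnceEx excepted), and
            # Sysinternals Autoruns disables an entry by moving it into an AutorunsDisabled
            # subkey, which is why such entries appear in a StartupList log with no process.
            $root = Get-Item -LiteralPath $base
            $keys = @($root) + @(Get-ChildItem -LiteralPath $base -Recurse -ErrorAction SilentlyContinue)
            foreach ($k in $keys) {
                $sub = $k.Name.Substring($root.Name.Length).TrimStart('\')
                foreach ($name in $k.GetValueNames()) {
                    $value = [string]$k.GetValue($name, '', 'DoNotExpandEnvironmentNames')
                    if ($value) { New-Entry $k.Name $name $value $sub }
                }
            }
        }
    }
}

function Get-WinlogonEntries {
    # Userinit and Shell are comma-separated lists; each element is a program Winlogon starts.
    foreach ($name in 'Userinit', 'Shell') {
        $value = [string](Get-Item -LiteralPath $winlogon).GetValue($name, '')
        foreach ($part in ($value -split ',' | Where-Object { $_.Trim() })) {
            New-Entry $winlogon $name $part.Trim()
        }
    }
}

function Get-AssociationEntries {
    foreach ($ft in $assocExpected.Keys) {
        $key = "Registry::HKEY_CLASSES_ROOT\$ft\shell\open\command"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $cmd = [string](Get-Item -LiteralPath $key).GetValue('')
        $flag = if ($cmd -ne $assocExpected[$ft]) { "expected $($assocExpected[$ft])" } else { $null }
        [pscustomobject]@{ Location = $key; Name = '(default)'; Command = $cmd; Subkey = ''; Image = $null; Flag = $flag }
    }
}

$report = @(Get-AutorunEntries) + @(Get-WinlogonEntries) + @(Get-AssociationEntries)
$report | Format-Table Location, Name, Command, Subkey, Flag -AutoSize -Wrap
```

    Entries whose Subkey column is non-empty (for example AutorunsDisabled) are listed because they are still in the registry and usually still on disk, but Windows does not execute values from subkeys of a Run key, which is why an entry can show up in a StartupList log with no matching line in the running-processes section. The signature check is noisy on older software that was never signed; treat a flag as a prompt to look, not as a verdict.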

  7. #17
    Member
    Join Date
    Feb 2006
    Posts
    40

    Default Startup List From Hijack.....

    StartupList report, 3/5/2006, 10:45:24 AM
    StartupList version: 1.52.2
    Started from : C:\Program Files\HijackThis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\WINDOWS\system32\MsiExec.exe
    C:\Program Files\HijackThis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Taylor Newcomb\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\System32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
    Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [AutorunsDisabled]
    sms_msn = C:\WINDOWS\system32\sms_msn.exe
    sms_msn40 = C:\WINDOWS\system32\sms_msn40.exe

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [AutorunsDisabled]
    2524408 = C:\PROGRA~1\2524408\2524408.exe
    Cenygvy = C:\WINDOWS\system32\n?pdb.exe
    Lerm = "C:\Program Files\saar\elat.exe" -vt tzt
    irssyncd = C:\WINDOWS\system32\irssyncd.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: *Registry key not found*
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=48835

    [YInstStarter Class]
    InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
    CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeup...tent/opuc2.cab

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://v5.windowsupdate.microsoft.co...?1094677901601

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsof...?1139682212216

    [Housecall ActiveX 6.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://eu-housecall.trendmicro-europ...vex/hcImpl.cab

    [Groove Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\GrooveAX.dll
    CODEBASE = http://www.nick.com/common/groove/gx/GrooveAX27.cab

    [Java Plug-in]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.co...578.2812731481

    [Java Plug-in]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.3.1/jin...ndows-i586.cab

    [Java Plug-in]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Java Plug-in 1.5.0_06]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
    CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

    [IWinAmpActiveX Class]
    InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AmpX.dll
    CODEBASE = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    NameSpace #4: C:\WINDOWS\system32\pnrpnsp.dll
    NameSpace #5: C:\WINDOWS\system32\pnrpnsp.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll

  8. #18
    Member
    Join Date
    Feb 2006
    Posts
    40

    Default page 2.....................

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
    Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
    Accton EN1207D/2242A Adapter Driver: System32\DRIVERS\ACC07D.SYS (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
    ewido security suite driver: \??\C:\Program Files\ewido anti-malware\guard.sys (system)
    ewido security suite guard: C:\Program Files\ewido anti-malware\ewidoguard.exe (autostart)
    NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver: system32\DRIVERS\FA312nd5.sys (manual start)
    Netgear FA311/312 NDIS 5.0 Miniport Driver: system32\DRIVERS\FA31xND5.SYS (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\drivers\fltmgr.sys (system)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
    IIS Admin: C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
    IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
    IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
    RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (manual start)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (manual start)
    Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    FTP Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
    Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    nv4: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
    Peer Networking Group Authentication: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
    Peer Networking Identity Manager: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
    Peer Networking: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Peer Name Resolution Protocol: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
    Microsoft IntelliPoint Filter Driver: system32\DRIVERS\point32.sys (manual start)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: system32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver: System32\DRIVERS\SMC1211.SYS (manual start)
    Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
    SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
    SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
    Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{8BFD85C8-8C48-42D5-AE05-990D2CA37821} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
    Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
    ViaIde: System32\DRIVERS\viaide.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    World Wide Web Publishing: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    IBM PC Camera: System32\DRIVERS\C-itnt.sys (manual start)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 36,008 bytes
    Report generated in 0.751 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

  9. #19
    Expert-Emeritus illukka's Avatar
    Join Date
    Nov 2005
    Location
    The Pits Of Hell
    Posts
    1,289

    Default

    hi

    have you disabled some startup entries with msconfig or similar tool?

    please run msconfig again, re-enable everything
    then post a new hijackthis log
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  10. #20
    Member
    Join Date
    Feb 2006
    Posts
    40

    Default ok.....this is fun ...

Yes, I've used MSCONFIG to remove items from my computer. I followed your instructions, ran MSCONFIG and enabled everything... ewido and my MS Spyware went nuts after a reboot. Here are my logs...


    Spyware Scan Details
    Start Date: 3/5/2006 8:38:08 PM
    End Date: 3/5/2006 8:45:34 PM
    Total Time: 7 mins 26 secs

    Detected Threats

    ShopAtHome Spyware more information...
    Details: ShopAtHome is a browser redirector that monitors your browsing behavior and online purchases.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SAHAgent


    zSearch Adware more information...
    Details: zSearch is an Internet Explorer Toolbar that tracks your surfing and searching habits.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run zSearch


    Twain Tech Adware more information...
    Details: Twain Tech is an adware based Internet Explorer browser helper object that displays targeted advertisements based on your browsing patterns.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wast


    180Solutions.SearchAssistant Adware more information...
    Details: 180Solutions.SearchAssistant monitors your current Web browsing activity and displays pop-up advertisements related to the Internet sites you are viewing.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msbb


    eXact.BullseyeNetwork Adware more information...
    Details: eXact.BullseyeNetwork displays pop-up advertisements.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BullsEye Network


    eBates.WebSearch Adware more information...
    Details: eBates.WebSearch is a shopping tool that opens pop-up windows and modifies Internet Explorers home search pages.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run websearch


    TopRebates.WebRebates Adware more information...
    Details: TopRebates is a browser toolbar that can display pop-up advertisements and monitor your Web browsing activities.
    Status: Quarantined
    Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run webrebates
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WebRebates0


    Detected Spyware Cookies
    No spyware cookies were found during this scan.
