Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.
#1
A-squared guard?
Is it OK to have the a-squared guard running as well as my resident AV?
It doesn't seem to have caused any problems so far. I am using a-squared in place of Windows Defender, which suddenly refused to update.
#2
Howdy tupenix,
It would be a bad idea for anyone to guess at what may or may not work without knowing much more about your system. Aside from not running two AV programs at any time, or two of any active monitoring programs at the same time, many can co-exist. Of more interest is Defender not updating, as that is not usual behavior. Post back a HijackThis scan and let's see what is loaded there.
#3
Thanks for the reply.
Here's the HJT log you requested. I don't know if this is connected, but over the last few days my desktop icons keep reverting back to their "webpage" icons. When I try to change them back in "Properties", nothing happens.

Logfile of HijackThis v1.99.1
Scan saved at 00:28:04, on 22/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Abbie\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer,Chimp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file) (HKCU)
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143151602285
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/...x/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{74BEA0EF-D215-4D6A-A87F-30284B603FFA}: NameServer = 80.225.252.58 80.225.252.50
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
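A HijackThis log is a flat list of `Ox - ...` entries, and a helper reads it by section: O4 Run keys, O9 IE buttons, O15 Trusted Zone hosts, O17 name servers, O20 Winlogon Notify DLLs, O23 services. The Python below is an added example, not part of this thread and not HijackThis's own code: it parses that format and applies a few first-look rules of the kind a helper applies by eye, so that items such as the `(no file)` button, the `(file missing)` service and the O17 DNS servers are surfaced for verification. The embedded sample log copies lines from the post above and adds two constructed entries (a Run key pointing into a Temp folder and an extra Trusted Zone host), labelled as such in the code; the set of "known" DNS servers and the directories treated as trusted are assumptions the caller supplies. A hit means "verify this item", not "malware".

```python
"""Parse a HijackThis (HJT) log and flag the entries a helper looks at first.

Added example for this thread; not HijackThis code.  SAMPLE_LOG copies lines from
the posted log; the "[svchost]" Run entry and the "example-adserver.test" Trusted
Zone entry are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HJT entry is "<code> - <body>", e.g. "O4 - HKCU\..\Run: [Name] path".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Where auto-start executables are expected to live on an XP box (assumption).
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(Program Files|PROGRA~1|WINDOWS)\\", re.I)
# Trusted Zone hosts that Windows Update legitimately needs (assumption).
TRUSTED_ZONE_OK = ("microsoft.com", "windowsupdate.com")
# The O17 servers from the posted log, assumed to be the ISP's resolvers.
ISP_DNS = {"80.225.252.58", "80.225.252.50"}


@dataclass
class Entry:
    section: str  # "O4", "O23", ...
    body: str     # text after "Ox - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/N/O entries in log order; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _in_domain(host: str, suffixes: tuple[str, ...]) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(entries: list[Entry], known_dns: set[str]) -> list[tuple[str, str]]:
    """Apply first-look rules; returns (rule, evidence) pairs in log order."""
    findings = []
    for e in entries:
        b = e.body
        if e.section == "O4":
            # O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" args
            m = re.search(r'\]\s+"?([^"]+?\.exe)', b, re.I)
            if m and not TRUSTED_DIR_RE.match(m.group(1)):
                findings.append(("run-key-outside-program-dirs", m.group(1)))
        elif e.section == "O9" and "(no file)" in b:
            findings.append(("ie-button-no-file", b))
        elif e.section == "O15":
            # O15 - Trusted Zone: http://*.example.com  -> compare the bare host
            host = b.split(":", 1)[1].strip()
            host = re.sub(r"^https?://", "", host).lstrip("*.").rstrip("/")
            if not _in_domain(host, TRUSTED_ZONE_OK):
                findings.append(("unexpected-trusted-zone", host))
        elif e.section == "O17":
            unknown = [ip for ip in IPV4_RE.findall(b) if ip not in known_dns]
            if unknown:
                findings.append(("unexpected-dns-server", " ".join(unknown)))
        elif e.section == "O20" and "SYSTEM32" not in b.upper():
            findings.append(("winlogon-notify-outside-system32", b))
        elif e.section == "O23" and "(file missing)" in b:
            findings.append(("service-file-missing", b))
    return findings


SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Abbie\Local Settings\Temp\svchost.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file) (HKCU)
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.example-adserver.test
O17 - HKLM\System\CCS\Services\Tcpip\..\{74BEA0EF-D215-4D6A-A87F-30284B603FFA}: NameServer = 80.225.252.58 80.225.252.50
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""

if __name__ == "__main__":
    for rule, evidence in triage(parse_hjt(SAMPLE_LOG), ISP_DNS):
        print(f"{rule:36} {evidence}")
```

Run with an empty `known_dns` set and the O17 line is reported too; the rule only works when the caller knows which resolvers the ISP hands out, which is why it is a parameter rather than a constant.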
#4
No infection showing right now. I am not familiar enough with either BullGuard or a-squared, but it is not coincidence they use that word guard. You may want to open both and check settings to see what each places restrictions on. As I mentioned, you do not want to have two programs in active mode (both monitoring operation activities). You check on that, and let's take some additional looks. Please do the following.
Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts if needed.

Also, although you have already at some time run it, Go here for an online AV scan (requires IE to run). Scan "Local Disks" and when finished save the scan log and then post the log here.
#5
OK, I did the Silent Runners scan, but I could not get the Panda scan to work (I used IE). Even the links will not work from Google. (I even put the Panda scan site in the Trusted Zone.)
Anyway, here is the SR log:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BullGuard" = ""C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"" ["BullGuard Software"]
"a-squared" = ""C:\Program Files\a-squared\a2guard.exe"" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
  -> {HKLM...CLSID} = "a² Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
  -> {HKLM...CLSID} = "Logitech Gallery"
     \InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {HKLM...CLSID} = "a² Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" [null data]
bgshellext\(Default) = "{F4BF1657-195F-4A0F-ACA2-9AE99D65BC0E}"
  -> {HKLM...CLSID} = "MyShellExt Class"
     \InProcServer32\(Default) = "C:\Program Files\BullGuard Software\BullGuard\BGShellExt.dll" ["BullGuard Ltd."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

Default executables:
--------------------

HKLM\Software\Classes\htafile\shell\open\command\ = (key not found)
HKLM\Software\Classes\htafile\

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Abbie\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Enabled Scheduled Tasks:
------------------------

"Ad-Aware SE Personal" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" ["Lavasoft Sweden"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

BullGuard File Monitoring Service, BsFileSpy, "C:\WINDOWS\System32\svchost.exe -k bg5" {"C:\Program Files\BullGuard Software\BullGuard\BsFileSpy.dll" ["BullGuard Ltd."]}
BullGuard Firewall Service, BsFirewall, "C:\WINDOWS\System32\svchost.exe -k bg5" {"C:\Program Files\BullGuard Software\BullGuard\BsFirewall.dll" ["BullGuard Ltd."]}
BullGuard LiveUpdate, BGLiveSvc, ""C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe"" ["BullGuard Software"]
BullGuard Main Service, BGMainSvc, "C:\WINDOWS\System32\svchost.exe -k bg5" {"C:\Program Files\BullGuard Software\BullGuard\BsMain.dll" ["BullGuard, Ltd."]}

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 66 seconds, including 18 seconds for message boxes)
#6
It looks like some action has removed your HTA file opening association. I'll have to review that repair. We'll forego online scanning for now. Please do the following.

Download the trial version of Ewido Security Suite from here and install it. When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu". Launch Ewido (there should be an icon on your desktop; double-click it). The program will now go to the main screen. You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click Update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido: http://www.ewido.net/en/download/updates/. Do not run a scan yet.

-----------------------------------------------------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode). Run Ewido now. Click on Scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files; click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido. Reboot, and post the Ewido log back here please.
#7
OK, done.
Here's the Ewido report. NB, just to keep you up to date, the "icon" issue still persists, but I haven't noticed any other weird things (apart from the Panda thing). Should I uninstall a-squared (just in case it's a software conflict)?

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 23:44:11, 22/05/2006
+ Report-Checksum: E12B0A26

+ Scan result:

C:\Documents and Settings\Abbie\Desktop\maint\pspv.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned with backup

::Report End
#8
I don't know enough about that software to recommend keeping it for backup needs (as far as completely uninstalling), but surely make sure it is entirely disabled.
#9
OK, disabled the a-squared guard.
How about the HTA file thing, and the icon problem? (Thanks a lot for the help so far, Tom.)
#10
You are not forgotten - I am reviewing the correct methods to repair the registry entry for HTA. The source of the change to that is not clear (though that item found by Ewido gives a hint). Please do the following.

Go here and download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in this thread.
#11
OK Tom, I'm having to send this in two halves as there are too many characters in the full scan report.
(You must be some kind of genius if you can understand all this!!) NB, I've also noticed that "e-promter" (Hotmail notifier) keeps uninstalling itself.

Windows OS and Versions
Product Name: Microsoft Windows XP
Current Build: Service Pack 2
Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX!        24/02/2006 02:20:30     21312 C:\WINDOWS\choice.exe
aspack      06/03/2006 11:41:44    545280 C:\WINDOWS\flashax.exe

Checking %System% folder...
PEC2        23/08/2001 13:00:00     41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech       10/04/2006 13:00:34    555824 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2  04/05/2006 05:26:22   5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack      04/05/2006 05:26:22   5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack      04/08/2004 01:56:38    708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor    04/08/2004 01:56:46    657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync     23/08/2001 13:00:00   1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS
127.0.0.1 abetterinternet.com #[Downloader.Stubby.A][Adware.Aurora]
127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede][Troj/Dloader-IG]
127.0.0.1 agentq.vpptechnologies.com
127.0.0.1 ax.web-nexus.net #[TROJ_QOOLAID.R]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
127.0.0.1 js.vpptechnologies.com
127.0.0.1 media-0.vpptechnologies.com
127.0.0.1 media-1.vpptechnologies.com
127.0.0.1 media-2.vpptechnologies.com #[SiteAdvisor.fish-screensaver.com]
127.0.0.1 media-4.vpptechnologies.com
127.0.0.1 media-5.vpptechnologies.com
127.0.0.1 media-6.vpptechnologies.com
127.0.0.1 media-8.vpptechnologies.com #[SiteAdvisor.fish-screensaver.com]
127.0.0.1 media-a.vpptechnologies.com
127.0.0.1 media-b.vpptechnologies.com
127.0.0.1 media-c.vpptechnologies.com
127.0.0.1 media-d.vpptechnologies.com
127.0.0.1 media-e.vpptechnologies.com
127.0.0.1 media-f.vpptechnologies.com
127.0.0.1 msxml.vpptechnologies.com
127.0.0.1 s.abetterinternet.com
127.0.0.1 st.abetterinternet.com
127.0.0.1 static.abetterinternet.com
127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
127.0.0.1 stech.web-nexus.net #[Trojan-Downloader.Win32.Qoologic.p]
127.0.0.1 stech.web-nexus.net #[Trojan-Downloader.Win32.Qoologic.p]
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 web-nexus.net #[Adw.Web-Nexus.WebNexusAdServer]
127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]
127.0.0.1 www.ad-w-a-r-e.com #[AdWare.Win32.Look2Me.ab]
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 www.web-nexus.net
127.0.0.1 xml.vpptechnologies.com #[BlazeFind]

qoologic             10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.bak
PTech                10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.bak
SAHAgent             10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.bak
abetterinternet.com  10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.bak
web-nex              10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.bak
ad-w-a-r-e.com       10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS.bak
qoologic             10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
PTech                10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
SAHAgent             10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
abetterinternet.com  10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
web-nex              10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn
ad-w-a-r-e.com       10/05/2006 22:34:54    420272 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.msn

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
23/05/2006 14:20:00   S    2048 C:\WINDOWS\bootstat.dat
27/03/2006 00:47:42  RH       0 C:\WINDOWS\assembly\PublisherPolicy.tme
27/03/2006 00:47:42  RH       0 C:\WINDOWS\assembly\pubpol1.dat
29/03/2006 09:57:24  RH       0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index37.dat
10/05/2006 01:29:56  HS       5 C:\WINDOWS\SYSTEM32\AuxDrv32ds_g.ods
30/03/2006 11:03:56   S   22339 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
10/04/2006 13:01:22   S    7160 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
23/05/2006 14:21:08   H    1024 C:\WINDOWS\SYSTEM32\config\default.LOG
23/05/2006 14:20:24   H    1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
23/05/2006 14:22:12   H    1024 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
21/05/2006 00:39:46   H    8192 C:\WINDOWS\SYSTEM32\config\SECURITY.tmp.LOG
23/05/2006 18:30:06   H    1024 C:\WINDOWS\SYSTEM32\config\software.LOG
21/05/2006 00:39:50   H   28672 C:\WINDOWS\SYSTEM32\config\software.tmp.LOG
23/05/2006 15:38:30   H    1024 C:\WINDOWS\SYSTEM32\config\system.LOG
21/05/2006 00:39:54   H    1024 C:\WINDOWS\SYSTEM32\config\system.tmp.LOG
16/05/2006 11:47:00   H    1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
16/05/2006 13:45:00   S     341 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
16/05/2006 13:45:02   S     413 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
04/05/2006 20:02:32   S     574 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
13/04/2006 11:04:30   S     558 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
16/05/2006 13:45:00   S     126 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
16/05/2006 13:45:02   S      98 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
04/05/2006 20:02:32   S     136 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
13/04/2006 11:04:30   S     146 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
08/05/2006 23:10:30   H      81 C:\WINDOWS\SYSTEM32\GroupPolicy\Adm\admfiles.ini
05/05/2006 09:26:40  HS     388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\00fd92e9-9afc-4d54-8ccc-d62a6a96eddd
05/05/2006 09:26:40  HS      24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
09/05/2006 10:53:36   H   39579 C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\lxbcma.GID
16/05/2006 22:54:22   H       6 C:\WINDOWS\TASKS\SA.DAT

Checking for CPL files...
Microsoft Corporation   04/08/2004 01:56:58    68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation   04/08/2004 01:56:58   549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation   04/08/2004 02:05:44   110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Logitech Inc.           10/12/2002 18:30:54   114688 C:\WINDOWS\SYSTEM32\CamCpl.cpl
Microsoft Corporation   04/08/2004 01:56:58   135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation   04/08/2004 01:56:58    80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation   04/08/2004 01:56:58   155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation   04/08/2004 01:56:58   358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation   04/08/2004 01:56:58   129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation   04/08/2004 02:05:44   380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation   04/08/2004 01:56:58    68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.  10/11/2005 14:03:50    49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation   23/08/2001 13:00:00   187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation   04/08/2004 01:56:58   618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation   23/08/2001 13:00:00    35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation   04/08/2004 01:56:58    25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation   04/08/2004 01:56:58   257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation   23/08/2001 13:00:00    36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation   04/08/2004 01:56:58    32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation   04/08/2004 01:56:58   114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.    26/08/1996 02:12:00 R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc.    03/06/1999 19:11:20   229376 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation   04/08/2004 01:56:58   298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation   23/08/2001 13:00:00    28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation   04/08/2004 01:56:58    94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation   04/08/2004 01:56:58   148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation   26/05/2005 05:16:30   174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation   04/08/2004 01:56:58    68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation   04/08/2004 01:56:58   549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation   04/08/2004 01:56:58   135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation   04/08/2004 01:56:58    80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation   04/08/2004 01:56:58   155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation   04/08/2004 01:56:58   358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation   04/08/2004 01:56:58   129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation   04/08/2004 01:56:58    68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation   23/08/2001 13:00:00   187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation   04/08/2004 01:56:58   618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation   23/08/2001 13:00:00    35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation   04/08/2004 01:56:58    25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation   04/08/2004 01:56:58   257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation   23/08/2001 13:00:00    36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation   04/08/2004 01:56:58    32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation   04/08/2004 01:56:58   114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation   04/08/2004 01:56:58   155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation   04/08/2004 01:56:58   298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation   23/08/2001 13:00:00    28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation   04/08/2004 01:56:58    94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation   04/08/2004 01:56:58   148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation   26/05/2005 05:16:30   174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...
20/02/2006 15:43:06  HS      62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
Items found in C:\Documents and Settings\Abbie\Application Data\.googlewebacchosts
24/04/2006 13:24:40          143 C:\Documents and Settings\Abbie\Application Data\.googlewebacchosts
20/02/2006 15:43:06  HS      62 C:\Documents and Settings\Abbie\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
Maxthon =
IEAK =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{F4BF1657-195F-4A0F-ACA2-9AE99D65BC0E}
 = C:\Program Files\BullGuard Software\BullGuard\BGShellExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\bgshellext
{F4BF1657-195F-4A0F-ACA2-9AE99D65BC0E} = C:\Program Files\BullGuard Software\BullGuard\BGShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
 = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
 = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
 = %SystemRoot%\system32\SHELL32.dll

Last edited by tupenix; May 23rd, 2006 at 08:24 PM.
#12
Part 2.....
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
BullGuard "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
LexBceS 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccleaner
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccleaner
hkey HKCU
command "c:\documents and settings\abbie\my documents\ccleaner\ccleaner.exe" /AUTO
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccleaner
hkey HKCU
command "c:\documents and settings\abbie\my documents\ccleaner\ccleaner.exe" /AUTO
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostsMan
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hm
hkey HKLM
command C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hm
hkey HKLM
command C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpeedTouch USB Diagnostics
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Dragdiag
hkey HKLM
command "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Dragdiag
hkey HKLM
command "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Uniblue Quick Access
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qaccess
hkey HKCU
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qaccess
hkey HKCU
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 2
bootini 0
services 2
startup 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoRecentDocsMenu 0
NoFavoritesMenu 0
NoSMMyDocs 0
NoSMMyPictures 0
NoStartMenuMyMusic 0
NoRecentDocsHistory 0
NoRecentDocsNetHood 0
NoSMHelp 0
NoRun 0
NoInstrumentation 0
NoSimpleStartMenu 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoWindowsUpdate 0
NoRecentDocsMenu 0
NoFavoritesMenu 0
NoSMMyDocs 0
NoSMMyPictures 0
NoStartMenuMyMusic 0
NoRecentDocsHistory 0
ClearRecentDocsOnExit 0
NoRecentDocsNetHood 0
NoSMHelp 0
NoRun 0
NoUserNameInStartMenu 0
NoInstrumentation 0
NoStartMenuPinnedList 0
ForceStartMenuLogoff 0
NoSharedDocuments 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
NoFileSharing 0
NoFileSharingControl 0
NoPrintSharing 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate
DisableWindowsUpdateAccess 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} =
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon = WgaLogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 23/05/2006 18:38:50
#13
Hmmm, not sure. You have been misusing msconfig to disable startup items, which can cause system conflicts in themselves (as you don't know what functions rely on those). I see some that are simple enough to disable the startup from within the program, which is the preferred method. I also see unusual registry and hosts changes which for now I am assuming are related to the C:\WINDOWS\choice.exe file shown loaded. If I understand that right, it is part of Enough is Enough! - an anti-spam program? Also some Google web account hosts (?) that I have yet to find a good review on. I do not know if that software can also cause conflicts, though here choice.exe has been loaded since March. Consider those items, and I will check still on the HTA change.
#14
Do this check now as well please.
Go to Start > Run and type: cmd.exe and OK. Copy and paste the below string after the prompt >

dir /s /a "c:\MSHTA*.*" > c:\find.txt & start notepad c:\find.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
#15
Not sure I understand post #13. What is it exactly that you want me to do?

Are the hosts entries you mention because I use the custom MVPS hosts file (HostsMan)? And the registry entries to do with "tweaks" (RegScrub)? In msconfig, do you want me to enable all items? They are: ccleaner, hostsman, dragdiag, jusched and realsched. (Should I select Normal Startup?) Should I cancel my Google account? I think the choice.exe you refer to came with ie-spyad and I've never used it. (Wouldn't know how!)

Help! This morning I have had the "blue screen" come up twice. It says to disable a/v and backup, but I don't want to disable System Restore in case I need it! (I have disabled realtime a/v in BullGuard.) Here's some info that came up on the Blue Screen:

stop 0x00000024, 0x001902fe, 0xf72c43do, 0xf72c40cc, 0xf75a1fa2.
Ntfs.sys - address f75a1fa2 base at f757d000, date stamp 41107eea.

Meanwhile, here's the info re cmd.exe:

 Volume in drive C has no label.
 Volume Serial Number is 7C8F-288B

 Directory of c:\WINDOWS\SYSTEM32

04/08/2004  01:56            29,184 mshta.exe
               1 File(s)         29,184 bytes

 Directory of c:\WINDOWS\SYSTEM32\dllcache

04/08/2004  01:56            29,184 mshta.exe
               1 File(s)         29,184 bytes

     Total Files Listed:
               2 File(s)         58,368 bytes
               0 Dir(s)  14,075,217,408 bytes free

Last edited by tupenix; May 24th, 2006 at 10:23 AM.
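Added example, not part of the thread and not a tool either poster used: a small Python script that reads the `dir /s` listing asked for in #14 and posted in #15 and flags any copy of mshta.exe that sits outside System32 and its dllcache, or whose size differs from the System32 copy, which is the question the helper's check is meant to answer. The sample listing embedded below is constructed: it reproduces the two entries from #15 and adds a made-up third copy under C:\WINDOWS\Temp so the flagging path is exercised. The expected directories are the Windows XP defaults and are an assumption of the example.

```python
import re
from collections import namedtuple

# Constructed sample input: the two entries posted in reply #15, plus a
# made-up third copy under C:\WINDOWS\Temp so the flagging path is exercised.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 7C8F-288B

 Directory of c:\\WINDOWS\\SYSTEM32

04/08/2004  01:56            29,184 mshta.exe
               1 File(s)         29,184 bytes

 Directory of c:\\WINDOWS\\SYSTEM32\\dllcache

04/08/2004  01:56            29,184 mshta.exe
               1 File(s)         29,184 bytes

 Directory of c:\\WINDOWS\\Temp

19/05/2006  22:41            31,744 mshta.exe
               1 File(s)         31,744 bytes

     Total Files Listed:
               3 File(s)         90,112 bytes
               0 Dir(s)  14,075,217,408 bytes free
"""

Entry = namedtuple("Entry", "directory name size")

# "Directory of <path>" headers and "<date> <time> <size> <name>" rows as
# cmd.exe prints them (the time may carry AM/PM on 12-hour locales).
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}(?:\s?[AP]M)?)\s+([\d,]+)\s+(.+?)\s*$")

# Assumed Windows XP defaults: mshta.exe lives in System32, with a protected
# copy in dllcache. Paths are compared case-insensitively, as NTFS does.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache"}
REFERENCE_DIR = r"c:\windows\system32"


def parse_dir_output(text):
    """Turn `dir /s` output into Entry(directory, name, size-in-bytes) records."""
    entries = []
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            size = int(m.group(3).replace(",", ""))
            entries.append(Entry(current, m.group(4), size))
    return entries


def review_copies(entries, expected_dirs=EXPECTED_DIRS):
    """Return (entry, reason) pairs for copies outside the expected folders or
    whose size differs from the System32 copy of the same file name."""
    reference = {e.name.lower(): e.size for e in entries
                 if e.directory.lower() == REFERENCE_DIR}
    findings = []
    for e in entries:
        if e.directory.lower() not in expected_dirs:
            findings.append((e, "unexpected location"))
        elif e.name.lower() in reference and e.size != reference[e.name.lower()]:
            findings.append((e, "size differs from System32 copy"))
    return findings


if __name__ == "__main__":
    for entry, reason in review_copies(parse_dir_output(SAMPLE_DIR_OUTPUT)):
        print(f"{reason}: {entry.directory}\\{entry.name} ({entry.size} bytes)")
```

To use it on a real listing, read c:\find.txt into `parse_dir_output` instead of the sample; a clean XP machine yields the two expected entries and no findings, which is exactly what the listing in #15 shows. A size match is only a weak check, so anything flagged still needs to be looked at by hand.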