hijackthis log

  1. #11
    Kizzmit5 (Elite Member)

    Re: hijackthis log

    If I remember right I did download it a while ago. I think it was a trial. I went in and deleted the items that you posted. Here are the scans.

    ********
    12:11 AM: | Start of Session, Thursday, November 17, 2005 |
    12:11 AM: Spy Sweeper started
    12:11 AM: Sweep initiated using definitions version 573
    12:11 AM: Starting Memory Sweep
    12:13 AM: Memory Sweep Complete, Elapsed Time: 00:01:43
    12:13 AM: Starting Registry Sweep
    12:13 AM: Found Adware: minigolf
    12:13 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/wildapp.dll\ (2 subtraces) (ID = 135051)
    12:13 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/minigolf_affiliate.exe\ (2 subtraces) (ID = 135052)
    12:13 AM: Found Adware: screensavers
    12:13 AM: HKLM\software\screensavers.com\ (11 subtraces) (ID = 140569)
    12:13 AM: Found Adware: wildmedia
    12:13 AM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)
    12:13 AM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)
    12:13 AM: Found Adware: starware cursorcafe
    12:13 AM: HKCR\clsid\{009506e8-8cad-4ca9-81d4-d815e7e4330a}\ (2 subtraces) (ID = 726747)
    12:13 AM: HKCR\clsid\{d099baaa-a587-4dfb-9b7e-f7ea0fc04355}\ (2 subtraces) (ID = 726762)
    12:13 AM: HKCR\clsid\{ef98af7b-1f54-4079-91bc-3996deaba45a}\ (2 subtraces) (ID = 726777)
    12:13 AM: HKLM\software\classes\clsid\{009506e8-8cad-4ca9-81d4-d815e7e4330a}\ (2 subtraces) (ID = 726847)
    12:13 AM: HKLM\software\classes\clsid\{d099baaa-a587-4dfb-9b7e-f7ea0fc04355}\ (2 subtraces) (ID = 726862)
    12:13 AM: HKLM\software\classes\clsid\{ef98af7b-1f54-4079-91bc-3996deaba45a}\ (2 subtraces) (ID = 726877)
    12:13 AM: HKU\S-1-5-21-205194252-4159373444-726239912-1005\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
    12:13 AM: Found Adware: sidesearch
    12:13 AM: HKU\S-1-5-21-205194252-4159373444-726239912-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
    12:13 AM: Registry Sweep Complete, Elapsed Time:00:00:11
    12:13 AM: Starting Cookie Sweep
    12:13 AM: Found Spy Cookie: 888 cookie
    12:13 AM: neda vargas@888[2].txt (ID = 2019)
    12:13 AM: Found Spy Cookie: reunion cookie
    12:13 AM: neda vargas@affiliates.reunion[1].txt (ID = 3256)
    12:13 AM: Found Spy Cookie: ask cookie
    12:13 AM: neda vargas@ask[2].txt (ID = 2245)
    12:13 AM: Found Spy Cookie: did-it cookie
    12:13 AM: neda vargas@did-it[1].txt (ID = 2523)
    12:13 AM: Found Spy Cookie: fe.lea.lycos.com cookie
    12:13 AM: neda vargas@fe.lea.lycos[1].txt (ID = 2660)
    12:13 AM: Found Spy Cookie: gostats cookie
    12:13 AM: neda vargas@gostats[1].txt (ID = 2747)
    12:13 AM: Found Spy Cookie: gotoast cookie
    12:13 AM: neda vargas@gotoast[2].txt (ID = 2751)
    12:13 AM: Found Spy Cookie: matchmaker cookie
    12:13 AM: neda vargas@oreo.matchmaker[1].txt (ID = 2956)
    12:13 AM: neda vargas@reunion[1].txt (ID = 3255)
    12:13 AM: Found Spy Cookie: rn11 cookie
    12:13 AM: neda vargas@rn11[2].txt (ID = 3261)
    12:13 AM: Found Spy Cookie: ic-live cookie
    12:13 AM: neda vargas@www.ic-live[1].txt (ID = 2822)
    12:13 AM: Found Spy Cookie: nextag cookie
    12:13 AM: neda vargas@www.nextag[2].txt (ID = 5015)
    12:13 AM: neda vargas@www.reunion[1].txt (ID = 3256)
    12:13 AM: Found Spy Cookie: web-stat cookie
    12:13 AM: neda vargas@www.web-stat[2].txt (ID = 3649)
    12:13 AM: Cookie Sweep Complete, Elapsed Time: 00:00:06
    12:13 AM: Starting File Sweep
    12:16 AM: Found Adware: ezula ilookup
    12:16 AM: woinstall.exe (ID = 60697)
    12:20 AM: backup-20040907-125027-417.inf (ID = 76065)
    12:31 AM: File Sweep Complete, Elapsed Time: 00:18:31
    12:31 AM: Full Sweep has completed. Elapsed time 00:20:36
    12:31 AM: Traces Found: 58
    12:33 AM: Removal process initiated
    12:33 AM: Quarantining All Traces: wildmedia
    12:33 AM: Quarantining All Traces: sidesearch
    12:33 AM: Quarantining All Traces: ezula ilookup
    12:33 AM: Quarantining All Traces: minigolf
    12:33 AM: Quarantining All Traces: screensavers
    12:33 AM: Quarantining All Traces: starware cursorcafe
    12:33 AM: Quarantining All Traces: 888 cookie
    12:33 AM: Quarantining All Traces: ask cookie
    12:33 AM: Quarantining All Traces: did-it cookie
    12:33 AM: Quarantining All Traces: fe.lea.lycos.com cookie
    12:33 AM: Quarantining All Traces: gostats cookie
    12:33 AM: Quarantining All Traces: gotoast cookie
    12:33 AM: Quarantining All Traces: ic-live cookie
    12:33 AM: Quarantining All Traces: matchmaker cookie
    12:33 AM: Quarantining All Traces: nextag cookie
    12:33 AM: Quarantining All Traces: reunion cookie
    12:33 AM: Quarantining All Traces: rn11 cookie
    12:33 AM: Quarantining All Traces: web-stat cookie
    12:33 AM: Removal process completed. Elapsed time 00:00:04
    ********
    12:09 AM: | Start of Session, Thursday, November 17, 2005 |
    12:09 AM: Spy Sweeper started
    12:10 AM: Your spyware definitions have been updated.
    12:11 AM: | End of Session, Thursday, November 17, 2005 |



    "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
    "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
    "ATIModeChange" = "Ati2mdxx.exe" [file not found]
    "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
    "Mouse Suite 98 Daemon" = "ICO.EXE" ["Primax Electronics Ltd."]
    "HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"]
    "ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
    "WinPatrol" = ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe" " ["BillP Studios"]
    "Versato" = "C:\Program Files\Magic Wheel\MulMouse.exe" [empty string]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    "SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
    {B62502B0-FFD0-40a9-908E-9EE4FC493EBF}\(Default) = "myVersion Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\VsiBar.dll" ["Velocity Services, Inc."]
    {CD292324-974F-4224-D074-CACA427AA030}\(Default) = "Neopets" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll" ["Velocity Services, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
    "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
    "{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Magic Wheel\CPDll.dll" ["WayTech Development, Inc."]
    "{8f7261d0-d2b9-11d2-9909-00605205b24c}" = "CuteFTP Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\CuteShell.dll" [empty string]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    "load" = (value not set)

    HKLM\System\CurrentControlSet\Control\Session Manager\
    INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.exe" [file not found], [MS], [file not found], [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]


  2. #12
    Neal (Dedicated Member)
    Silent Runners came up clean; Spy Sweeper quarantined everything it found.

    How is your computer running now?

    You can remove silentrunners now.

  3. #13
    Kizzmit5 (Elite Member)
    After I posted I scanned with Spybot and it found NewDotNet in HKEY_USERS? There are two of them. I tried to get rid of them but it still kept crashing the program. Do I have to go into safe mode for those?

    My windows are still dragging... am I describing it the right way? When I move the window it stretches or leaves trails. That is the same thing as dragging, right? Would NewDotNet cause all that, or is it not strong enough to do that?

    I really appreciate all your work on this. Do you still want me to remove Silent Runners?

  4. #14
    Neal (Dedicated Member)
    Try in safe mode; usually those things are registry clutter and harmless.

    As for your dragging problem, that may not be a virus problem; I dragged this window here and it was not smooth either.

    Did you install that xptheme program? I think you should uninstall that if you did; it came bundled with some adware.
    Last edited by Neal; 17-11-2005 at 10:20 PM.

  5. #15
    Kizzmit5 (Elite Member)
    I tried deleting in safe mode; I couldn't find it, and I had regedit search for it and still couldn't find it. I scanned with Spybot too in safe mode and asked it to fix it and it wouldn't do it. Here is the message I keep getting. How do I get it out of memory? I tried to run it at startup and it gives me the same message.



    OK, so it could be something else then? I just thought there was a problem because it wasn't doing it before and then it started dragging all of a sudden.

    I did install the theme program. Sorry, I forgot to add that to the last post. I have deleted it now. I looked for Silent Runners to uninstall and can't find it. Do you know how to do this?

    Thank you!

  6. #16
    Neal (Dedicated Member)
    Look in your Start menu programs or Add/Remove Programs for Silent Runners, or on the desktop.

    Look in Add/Remove Programs for Save Now, or just Save, or WhenUShop, and remove if there.

    Look for and delete these if found; they may have been left over from that theme thing you installed.

    From safe mode

    C:\Program Files\Sync.exe
    C:\Program Files\Uninst.exe
    C:\Program Files\/Save.exe

    Also:

    http://www.new.net/support/uninstall6_90.exe
    · Download and save uninstall6_90.exe to Local Disk C:
    · Click on Start.
    · Click on Run.
    · In the Open box type C:\uninstall6_76.exe
    · Click on the OK button.
    · After removal, you may be prompted to reboot. Please reboot if not prompted.


    Please post a new HJT log, with feedback.

  7. #17
    Kizzmit5 (Elite Member)
    I think I found Silent Runners. Was it just the files with .vbs at the end? I didn't see any other part of that program anywhere. I'm starting to think my computer is a huge black hole lol.

    I didn't find anything with Save Now or Save or WhenUShop anywhere. I didn't find the items in Program Files either. I downloaded and ran the uninstall. Is that New.net? It said it uninstalled it but Spybot still finds the two objects. When I click on the uninstall6_60, it didn't have anything to type in. Is it different for all computers?

    I don't notice any difference. Maybe it's a problem with power or something? It drags like it does in safe mode, and in safe mode there is less power, right?

    Well, here is the HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:19:47 AM, on 11/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Neda Vargas\Desktop\hijackthis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://neopets.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: myVersion Class - {B62502B0-FFD0-40a9-908E-9EE4FC493EBF} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
    O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O3 - Toolbar: Neopets - {AE8EF38E-64E0-472c-B9B4-E29643D152C1} - C:\WINDOWS\Downloaded Program Files\VsiBar.dll
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Versato] C:\Program Files\Magic Wheel\MulMouse.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: BINGOOO - {1DEF565C-31E7-427F-A39C-CAF9E1E5A9F2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.4.3...-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.3.3.3...-ob-assets.cab
    O16 - DPF: Big Shot Roulette TM by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.1.3...-ob-assets.cab
    O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
    O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
    O16 - DPF: EZ Win Bingo by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.3.3...-ob-assets.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
    O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.2...-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.3.2.3...-ob-assets.cab
    O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.0.4.37...-ob-assets.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.2...-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
    O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.2.2...-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.4.2.3...-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
    O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.4.2.3...-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.3...-ob-assets.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
    O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.4...-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.4.1.4...-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.3.4.4...-ob-assets.cab
    O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.1.5...-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.2...-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.3.3.2...-ob-assets.cab
    O16 - DPF: Video Poker by pogo - http://game1.pogo.com/applet-6.4.0.3...-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.3.4.6...-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.4.0.4...-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.0.3...-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.4.2.2...-ob-assets.cab
    O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/neoblue.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {AE8EF38E-64E0-472C-B9B4-E29643D152C1} (Neopets) - http://toolbar.neopets.com/getCab.aspx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral4.sel.sony.com/...ad/sonyctl.CAB
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
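Reading a log like the one above by eye is the whole job in this thread, so here is a small triage script as an added example; it is not part of the thread and not a HijackThis feature. It parses the `Oxx - ` entry lines and applies a few of the checks a helper applies when reading: an O2/O3 component loaded from `Downloaded Program Files` (a browser-delivered drop), a Run value with no full path (resolved through PATH at logon), an entry whose target is `(file missing)`, and, for O16, a CLSID typed by hand rather than generated. It also shows one caveat the posted log illustrates: HijackThis 1.99.x cuts a quoted service ImagePath that carries arguments at the first quote, which is why the VAIO O23 lines end in a stray `"`, the `/Service=` arguments and `(file missing)` even though `SSSvr.exe` and `sv_httpd.exe` appear in the running-process list above; that tag is a reason to check the real ImagePath, not evidence. The sample text is a constructed excerpt of the posted log (the `...` in the pogo URL is the forum's own truncation, kept as-is), and the tag names and the all-digit-CLSID rule are this example's assumptions.

```python
"""Triage heuristics over a HijackThis 1.99.x log (added example, not HJT code)."""
import re
from collections import Counter
from urllib.parse import urlparse

# One "O16 - ..." / "R0 - ..." entry line; header lines do not match.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")

# Constructed sample: lines taken from the log posted above, chosen to
# exercise each rule. Backslashes are doubled for the Python string.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\\Program Files\\SpywareGuard\\dlprotect.dll
O2 - BHO: myVersion Class - {B62502B0-FFD0-40a9-908E-9EE4FC493EBF} - C:\\WINDOWS\\Downloaded Program Files\\VsiBar.dll
O4 - HKLM\\..\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\\..\\Run: [SpySweeper] "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe" /startintray
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.4.2.3...-ob-assets.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://register.voiceglo.com/neoblue.cab
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\\Program Files\\Sony\\VAIO Media Music Server\\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
"""


def parse(log_text):
    """Return (code, body) pairs for every entry line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Apply the heuristics; returns (code, tag, body) findings in log order."""
    findings = []
    for code, body in entries:
        target = body.rsplit(" - ", 1)[-1]          # last field is the file or URL
        if "(file missing)" in body:
            if code == "O23" and '"' in target:
                # Quoted ImagePath with arguments, cut at the first quote by HJT:
                # the "(file missing)" is a display artifact, verify the real path.
                findings.append((code, "hjt_quote_artifact", body))
            else:
                findings.append((code, "dangling", body))
        if code in ("O2", "O3") and "downloaded program files" in target.lower():
            findings.append((code, "dpf_drop", body))
        if code == "O4":
            cmd = body.split("] ", 1)[-1]
            if not re.search(r"[A-Za-z]:\\", cmd):  # no drive letter: resolved via PATH
                findings.append((code, "bare_name", body))
        if code == "O16":
            m = CLSID_RE.search(body)
            # Assumed heuristic: a CLSID made only of decimal digits was typed by
            # hand rather than generated (real ones are random hex).
            if m and re.fullmatch(r"[0-9-]+", m.group(1)):
                findings.append((code, "suspicious_clsid", body))
    return findings


def dpf_hosts(entries):
    """Count O16 (Downloaded Program Files / ActiveX) entries per origin host."""
    hosts = Counter()
    for code, body in entries:
        if code == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname
            hosts[host or "?"] += 1
    return hosts


if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    for code, tag, body in triage(ents):
        print(f"{code:4} {tag:18} {body[:70]}")
    print(dict(dpf_hosts(ents)))
```

Run it over a full log and the `dpf_hosts` count is the quickest way to see that nearly every O16 line here is one origin (pogo.com game applets) and to spot the one-off hosts worth a closer look.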

  8. #18
    Neal (Dedicated Member)
    Hi,



    * Download finditnt2000xp.zip
    * Unzip the contents of finditnt2000xp.zip to a convenient location.
    * Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
    * A command prompt will open and it will search your computer for malicious files.
    * Once it has finished a Notepad window will pop up with output.txt.
    * Copy the entire contents of output.txt into your next post.
    * DON'T delete/modify any files yet


    Download http://www.bleepingcomputer.com/files/winpfind.php

    Extract WinPFind.zip to your c:\ folder.

    Reboot your computer into Safe Mode

    Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

  9. #19
    Kizzmit5 (Elite Member)
    Hi

    Here is the first item.



    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Neda Vargas\Desktop\Find It NT-2K-XP

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is A004-ACC6

    Directory of C:\WINDOWS\System32

    11/17/2005 06:34 AM 20,992 Thumbs.db
    06/22/2004 05:02 PM 508 KrwH5f.117
    04/17/2004 11:21 PM 434 MtyJ62.fg8
    12/03/2002 05:38 PM <DIR> Microsoft
    3 File(s) 21,934 bytes
    1 Dir(s) 4,122,873,856 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is A004-ACC6

    Directory of C:\WINDOWS\System32

    11/17/2005 06:34 AM 20,992 Thumbs.db
    06/22/2004 05:02 PM 508 KrwH5f.117
    04/17/2004 11:21 PM 434 MtyJ62.fg8
    12/03/2002 05:05 PM 488 WindowsLogon.manifest
    12/03/2002 05:05 PM 488 logonui.exe.manifest
    12/03/2002 05:05 PM 749 cdplayer.exe.manifest
    12/03/2002 05:05 PM 749 wuaucpl.cpl.manifest
    12/03/2002 05:05 PM 749 sapi.cpl.manifest
    12/03/2002 05:05 PM 749 ncpa.cpl.manifest
    12/03/2002 05:05 PM 749 nwc.cpl.manifest
    08/02/1999 04:11 PM 57,344 CGZipLibrary.dll
    12/02/1998 09:11 AM 143,360 Unzip32.dll
    01/31/1998 01:25 PM 133,120 zip32.dll
    13 File(s) 360,479 bytes
    0 Dir(s) 4,122,869,760 bytes free

    ------------ Files Named "Guard" ---------------

    Volume in drive C has no label.
    Volume Serial Number is A004-ACC6

    Directory of C:\WINDOWS\System32


    ------ Temp Files in System32 Directory ------

    Volume in drive C has no label.
    Volume Serial Number is A004-ACC6

    Directory of C:\WINDOWS\System32

    01/28/2005 12:44 PM 258,296 SET7.tmp
    01/28/2005 12:44 PM 224,768 SET28.tmp
    01/28/2005 12:44 PM 1,027,072 SET37.tmp
    01/28/2005 12:44 PM 3,371,008 SET86.tmp
    08/11/2004 12:45 AM 2,362,104 SET53.tmp
    08/11/2004 12:45 AM 150,016 SET44.tmp
    08/11/2004 12:45 AM 229,376 SET41.tmp
    08/11/2004 12:45 AM 253,688 SET21.tmp
    08/29/2002 04:00 AM 2,577 CONFIG.TMP
    9 File(s) 7,878,905 bytes
    0 Dir(s) 4,122,869,760 bytes free

    ------------------ User Agent ----------------


    ------------- Keys Under Notify -------------


    ------------- Locate.com Results -------------

    C:\WINDOWS\SYSTEM32\
    thumbs.db Thu Nov 17 2005 6:34:44a A.SH. 20,992 20.50 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 20,992 bytes 20.50 K

    -------- Strings.exe Qoologic Results --------


    --------- Strings.exe Aspack Results ---------

    C:\WINDOWS\system32\Cemetary Gates.scr: .aspack
    C:\WINDOWS\system32\MRT.exe: (ASPack)
    C:\WINDOWS\system32\MRT.exe: (AsPack2k)
    C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
    C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
    C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
    C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
    C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
    C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
    C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
    C:\WINDOWS\system32\MRT.exe: ASPack2000
    C:\WINDOWS\system32\MRT.exe: ASPack 1.61
    C:\WINDOWS\system32\MRT.exe: ASPack 1.084
    C:\WINDOWS\system32\MRT.exe: ASPack 1.083
    C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
    C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
    C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
    C:\WINDOWS\system32\MRT.exe: ASPack 1.02
    C:\WINDOWS\system32\MRT.exe: ASPACK
    C:\WINDOWS\system32\MRT.exe: aspACK
    C:\WINDOWS\system32\MRT.exe: aspACK
    C:\WINDOWS\system32\MRT.exe: aspACK
    C:\WINDOWS\system32\MRT.exe: aspACK
    C:\WINDOWS\system32\MRT.exe: aspACK
    C:\WINDOWS\system32\MRT.exe: aspACK
    C:\WINDOWS\system32\MRT.exe: aspACK
    C:\WINDOWS\system32\ntdll.dll: .aspack

    -------------- HKLM Run Key ----------------


    

  10. #20
    Kizzmit5 is offline Elite Member
    Here is the second

    It won't fit in one post and I couldn't figure out how to post it in a file.

    WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2800.1106

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...
    UPX! 08/21/2005 8:16:58 PM 405957898 C:\Program Files\42a02816
    PEC2 08/21/2005 8:16:58 PM 405957898 C:\Program Files\42a02816
    PEC2 07/31/2003 8:49:44 AM 11846936 C:\Program Files\animation shop.exe
    UPX! 09/07/2004 10:49:06 AM 160768 C:\Program Files\HijackThis.exe
    PECompact2 10/03/2005 10:28:42 PM 9017618 C:\Program Files\RhapsodyReal.exe
    UPX! 11/15/2005 2:19:34 AM 1232903 C:\Program Files\s_t_i_n_g_e_r.exe

    Checking %WinDir% folder...
    UPX! 12/22/2003 6:05:24 AM 41984 C:\WINDOWS\Clock Screen Saver.scr
    UPX! 03/26/2004 7:26:58 PM 459776 C:\WINDOWS\glophone.exe
    UPX! 03/26/2004 7:26:58 PM 89746 C:\WINDOWS\iaxclient.dll
    aspack 11/05/2001 11:04:54 AM 392053 C:\WINDOWS\ITSSNO~1.SCR
    PECompact2 11/13/2005 6:58:48 PM 16444251 C:\WINDOWS\lpt$vpn.943
    qoologic 11/13/2005 6:58:48 PM 16444251 C:\WINDOWS\lpt$vpn.943
    SAHAgent 11/13/2005 6:58:48 PM 16444251 C:\WINDOWS\lpt$vpn.943
    UPX! 05/14/2005 9:12:14 PM 78667 C:\WINDOWS\QWClockScreenSaverInstall101.exe
    UPX! 05/03/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
    UPX! 05/15/2005 10:45:38 PM 80384 C:\WINDOWS\Snowy.SCR
    aspack 08/16/2001 11:49:52 AM 333870 C:\WINDOWS\Sylvester And Tweety.scr
    UPX! 09/04/2005 12:40:22 AM 170053 C:\WINDOWS\tsc.exe
    PECompact2 11/13/2005 6:58:48 PM 16444251 C:\WINDOWS\VPTNFILE.943
    qoologic 11/13/2005 6:58:48 PM 16444251 C:\WINDOWS\VPTNFILE.943
    SAHAgent 11/13/2005 6:58:48 PM 16444251 C:\WINDOWS\VPTNFILE.943
    UPX! 09/04/2005 12:40:22 AM 1044560 C:\WINDOWS\vsapi32.dll
    aspack 09/04/2005 12:40:22 AM 1044560 C:\WINDOWS\vsapi32.dll

    Checking %System% folder...
    UPX! 03/26/2004 7:26:58 PM 222208 C:\WINDOWS\SYSTEM32\actskn43.ocx
    aspack 10/08/2004 11:30:50 AM 436150 C:\WINDOWS\SYSTEM32\Cemetary Gates.scr
    PEC2 08/29/2002 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 08/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
    PECompact2 11/01/2005 9:34:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 11/01/2005 9:34:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 08/03/2004 1136 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 08/03/2004 1144 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 08/29/2002 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

    Checking %System%\Drivers folder and sub-folders...
    UPX! 10/23/2005 3:13:56 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 10/23/2005 3:13:56 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 10/23/2005 3:13:56 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 10/23/2005 3:13:56 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PTech 08/03/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    11/20/2005 12:24:58 AM S 2048 C:\WINDOWS\bootstat.dat
    11/15/2005 750 AM H 54156 C:\WINDOWS\QTFont.qfn
    11/17/2005 6:35:54 AM HS 92672 C:\WINDOWS\Thumbs.db
    11/13/2005 11:35:12 PM HS 41472 C:\WINDOWS\Cursors\Thumbs.db
    11/13/2005 11:35:10 PM HS 15360 C:\WINDOWS\Cursors\Ghooost\Thumbs.db
    11/13/2005 11:35:10 PM HS 13824 C:\WINDOWS\Cursors\Oseaonic\Thumbs.db
    11/13/2005 11:35:10 PM HS 20992 C:\WINDOWS\Cursors\Steel Dagger\Thumbs.db
    11/13/2005 11:35:12 PM HS 23552 C:\WINDOWS\Cursors\WorldOfWarCraft\Thumbs.db
    11/13/2005 11:35:12 PM HS 26624 C:\WINDOWS\Cursors\WOW\Thumbs.db
    11/17/2005 6:34:38 AM HS 6656 C:\WINDOWS\Downloaded Program Files\Thumbs.db
    11/13/2005 11:32:12 PM HS 6144 C:\WINDOWS\Fonts\Thumbs.db
    11/19/2005 10:42:50 AM H 0 C:\WINDOWS\inf\oem19.inf
    11/17/2005 6:34:44 AM HS 20992 C:\WINDOWS\system32\Thumbs.db
    10/05/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
    09/28/2005 10:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
    11/20/2005 12:25:18 AM H 12288 C:\WINDOWS\system32\config\default.LOG
    11/20/2005 12:25:28 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    11/20/2005 12:25:00 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
    11/20/2005 12:40:02 AM H 90112 C:\WINDOWS\system32\config\software.LOG
    11/20/2005 12:25:06 AM H 1011712 C:\WINDOWS\system32\config\system.LOG
    11/08/2005 10:43:42 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
    10/06/2005 1:44:26 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c8f31c14-d9b2-45e0-8af4-03b5619f7698
    10/06/2005 1:44:26 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    11/20/2005 12:23:46 AM H 6 C:\WINDOWS\Tasks\SA.DAT
    11/13/2005 11:36:02 PM HS 12800 C:\WINDOWS\Web\Thumbs.db
    11/13/2005 11:36:02 PM HS 74752 C:\WINDOWS\Web\Wallpaper\Thumbs.db

    Checking for CPL files...
    Microsoft Corporation 08/03/2004 1158 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 08/03/2004 1158 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 08/03/2004 1158 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 08/03/2004 1158 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 08/03/2004 1158 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 08/03/2004 1158 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 08/03/2004 1158 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 08/03/2004 1158 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 08/03/2004 1158 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 08/03/2004 1158 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Microsoft Corporation 08/29/2002 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 08/03/2004 1158 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 08/29/2002 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 08/03/2004 1158 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 08/03/2004 1158 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 08/03/2004 1158 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 08/03/2004 1158 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Apple Computer, Inc. 07/27/2003 9:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
    Sony Corporation 08/06/2002 5:00:00 PM 53248 C:\WINDOWS\SYSTEM32\SNSetup.cpl
    Microsoft Corporation 08/03/2004 1158 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 08/29/2002 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 08/03/2004 1158 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Sony Corporation 12/04/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
    Microsoft Corporation 08/03/2004 1158 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 05/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    YAMAHA CORPORATION 09/18/2002 2:54:26 PM 249856 C:\WINDOWS\SYSTEM32\yacxgc.cpl
    Microsoft Corporation 05/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
    YAMAHA CORPORATION 09/18/2002 2:54:26 PM 249856 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\yacxgc.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    12/03/2002 5:07:40 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    12/03/2002 838 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...
    12/03/2002 5:07:40 PM HS 84 C:\Documents and Settings\Neda Vargas\Start Menu\Programs\Startup\desktop.ini
    09/07/2004 2:11:26 PM 650 C:\Documents and Settings\Neda Vargas\Start Menu\Programs\Startup\SpywareGuard.lnk

    Checking files in %USERPROFILE%\Application Data folder...
    12/03/2002 838 AM HS 62 C:\Documents and Settings\Neda Vargas\Application Data\desktop.ini
    11/09/2004 9:57:14 PM 0 C:\Documents and Settings\Neda Vargas\Application Data\dm.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    ESB{E85C2EEC-0D77-4E5D-98C5-BFB60504DC05} =
    ESB{7A1079AF-0067-4AA4-9C46-DB8269D84369} =
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
    {1E2CDF40-419B-11D2-A5A1-002018648BA7} =
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CuteFTP
    {8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\CuteShell.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
    {1E2CDF40-419B-11D2-A5A1-002018648BA7} =
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
    {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CuteFTP
    {8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\CuteShell.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
    SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B62502B0-FFD0-40a9-908E-9EE4FC493EBF}
    myVersion Class = C:\WINDOWS\Downloaded Program Files\VsiBar.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD292324-974F-4224-D074-CACA427AA030}
    Neopets = C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {AE8EF38E-64E0-472c-B9B4-E29643D152C1} = Neopets : C:\WINDOWS\Downloaded Program Files\VsiBar.dll
    {CD292324-974F-4224-D074-CACA427AA030} = Neopets : C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1DEF565C-31E7-427F-A39C-CAF9E1E5A9F2}
    ButtonText = BINGOOO :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
    MenuText = Uninstall BitDefender Online Scanner v8 :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
    ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
    ButtonText = MoneySide :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
    {AE8EF38E-64E0-472c-B9B4-E29643D152C1} = Neopets : C:\WINDOWS\Downloaded Program Files\VsiBar.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {CD292324-974F-4224-D074-CACA427AA030} = Neopets : C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
