Web User Forums > Security > HijackThis logs help and analysis
#1  06-07-05, 04:43  milhouse247
viruses, spyware, probably both! please help!

I was looking up lyrics to a 50 Cent song (guilty pleasure) and must have inadvertently clicked on something that downloaded many viruses onto my computer. Since then I have gotten the Aurora popups, and AVG has been going crazy telling me about the infections. I tried running all of my antivirus programs and spyware stuff, but nothing seems to work. Any help would be greatly appreciated!

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:53 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\system32\hakukj.exe
C:\WINDOWS\system32\cioadmin.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ciaund.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nss25.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKLM\..\Run: [335f3Eg] cioadmin.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [gggait] c:\windows\system32\pxoncq.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [I0upROMtS] ciaund.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1118357720718
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0029.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe



Milhouse
#2  07-07-05, 13:02  John_McKenna (Global Moderator, England)
Re: viruses, spyware, probably both! please help!

Can you post a fresh HJT log please, Milhouse, so we can see what else you've contracted in the last 2 days since generating the log.

This is the fourth major infection you've had in the last 2 months.......

Time to look at your surfing habits, methinks. Your free credits are running out on Webuser ;)




My help is ALWAYS FREE but if you'd like to donate towards the fight against Spyware click here.

"Learn all there is to be learnt"
#3  07-07-05, 14:37  milhouse247
Re: viruses, spyware, probably both! please help!

Yeah, I know, this computer gets infected quite a bit. I guess that is what I get for having to share it with my little (17 year old) brother. So I can guess where these viruses are coming from. Any help would be appreciated. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:35:10 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hakukj.exe
C:\WINDOWS\system32\cioadmin.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ciaund.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nss25.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKLM\..\Run: [335f3Eg] cioadmin.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [gggait] c:\windows\system32\pxoncq.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [I0upROMtS] ciaund.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1118357720718
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0029.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe



#4  07-07-05, 20:19  John_McKenna (Global Moderator, England)
Re: viruses, spyware, probably both! please help!

Those pesky younger brothers......We'll address some suitable steps once you're clean.


Step 1

Configure Windows to and ensure you're familiar with rebooting into Safe Mode (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61).

Copy the below steps to notepad, close Internet Explorer and disconnect from the internet.


Step 2

I need you to disable some of that real time protection before beginning.

I'm not too familiar with Ewido's inner workings but you should be able to right click on the System Tray icon and select the relevant option to disable the trojan guard.


Please open Microsoft AntiSpyware.
- Click on Tools | Settings.
- In the left pane, click on Real-time Protection.
- Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
- After unchecking these, click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
You'll need to re-enable the above real-time protections after you get the all clear.


Step 3

Run HJT again and checkmark the boxes next to the following:-

O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nss25.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKLM\..\Run: [335f3Eg] cioadmin.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [gggait] c:\windows\system32\pxoncq.exe r
O4 - HKCU\..\Run: [I0upROMtS] ciaund.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0029.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked



Step 4

Please now reboot into Safe Mode.

Delete the following files and folder in bold:

C:\WINDOWS\system32\richedtr.dll
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\system32\hakukj.exe
C:\WINDOWS\system32\cioadmin.exe <--check in C:\Windows folder if not here
C:\WINDOWS\system32\ciaund.exe <--check in C:\Windows folder if not here
C:\WINDOWS\system32\pxoncq.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe

C:\Program Files\Cas <--folder



Step 5

Then click on Start | Run and type cleanmgr into the run box.
Make sure Temporary Files, Temporary Internet Files and Recycle Bin ONLY are checkmarked and click 'OK'.
Then click on Start | Run, and type %temp% and press the ok button.
This will open up the temp directory that your machine uses.
Please delete all files that are found there.


Step 6

While still in Safe Mode, open Ewido Security Suite.

- Click on Scanner
- Make sure the following boxes are checked before scanning:
-- Binder
-- Crypter
-- Archives
- Click on Start Scan
- Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

- Click Save report.
- Save the report to your desktop.

Warning: While the scan is in progress, do NOT open any folders or the Windows Control Panel !!


Step 7

Reboot and run an online virus scan at Kaspersky Online (http://www.kaspersky.com/beta?product=161744315).

* Save the scan log for posting please.


Step 8

Reboot once more and post a fresh HJT log, Ewido report and Kaspersky scan log.



#5  07-07-05, 22:15  milhouse247
Re: viruses, spyware, probably both! please help!

I couldn't find most of the files that you told me to delete. I looked in the system32 folder and even searched for them, but to no avail. I couldn't find these files:
C:\WINDOWS\system32\richedtr.dll
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\system32\cioadmin.exe <--check in C:\Windows folder if not here
C:\WINDOWS\system32\ciaund.exe <--check in C:\Windows folder if not here
C:\WINDOWS\system32\pxoncq.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe



Here are my many logs, in this order: HJT, ewido, kaspersky...

Logfile of HijackThis v1.99.1
Scan saved at 5:08:39 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\radc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1118357720718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:21:33 PM, 7/7/2005
+ Report-Checksum: 77E189D8

+ Date of database: 6/25/2005
+ Version of scan engine: v3.0

+ Duration: 33 min
+ Scanned Files: 33330
+ Speed: 16.76 Files/Second
+ Infected files: 14
+ Removed files: 14
+ Files put in quarantine: 14
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Kyle\Cookies\kyle@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@adremote.timeinc[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@adultchan[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@citi.bridgetrack[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@playboy[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kyle\Cookies\kyle@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-57989841-1979792683-725345543-1003\Dc25\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\RECYCLER\S-1-5-21-57989841-1979792683-725345543-1003\Dc25\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup


::Report End



-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, July 07, 2005 17:07:13
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/07/2005
Kaspersky Anti-Virus database records: 129707
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 35020
Number of viruses found: 12
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 2440 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\radc.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\WTUV8XYZ\AutoUpdaterInstaller[1].exe/data0000.bin Infected: Trojan-Downloader.Win32.Apropo.g
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\WTUV8XYZ\AutoUpdaterInstaller[1].exe/data0002.bin Infected: Trojan-Downloader.Win32.Apropo.u
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\WTUV8XYZ\AutoUpdaterInstaller[1].exe Infected: Trojan-Downloader.Win32.Apropo.u
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP14\A0002469.exe Infected: Trojan-Downloader.Win32.IstBar.jm
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP14\A0002478.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002538.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002559.exe Infected: Trojan-Downloader.Win32.Apropo.ac
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002560.exe Infected: Trojan-Downloader.Win32.Agent.ed
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002571.exe Infected: Trojan-Downloader.Win32.Apropo.ae
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002574.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002575.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002576.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002577.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002578.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002579.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002580.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002646.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002655.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP15\A0002666.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP16\A0010817.exe Infected: Trojan-Downloader.Win32.Apropo.ac
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP16\A0010818.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP16\A0010819.exe Infected: Trojan-Downloader.Win32.Agent.ed
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP16\A0010836.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{D67F8867-EB25-4D13-B6DD-C091B843492B}\RP2\A0000053.exe Infected: Trojan-Downloader.Win32.Apropo.ae
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen
C:\WINDOWS\system32\cxtpls_loader.exe Infected: Trojan-Downloader.Win32.Apropo.ae
C:\WINDOWS\system32\dacqcnc.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\system32\hakukj.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\system32\nkecepe.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\WINDOWS\system32\redit.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\WINDOWS\system32\wuqyq.dat Infected: Trojan-Downloader.Win32.Qoologic.u

Scan process completed.


#6  07-07-05, 22:21  John_McKenna (Global Moderator, England)
Re: viruses, spyware, probably both! please help!

Despite Ewido and KAV both picking up Qoologic trojans, they're still present in your HJT log.

Download rkfiles.zip from Safe Mode - Very Important !!
Double-click rkfiles.bat inside the folder.
It will scan for a while, so please be patient.
Wait until the DOS window closes and reboot back to normal mode.
It will generate a log file which can be located at C:\log.txt.
Post the contents of C:\log.txt in your next reply please.




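To make John's observation checkable rather than eyeballed, here is a small log-comparison script (an added example, not part of this thread or of HijackThis): it parses the entry lines of two HJT logs posted above, reports which entries were removed, which persisted and which are new, and cross-references the surviving O4 autostarts against the file names in the Kaspersky report. The log and report excerpts are copied from this thread; the regexes and function names are this example's own.

```python
import re

# Constructed excerpts copied from the HijackThis logs posted in this thread:
# LOG_BEFORE from the first log (post #1), LOG_AFTER from the latest (post #8).
LOG_BEFORE = r"""
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKLM\..\Run: [335f3Eg] cioadmin.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0029.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
# Constructed excerpt of the Kaspersky web-scanner report from post #5.
KAV_REPORT = r"""
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\radc.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\system32\hakukj.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\system32\redit.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
"""

# HJT entries start with a section code (R0, O2, O4, O16 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# An O4 entry names the launched program after "[name] ", quoted or bare.
O4_TARGET_RE = re.compile(r'^O4 - .*?: \[[^\]]*\] (?:"([^"]+)"|(\S+))')
# One Kaspersky result line: "<path> Infected: <detection name>".
KAV_LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")


def parse_hjt(text):
    """Map every R/F/O entry line in an HJT log to its section code."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = m.group("section")
    return entries


def diff_hjt(before, after):
    """Split entries into removed, persisted and new between two logs."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


def o4_executable(entry):
    """Lower-cased file name launched by an O4 Run entry, or None."""
    m = O4_TARGET_RE.match(entry)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    return path.rsplit("\\", 1)[-1].lower()


def parse_kav(report):
    """Map lower-cased file names in a Kaspersky report to detection names."""
    hits = {}
    for raw in report.splitlines():
        m = KAV_LINE_RE.match(raw.strip())
        if m:
            hits[m.group("path").rsplit("\\", 1)[-1].lower()] = m.group("name")
    return hits


def flagged_autostarts(after, report):
    """O4 entries still in the later log whose program the scanner reported infected."""
    hits = parse_kav(report)
    flagged = {}
    for entry, section in parse_hjt(after).items():
        exe = o4_executable(entry) if section == "O4" else None
        if exe in hits:
            flagged[entry] = hits[exe]
    return flagged


if __name__ == "__main__":
    for label, lines in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        print(f"{label} ({len(lines)}):")
        for line in lines:
            print("  " + line)
    for entry, name in flagged_autostarts(LOG_AFTER, KAV_REPORT).items():
        print(f"still autostarting despite detection as {name}: {entry}")
```

Run against the full logs in the thread, the `persisted` list is exactly what a helper checks before declaring a machine clean.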
#7  07-07-05, 22:52  milhouse247
Re: viruses, spyware, probably both! please help!

C:\Documents and Settings\Kyle\Desktop\Computer Programs\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


#8  13-07-05, 12:14  milhouse247
Re: viruses, spyware, probably both! please help!

Is there anything else I should be doing to fix my computer? It has been a while since I have heard from you. Hopefully everything is OK on your end. Here is my current HJT log, thanks.

Logfile of HijackThis v1.99.1
Scan saved at 7:11:01 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...mp;clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1118357720718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
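The O4 lines in the log above are HijackThis's view of the Run keys, and the thread is triaging them by eye: the value named KavSvc that launches hakukj.exe out of system32 is the kind of entry that gets flagged. As an added illustration, not part of this thread and not HijackThis's own code, here is a small Python parser that pulls O4 Run entries apart (value name, executable, arguments, with quoted and unquoted paths handled) and applies that same triage automatically. The sample log lines are constructed for this example, and the known-good list and the two heuristics (unknown binary autostarting straight from system32; bare filename resolved via the search path) are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in HijackThis v1.99.1 O4 format (entry shapes mirror the
# thread's logs; the lines themselves are made up for this example).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hakukj.exe reg_run
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


@dataclass
class RunEntry:
    hive: str   # HKLM or HKCU
    key: str    # Run, RunOnce, ...
    name: str   # value name shown in [brackets]
    exe: str    # executable as written in the value (quotes stripped)
    args: str   # rest of the command line


# Registry Run values only; Global Startup / Startup folder lines are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Either a double-quoted path, or an unquoted path ending at the first ".exe"
# (unquoted paths may contain spaces, as in "C:\Program Files\AIM\aim.exe").
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"(?:\s+(?P<qa>.*))?$|^(?P<u>.*?\.exe)(?:\s+(?P<ua>.*))?$',
    re.IGNORECASE,
)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable, arguments)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    if m.group("q") is not None:
        return m.group("q"), (m.group("qa") or "")
    return m.group("u"), (m.group("ua") or "")


def parse_o4_run(log_text: str) -> List[RunEntry]:
    """Extract every O4 registry Run entry from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        entries.append(RunEntry(m.group("hive"), m.group("key"), m.group("name"), exe, args))
    return entries


# Assumption for this example: binaries that legitimately autostart from
# %SystemRoot%\system32 on this kind of XP install. Extend per machine.
KNOWN_SYSTEM32_AUTOSTARTS = {"nerocheck.exe", "ctfmon.exe"}


def normalize_path(p: str) -> str:
    """Lower-case and collapse doubled backslashes (system32\\\\NeroCheck.exe)."""
    return re.sub(r"\\+", r"\\", p).lower()


def triage(entries: List[RunEntry]) -> List[str]:
    """Return one finding string per entry worth a closer look."""
    findings = []
    for e in entries:
        path = normalize_path(e.exe)
        where = f"{e.hive}\\..\\{e.key} [{e.name}]"
        if "\\" not in path:
            findings.append(
                f"{where}: bare filename {e.exe!r} is resolved via the search path; verify which copy runs"
            )
            continue
        parent, base = path.rsplit("\\", 1)
        if parent.endswith("\\system32") and base not in KNOWN_SYSTEM32_AUTOSTARTS:
            findings.append(
                f"{where}: unknown binary {e.exe} autostarting directly from system32 (args: {e.args or 'none'})"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_o4_run(SAMPLE_HJT_LOG)):
        print(finding)
```

On the sample this reports exactly two entries: the KavSvc value pointing at hakukj.exe, and SOUNDMAN.EXE because it is a bare filename. A match on the allowlist is not a clean bill of health (NeroCheck.exe is only trusted here because the list says so), so a real triage still checks the file's hash and signer.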
  #9  
Old 13-07-05, 13:51
John_McKenna John_McKenna is offline
Global Moderator
512Gbps
 
Join Date: Jan 2004
Location: England
Posts: 7,661
Re: viruses, spyware, probably both! please help!

Sorry Milhouse, the forum's been down for the last few days for an upgrade. Rkfiles revealed one hidden file that needs to go but I think there's more.

Download WinPFind.zip from here and extract it to your C:\ folder.
This will create a folder called WinPFind in the C:\ folder.
Important! Reboot in Safe Mode !!
Double-click WinPFind.exe inside c:\WinPFind to launch the program.
Then click on the Start Scan button and wait for it to finish.
This program will scan a large number of files on your computer for known patterns, so please be patient while it works; it can take a while, upwards of 30 minutes or more.
When it is done, it will show the results of the scan.
Click on the Copy to Clipboard button and then paste the contents of the log from your clipboard in your next reply.
  #10  
Old 13-07-05, 14:57
milhouse247 milhouse247 is offline
256Kbps
 
Join Date: May 2005
Posts: 53
Re: viruses, spyware, probably both! please help!

Here is the log you requested. Also, just out of curiosity, why did this forum get rid of the option to be emailed when a reply has been posted? That was very handy. But anyway, thanks for the help so far, and hopefully I can get out of your hair quickly.


WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

This scan can take 30 minutes or more depending on your operating system and the software installed. Please be patient while the scan completes.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! C:\WINDOWS\tsc.exe
UPX! C:\WINDOWS\RMAgentOutput.dll
UPX! C:\WINDOWS\vsapi32.dll
aspack C:\WINDOWS\vsapi32.dll
abetterinternet.com C:\WINDOWS\mnava.dll

Checking %System% folder...
PEC2 C:\WINDOWS\system32\DivX.dll
aspack C:\WINDOWS\system32\dacqcnc.exe
aspack C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\nkecepe.dll
aspack C:\WINDOWS\system32\ntdll.dll
aspack C:\WINDOWS\system32\supdate.dll
KavSvc C:\WINDOWS\system32\nkecepe.dll
KavSvc C:\WINDOWS\system32\supdate.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll
PECompact2 C:\WINDOWS\system32\MRT.exe
PECompact2 C:\WINDOWS\system32\DivX.dll
69.59.186.63 C:\WINDOWS\system32\nkecepe.dll
69.59.186.63 C:\WINDOWS\system32\supdate.dll
209.66.67.134 C:\WINDOWS\system32\nkecepe.dll
209.66.67.134 C:\WINDOWS\system32\supdate.dll
66.63.167.97 C:\WINDOWS\system32\supdate.dll
66.63.167.77 C:\WINDOWS\system32\supdate.dll

Checking %System%\Drivers folder and sub-folders...
UPX! C:\WINDOWS\system32\drivers\avg7core.sys
PTech C:\WINDOWS\system32\drivers\mtlstrm.sys
aspack C:\WINDOWS\system32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/4/2005 C:\WINDOWS\WindowsShell.Manifest
6/9/2005 C:\WINDOWS\Downloaded Program Files\desktop.ini
6/4/2005 C:\WINDOWS\Fonts\desktop.ini
6/9/2005 C:\WINDOWS\inf\oem1.inf
6/30/2005 C:\WINDOWS\inf\oem5.inf
7/13/2005 C:\WINDOWS\LastGood\INF\oem6.inf
7/13/2005 C:\WINDOWS\LastGood\INF\oem6.PNF
6/9/2005 C:\WINDOWS\Offline Web Pages\desktop.ini
6/4/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
6/4/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
6/4/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
6/9/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
6/9/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
6/4/2005 C:\WINDOWS\repair\ntuser.dat
6/4/2005 C:\WINDOWS\system32\cdplayer.exe.manifest
6/4/2005 C:\WINDOWS\system32\logonui.exe.manifest
6/4/2005 C:\WINDOWS\system32\ncpa.cpl.manifest
6/4/2005 C:\WINDOWS\system32\nwc.cpl.manifest
6/4/2005 C:\WINDOWS\system32\sapi.cpl.manifest
6/4/2005 C:\WINDOWS\system32\WindowsLogon.manifest
6/4/2005 C:\WINDOWS\system32\wuaucpl.cpl.manifest
7/13/2005 C:\WINDOWS\system32\config\default.LOG
7/13/2005 C:\WINDOWS\system32\config\SAM.LOG
7/13/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/13/2005 C:\WINDOWS\system32\config\software.LOG
7/13/2005 C:\WINDOWS\system32\config\system.LOG
6/4/2005 C:\WINDOWS\system32\config\TempKey.LOG
6/4/2005 C:\WINDOWS\system32\config\userdiff.LOG
7/13/2005 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HQBKDER\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CHM7O9QJ\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GDMF4X6R\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OX6FSXYV\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
6/4/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
6/9/2005 C:\WINDOWS\system32\GroupPolicy\Adm\admfiles.ini
6/9/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\25b8ad64-956d-4e13-b38e-0fa6ff13c46c
6/9/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\fc45e6dd-b5a4-41c3-8457-8a1415a72948
6/9/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/13/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers »»»»»»»»»»»»»»»»»»»»»»»
*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\mygkgngm
{5869373a-52fc-47cc-84cd-ec4df457f38b} = C:\WINDOWS\system32\ikrvr.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers »»»»»»
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
SoundMan SOUNDMAN.EXE
NeroCheck C:\WINDOWS\system32\\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
KavSvc C:\WINDOWS\system32\hakukj.exe reg_run
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
SoundMan SOUNDMAN.EXE
NeroCheck C:\WINDOWS\system32\\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
KavSvc C:\WINDOWS\system32\hakukj.exe reg_run
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
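The WinPFind output above tags files by the strings found inside them: packer markers (UPX!, aspack, PEC2, PECompact2), adware strings (abetterinternet.com, KavSvc, Umonitor) and embedded IPv4 addresses. As an added illustration, not part of this thread and not WinPFind's own code, here is a Python scanner that walks a directory and produces the same "tag path" style of report. The marker list is lifted from the tags in the log, but treating them as plain substring signatures, restricting the scan to files with an MZ header, and the sample files it writes to a temp directory are all this example's assumptions; the sample files are harmless byte strings, not real malware.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Markers taken from the tags WinPFind printed in the log above; treating them
# as simple substring signatures is this example's assumption, not WinPFind's
# documented method.
PACKER_MARKERS = [b"UPX!", b"aspack", b"PEC2", b"PECompact2"]
STRING_MARKERS = [b"abetterinternet.com", b"KavSvc", b"Umonitor"]
# Dotted quad not glued to other digits; the octet range is checked separately.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def scan_bytes(data: bytes) -> List[str]:
    """Return every marker found in the file contents, in a fixed order."""
    tags = [m.decode() for m in PACKER_MARKERS + STRING_MARKERS if m in data]
    for ip in IPV4_RE.findall(data):
        # 999.1.1.1 looks like a dotted quad but is not a valid address
        if all(int(octet) <= 255 for octet in ip.split(b".")):
            tags.append(ip.decode())
    return tags


def scan_dir(root: str) -> List[Tuple[str, str]]:
    """Walk root and tag PE files (MZ header) the way the log lists them."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not data.startswith(b"MZ"):
                continue  # assumption: only PE images are worth tagging
            hits.extend((tag, path) for tag in scan_bytes(data))
    return hits


def build_sample_dir() -> str:
    """Write constructed sample files (harmless byte strings) to a temp dir."""
    root = tempfile.mkdtemp(prefix="winpfind_demo_")
    samples = {
        "tsc.exe": b"MZ" + b"\x00" * 64 + b"UPX!" + b"\x00" * 16,
        "supdate.dll": b"MZ" + b"\x00" * 32 + b"aspack KavSvc http://69.59.186.63/ver=999.1.1.1",
        "notes.txt": b"UPX! 10.0.0.1 plain text, no MZ header, must be skipped",
        "clean.dll": b"MZ" + b"\x00" * 128,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for tag, path in scan_dir(build_sample_dir()):
        print(f"{tag:<14} {path}")
```

The tags are leads, not verdicts, which is exactly what the scanner's own header warns: in the log above the same packer markers land on avg7core.sys, ntdll.dll and MRT.exe, all of which belong on the machine. What makes supdate.dll and nkecepe.dll stand out is the combination of a packer, an adware string and hard-coded IP addresses in a file with no recognisable owner, and that still wants confirming with a hash or signature check before anything is deleted.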
© Copyright IPC Media Limited 2009, All rights reserved
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
© Copyright IPC Media Limited 2010, All rights reserved