Web User Forums > Security > HijackThis logs help and analysis
#1  19-09-05, 15:12
deki (Join Date: Sep 2005; Posts: 10)
Need dire help - win32 desktophijack

Hello everyone

As if I didn't already have enough problems with my computer, another one decides to worm in! A virus: win32.desktophijack. No idea how I got it, but I have tried everything. I followed the Norton site on how to repair it, but the thing is, Norton could not repair wininet.dll, nor could it be deleted, nor could I replace it with a healthy one from a friend's computer; trying to do it in DOS mode did not work. I know that a thread has already been created about the same virus, which is why I already have all the programs downloaded and ready to go.

Anyway, here is my log from HijackThis; I don't really know what most of it is trying to tell me. Help would be appreciated a lot! Also, I have XP Pro SP1 and I do not want to format! And my desktop is completely depressing: red background, and in a black box in the middle there is, in caps, 'Danger: Spyware' constantly flashing, then it says I should download razespyware... ugh.

Logfile of HijackThis v1.99.1
Scan saved at 8:13:42 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dejan & Aneta\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3567342-F52D-E42A-57ed-EDA392644311} - C:\WINDOWS\System32\msdocpy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.albasoul.com:8081/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://media.licenseacquisition.org/...ridge-c424.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126953879609
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {BE5A7132-329F-4319-B781-2A83BFE51534} - http://akamai.downloadv3.com/binarie...1045_EN_XP.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
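To show how the R3/O2/O16/O23 lines in a log like the one above are read, here is an added example (not code from the thread, from HijackThis, or from the forum): a small Python parser that splits a HijackThis 1.99 log into section entries and flags the ones an analyst would look at first. The sample log is a constructed subset of the log in post #1; the trusted-host allow-list and the flagging rules are this example's assumptions, not HijackThis behaviour.

```python
"""Triage a HijackThis 1.99.x log: parse section lines, flag the usual suspects.

Added example for this thread; not part of HijackThis or the forum. The
flagging rules and the trusted-host list are assumptions made here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis 1.99.1 log posted in the thread,
# kept verbatim so the rules below can be checked against known entries.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3567342-F52D-E42A-57ed-EDA392644311} - C:\WINDOWS\System32\msdocpy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: ConferenceRoom Java Client - http://irc.albasoul.com:8081/java/cr.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://media.licenseacquisition.org/...ridge-c424.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.cab
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HJT section lines: "R3 - ...", "O2 - BHO: <name> - {CLSID} - <path>",
# "O16 - DPF: {CLSID} (<name>) - <url>", "O23 - Service: <name> - <vendor> - <path>".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"https?://\S+")

# Hosts this example treats as well-known ActiveX/Java sources (assumption; tune per site).
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "symantec.com", "trendmicro.com")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Keep only the 'Xn - ...' section lines; the process list and header are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        c = CLSID_RE.search(m["body"])
        entries.append(Entry(m["section"], m["body"], c.group(0) if c else None))
    return entries


def _trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(text: str) -> List[Entry]:
    """Return the entries that merit a second look, each with the reason attached."""
    findings = []
    for e in parse_log(text):
        if e.section == "R3" and "is missing" in e.body:
            e.flags.append("default URLSearchHook removed; HJT can restore it")
        elif e.section == "O2" and e.body.startswith("BHO: (no name)"):
            e.flags.append("unnamed Browser Helper Object")
        elif e.section == "O16":
            m = URL_RE.search(e.body)
            host = urlparse(m.group(0)).hostname if m else None
            if host is None or not _trusted_host(host):
                e.flags.append(f"ActiveX/Java download from unrecognised host {host}")
        elif e.section == "O23" and "(file missing)" in e.body:
            e.flags.append("service binary missing on disk")
        if e.flags:
            findings.append(e)
    return findings


def report(text: str) -> str:
    lines = []
    for e in triage(text):
        lines.append(f"{e.section}: {'; '.join(e.flags)}")
        lines.append(f"    {e.body}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample it flags six entries: the missing URLSearchHook, the unnamed BHO in System32, three O16 downloads from hosts outside the allow-list (one of them a dialer .cab), and the service whose binary is gone. Entries from Adobe, Symantec, Trend Micro and Zone Labs pass through untouched, which is the point of keeping a vendor allow-list rather than flagging everything.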
#2  19-09-05, 19:45
bricat, Global Moderator (Join Date: Jun 2003; Location: belfast; Posts: 32,367)
Re: Need dire help - win32 desktophijack

Welcome to the Webuser forum.

Can you please post ALL of your log including the top piece
that tells us the version of HJT that you are using and your OS version.
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
#3  20-09-05, 08:26
deki (Join Date: Sep 2005; Posts: 10)
Re: Need dire help - win32 desktophijack

Ok done
#4  20-09-05, 11:16
bricat, Global Moderator (Join Date: Jun 2003; Location: belfast; Posts: 32,367)
Re: Need dire help - win32 desktophijack

Welcome to the Webuser forum.

Step 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download SmitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Download and install the trial version of Ewido Security Suite from here.
Configure the program correctly by following the instructions here and then close the program after updating the reference files.
Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions here.
Otherwise, check for updates and download any new reference files before closing the program. We'll use it in Safe Mode later.


Step 2

Next, please reboot your computer in Safe Mode - Very Important !!

Run HJT again and checkmark the boxes next to the following:-


R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A3567342-F52D-E42A-57ed-EDA392644311} - C:\WINDOWS\System32\msdocpy.dll


Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked


Step 3

Open the SmitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Step 4

Open Ad-aware and do a full system scan. Remove all it finds.

Step 5

Now open Ewido Security Suite:

Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.

Warning: While the scan is in progress, do NOT open any folders or the Windows Control Panel !!

Step 6

Next go to your Control Panel and click Display | Desktop | Customise Desktop | Website | Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, and do a full system scan.



Download WINPFIND.ZIP and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your next post.

Save the scan log and post it along with a new WINPFIND LOG and Ewido Log in your next reply to THIS thread. Let me know if any problems persist.
#5  20-09-05, 15:01
deki (Join Date: Sep 2005; Posts: 10)
Re: Need dire help - win32 desktophijack

Thanks a lot! So I've done all that; should it be removed? Or not yet?
About Panda ActiveScan: it found quite a few malicious files, but I wasn't given an option to remove them? I'll post the log file of that too.

Panda

Incident Status Location

Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\GLF9GLF9.EXE
Dialer:Dialer.BKJ No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\ICD1.tmp\internazionale_ver15.INF
Adware:adware/sahagent No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\isearchtech1007.sah
Adware:adware/adsmart No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\pi.sys
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\1FR7L9SE\jrfWfAlSogNjzKsjAid8[1].chm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\1FR7L9SE\VLlXm07Q5hg_f4PZ1onb[1].chm
Virus:Trj/Downloader.EVH Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\GP4NW70B\html[1].chm
Virus:Trj/Downloader.EVH Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\GP4NW70B\html[2].chm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\INYN6HYF\7KMff1blVEztCHtqPXlS[1].chm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\TKC31L4P\5mVCr8ueBfCe20Dd9U8g[1].chm
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\UBU7Y12V\CAAZG9IJ.HTM
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\UD07UHM5\mGdE1mrqaBIuKFWju4Tm[1].chm
Adware:adware/ncase No disinfected C:\temp\salmau.dat
Dialer:Dialer.B No disinfected C:\WINDOWS\Downloaded Program Files\EGAUTH.inf
Dialer:Dialer.BKJ No disinfected C:\WINDOWS\Downloaded Program Files\internazionale_ver15.INF
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\50CTKQC3\log[1].rar
Adware:adware/wupd No disinfected C:\WINDOWS\system32\ide21201.vxd
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\system32\oleext.dll
Adware:adware/searchforit No disinfected C:\WINDOWS\system32\SYSsfitb.dll
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\tsuninst.exe
Dialer:dialer.b No disinfected C:\WINDOWS\tmlpcert2005


EWIDO

HKLM\SOFTWARE\AKSoft -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\AKSoft\X-Tractor -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\salm -> Spyware.180Solutions : Cleaned with backup
[720] C:\WINDOWS\System32\birdihuy32.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@cz5.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@forum.statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@grandonline[2].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@www.grandonline[1].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.lq : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\PLOOHDHF.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\sahagent.exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\update.exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\H8ONPHWD\WinAntiVirus2005ProInstall[1].cab/UWA5PLP_0001_0721NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\UBU7Y12V\ysb_regular[1].cab/ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\ZF17BXWW\ibar[1].js -> TrojanDownloader.IstBar.ad : Cleaned with backup
C:\ied_s7.cab/ied_s7_c_28.exe -> TrojanDownloader.Mediket.r : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWA5PLP_0001_0721NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\system32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\birdihuy.dll -> Spyware.AdultStore : Cleaned with backup
C:\WINDOWS\system32\birdihuy32.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\50CTKQC3\sfbho13[1].dll -> Spyware.SideFind : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C5ABKHEF\istbar_mainstream[1].dll -> TrojanDownloader.IstBar.ge : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GDINOLQN\sidefind[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\msclock32.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\msfwe1.exe -> Trojan.MulDrop.1732 : Cleaned with backup


WinPFind

Checking %WinDir% folder...
PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 9/2/2004 12:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll
SAHAgent 5/5/2005 6:50:34 PM 35 C:\WINDOWS\SYSTEM32\bln02nqv.ini
PEC2 8/23/2001 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
SAHAgent 5/5/2005 8:27:18 PM 2907 C:\WINDOWS\SYSTEM32\gah95on6.ini
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
SAHAgent 9/10/2005 4:51:26 PM 35 C:\WINDOWS\SYSTEM32\ocsk4qja.ini
SAHAgent 9/10/2005 4:51:26 PM 35 C:\WINDOWS\SYSTEM32\ohrg6f6s.ini
UPX! 8/29/2002 3:41:18 AM 16384 C:\WINDOWS\SYSTEM32\oleext.dll
Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 9/10/2005 4:55:22 PM 3007 C:\WINDOWS\SYSTEM32\ur5qgss3.ini
winsync 8/23/2001 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/20/2005 10:58:40 PM S 2048 C:\WINDOWS\bootstat.dat
9/18/2005 12:37:00 PM H 54156 C:\WINDOWS\QTFont.qfn
7/28/2005 11:43:12 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
9/18/2005 11:04:22 AM H 0 C:\WINDOWS\inf\oem17.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.PNF
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.PNF
9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.inf
9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.PNF
9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.inf
9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.PNF
9/18/2005 11:04:22 AM H 0 C:\WINDOWS\LastGood\INF\oem17.inf
9/18/2005 11:04:24 AM H 0 C:\WINDOWS\LastGood\INF\oem17.PNF
9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.inf
9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.PNF
7/30/2005 3:09:42 PM HS 11690 C:\WINDOWS\system32\KGyGaAvL.sys
9/19/2005 3:36:02 PM RHS 12288 C:\WINDOWS\system32\shdocnv.dll
9/20/2005 10:59:08 PM H 948 C:\WINDOWS\system32\vsconfig.xml
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem16.CAT
9/20/2005 11:54:32 PM H 1024 C:\WINDOWS\system32\config\default.LOG
9/20/2005 10:58:42 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/20/2005 10:59:30 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/20/2005 11:53:28 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/20/2005 11:51:38 PM H 1024 C:\WINDOWS\system32\config\system.LOG
8/1/2005 7:17:14 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6c31e89a-7a94-443c-b6a5-d61ec4bced23
8/1/2005 7:17:14 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\CX_25203.CAT
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\CX_25203.CAT
9/20/2005 10:58:42 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 5/26/2003 5:12:14 AM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 10/3/2003 3:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/1/2005 7:13:40 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\desktop.ini
8/25/2005 7:09:00 PM 1536 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\LimeWire On Startup.lnk

Checking files in %USERPROFILE%\Application Data folder...
2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\Dejan & Aneta\Application Data\desktop.ini
8/15/2005 9:58:04 PM 24072 C:\Documents and Settings\Dejan & Aneta\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EncodeDivXExt
{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ATIPTA "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



OK, so after all that... I did another Ad-Aware smart scan, and still I get some malicious stuff, like 'Malware.Psguard', so does this mean not everything is entirely removed?? Coz I removed that desktop... also Norton still tells me I have the virus?? Something called World Antispy keeps on installing itself on my computer too.
  #6  
Old 20-09-05, 18:57
bricat bricat is offline
Global Moderator
256Tbps
 
Join Date: Jun 2003
Location: belfast
Posts: 32,367
Default Re: Need dire help - win32 desktophijack

Download Killbox from here.

Double-click killbox.exe on your desktop.
Select the option "Delete on reboot".
Now highlight and 'copy' the entire list of file paths below:

C:\WINDOWS\Downloaded Program Files\EGAUTH.inf
C:\WINDOWS\Downloaded Program Files\internazionale_ver15.INF
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\system32\SYSsfitb.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\tmlpcert2005
C:\WINDOWS\RMAgentOutput.dll
C:\WINDOWS\SYSTEM32\bln02nqv.ini
C:\WINDOWS\SYSTEM32\gah95on6.ini
C:\WINDOWS\SYSTEM32\ocsk4qja.ini
C:\WINDOWS\SYSTEM32\ohrg6f6s.ini
C:\WINDOWS\SYSTEM32\ur5qgss3.ini



Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.

Now you will see this is pasted in the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines should be there together!

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.
Click YES.

When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.



Then run the Panda scan again and post the log from it, and a fresh WinPFind log.
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
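Killbox's "Delete on reboot" works by queueing the pasted paths in the registry value that the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message above refers to, and the session manager applies the queue at the next boot. The following added example (not Killbox's or the forum's own code) decodes that value and checks the queued deletions against the pasted list before rebooting; it assumes the documented MoveFileEx layout (source/target string pairs, an empty target meaning delete, a leading "!" meaning replace an existing file) and uses a constructed sample value rather than a real dump.

```python
"""Decode and sanity-check the PendingFileRenameOperations registry value
that "delete on reboot" tools rely on. Added example, not Killbox's code.

Assumed layout (as documented for MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT):
a REG_MULTI_SZ of (source, target) pairs, paths in NT form (\??\C:\...),
an empty target meaning "delete at boot", and a leading "!" on the target
meaning MOVEFILE_REPLACE_EXISTING.
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"          # the \??\ object-manager prefix MoveFileEx writes
REG_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"  # under HKLM


@dataclass(frozen=True)
class PendingOp:
    source: str
    target: Optional[str]      # None: the source file is deleted at boot
    replace_existing: bool     # MOVEFILE_REPLACE_EXISTING, encoded as "!" prefix

    @property
    def kind(self) -> str:
        return "delete" if self.target is None else "rename"


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_multi_sz(entries: List[str]) -> bytes:
    """Build a raw REG_MULTI_SZ blob: each string NUL-terminated, UTF-16LE,
    with one extra NUL closing the list (used here to construct test data)."""
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Keeps empty strings, which this value uses
    as the "delete" marker even though ordinary MULTI_SZ data never does."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]                     # drop the list terminator
    if text in ("", "\x00"):
        return []
    parts = text.split("\x00")
    return parts[:-1] if parts[-1] == "" else parts   # last string's own NUL


def parse_pending_ops(entries: List[str]) -> List[PendingOp]:
    """Turn the MULTI_SZ string list into typed operations, in the order the
    session manager will apply them at the next boot."""
    if len(entries) % 2:
        raise ValueError(f"expected (source, target) pairs, got {len(entries)} strings")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(source=_strip_nt_prefix(src),
                             target=_strip_nt_prefix(dst) if dst else None,
                             replace_existing=replace))
    return ops


def missing_deletions(entries: List[str], expected: List[str]) -> List[str]:
    """Return the paths from `expected` (e.g. the list pasted into Killbox) that
    are NOT queued for deletion; Windows paths compare case-insensitively.
    An empty value while `expected` is non-empty is the "Removed by External
    Process" situation: something cleared the queue before the reboot."""
    queued = {op.source.lower() for op in parse_pending_ops(entries)
              if op.kind == "delete"}
    return [p for p in expected if p.lower() not in queued]


# Constructed sample: three paths from the Killbox list above, and a value as a
# delete-on-reboot tool would write it, plus one rename carrying the "!" flag
# to exercise that branch. Not a dump from the poster's machine.
KILLBOX_LIST = [
    r"C:\WINDOWS\system32\ide21201.vxd",
    r"C:\WINDOWS\system32\oleext.dll",
    r"C:\WINDOWS\SYSTEM32\bln02nqv.ini",
]
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\system32\ide21201.vxd", "",
    r"\??\C:\WINDOWS\system32\oleext.dll", "",
    r"\??\C:\WINDOWS\Temp\wininet.new", r"!\??\C:\WINDOWS\system32\wininet.dll",
]


def read_live_value() -> List[str]:
    """Read the real value on a Windows host (winreg is Windows-only);
    returns [] when the value is absent, i.e. nothing is queued."""
    import winreg  # local import so the module also loads on other platforms
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
        try:
            value, kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE_VALUE):
        flag = " (replace existing)" if op.replace_existing else ""
        print(f"{op.kind:6} {op.source} -> {op.target}{flag}")
    print("not queued:", missing_deletions(SAMPLE_VALUE, KILLBOX_LIST))
```

On the affected machine the check would be `missing_deletions(read_live_value(), KILLBOX_LIST)` run as an administrator after Killbox reports success and before the reboot.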
  #7  
Old 21-09-05, 05:19
deki deki is offline
256Kbps
 
Join Date: Sep 2005
Posts: 10
Default Re: Need dire help - win32 desktophijack

I did all that.... With Panda ActiveScan, I only scanned my C: drive because it always stops when I try to scan My Computer...

Panda log
Incident Status Location

Dialerialer.B No disinfected C:\!Submit\EGAUTH.inf
Dialerialer.BKJ No disinfected C:\!Submit\internazionale_ver15.INF
Adware:Adware/IST.ISTBar No disinfected C:\!Submit\tsuninst.exe
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\GLF9GLF9.EXE
Dialerialer.BKJ No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\ICD1.tmp\internazionale_ver15.INF
Adware:adware/sahagent No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\isearchtech1007.sah
Adware:adware/adsmart No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\pi.sys
Adware:adware/ncase No disinfected C:\temp\salmau.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\50CTKQC3\log[1].rar
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll

WinPFind

Checking %WinDir% folder...
PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 9/2/2004 12:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll
PEC2 8/23/2001 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/21/2005 12:36:26 PM S 2048 C:\WINDOWS\bootstat.dat
9/18/2005 12:37:00 PM H 54156 C:\WINDOWS\QTFont.qfn
7/28/2005 11:43:12 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
9/18/2005 11:04:22 AM H 0 C:\WINDOWS\inf\oem17.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.PNF
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.PNF
9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.inf
9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.PNF
9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.inf
9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.PNF
9/18/2005 11:04:22 AM H 0 C:\WINDOWS\LastGood\INF\oem17.inf
9/18/2005 11:04:24 AM H 0 C:\WINDOWS\LastGood\INF\oem17.PNF
9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.inf
9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.PNF
7/30/2005 3:09:42 PM HS 11690 C:\WINDOWS\system32\KGyGaAvL.sys
9/19/2005 3:36:02 PM RHS 12288 C:\WINDOWS\system32\shdocnv.dll
9/21/2005 12:36:56 PM H 948 C:\WINDOWS\system32\vsconfig.xml
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem16.CAT
9/21/2005 2:16:30 PM H 1024 C:\WINDOWS\system32\config\default.LOG
9/21/2005 12:36:28 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/21/2005 12:37:38 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/21/2005 2:16:54 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/21/2005 2:14:00 PM H 1024 C:\WINDOWS\system32\config\system.LOG
8/1/2005 7:17:14 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6c31e89a-7a94-443c-b6a5-d61ec4bced23
8/1/2005 7:17:14 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\CX_25203.CAT
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\CX_25203.CAT
9/21/2005 12:36:28 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 5/26/2003 5:12:14 AM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 10/3/2003 3:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/1/2005 7:13:40 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/21/2005 11:39:02 AM 0 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\think.lgo

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\desktop.ini
8/25/2005 7:09:00 PM 1536 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\LimeWire On Startup.lnk

Checking files in %USERPROFILE%\Application Data folder...
2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\Dejan & Aneta\Application Data\desktop.ini
8/15/2005 9:58:04 PM 24072 C:\Documents and Settings\Dejan & Aneta\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EncodeDivXExt
{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ATIPTA "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
Panda_cleaner_41898 C:\WINDOWS\System32\ActiveScan\pavdr.exe 41898

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



Btw, Norton still found the virus in my wininet.dll file; this time it showed them twice!
  #8  
Old 21-09-05, 11:21
bricat bricat is offline
Global Moderator
256Tbps
 
Join Date: Jun 2003
Location: belfast
Posts: 32,367
Default Re: Need dire help - win32 desktophijack

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.


Download CCLEANER

then run the scan under the Windows tab.


Then DEFRAG your C:\ drive, to help speed up your system.

Then let us know how the computer is running.
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
  #9  
Old 22-09-05, 13:41
deki deki is offline
256Kbps
 
Join Date: Sep 2005
Posts: 10
Default Re: Need dire help - win32 desktophijack

I did all that.
Norton hasn't given me any messages.... Ad-Aware found a Malware.Psguard though?? I get only one pop-up advertisement as opposed to the two.
Glad I did that defrag, everything looks great. Thanks a lot for your help, really appreciate it! *thumbs up*
  #10  
Old 22-09-05, 14:02
bricat bricat is offline
Global Moderator
256Tbps
 
Join Date: Jun 2003
Location: belfast
Posts: 32,367
Default Re: Need dire help - win32 desktophijack

If you are still getting psguard showing, delete the copy of SMITREM.ZIP that you d/loaded earlier and download it again from the same link; it was updated yesterday.

And run the smitrem.zip again in SAFE MODE.

Let us know how you go.
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
© Copyright IPC Media Limited 2009, All rights reserved
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.