BullGuard
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Undetectable virus - Non-Stop Pop-Ups
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > Undetectable virus - Non-Stop Pop-Ups  
Forum Quick Jump
 
New Topic Locked Topic Printable version of : Undetectable virus - Non-Stop Pop-Ups
[ << Previous Thread | Next Thread >> ]

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/2/2005 6:43 AM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Somebody please help????  IE is constantly opening up whenever I’m logged into the internet.  It goes to websites that automatically download more viruses, media players, toolbars etc.  The funny thing is that it does not appear in the task bar.  It has been going on for like 1 week now and my computer has been slowing down dramatically.  I run Spybot S&D + Tea Time, Ad-Aware, and Norton Anti Virus….I must of done about 10 full system scans in the last week…..I delete all items, but the pop-ups keep coming!  I’ve done like 4 system restores but the virus follows me through to the old restore point.   Does somebody know what this virus is called?  How come it is undetectable?  How did I get it?  Below is my HijackThis log, can somebody help me???
 
 
Logfile of HijackThis v1.99.1
Scan saved at 10:40:30 PM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\sp2update00.exe
C:\WINDOWS\system32\yloy\sdat.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\J.P. DeLuca\Desktop\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [sdat] C:\WINDOWS\system32\yloy\sdat.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122692227411
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C62EEC3F-D535-11D1-A663-006008AC53FC} (EngageTreeView Class) - http://cartman.engagenet.com/aem/Controls/EngageTree.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://secure.nypa.gov/secure/cds/CGC/en/CSGProxy.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\k862lijo18oc.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/2/2005 3:39 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Hey and welcome smile
 
 
 
 
Next, please reboot your computer in Safe Mode by doing the following:
Restart the computer.
 
As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.
You’ll be greeted by a black screen. Wait for it – something should appear in a minute or two...
 
 
 
Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it find, and when it says "done"
Click on the green screwdriver
File Types, put a checkmark in -  All Files
Actions. Adware, Dialers, Hacktools, use dropdown menu and select – Delete
Click – Apply and OK
Click on the drive you want to scan . A red dot will mark the selected drive(s) . Then hit the green  arrow in lower right corner It will now scan your  drive(s), say yes to all
 
Reboot
 
 
 
 
Please download L2mfix.exe:
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
From the l2mfix folder on your desktop  Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
 
IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!


Regards - Touch
 
Do not post your log file in a thread started by someone else.
Start a new topic.

Back to Top
 

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/3/2005 8:21 AM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Touch you’re the man!  Thanks for helping me out.  So I ran the scanner cureit in safe mode and now 4 hours later, I’m 183 files lighter.  5 were incurable???? I don’t understand why my Norton Anti Virus 2005, which is fully up to date, didn’t catch any of those b*stard files?  Should I get something else when my subscription is up?  What about the Spy Bot – Tea Timer which is supposed to prevent anything new from installing itself?  Is there a way from adding these 183 found files to a black list to prevent them from getting me again?
 
Anyway I rebooted in normal mode and there are still pop ups…..a lot less.  When I go to the Yahoo home page, I get re-routed to some Russian website called (newshot.ru).  My Spy Bot Tea Timer went nuts after the re boot and I said accept to al but it kept flashing because of my blacklist which kept blocking stuff eventually I shut it off.
 
So now ran the 12mfix log and here it is:
 
 
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g8lmli3118.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access   NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access   NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read          BUILTIN\Users
(ID-IO) ALLOW  Read          BUILTIN\Users
(ID-NI) ALLOW  Full access             BUILTIN\Administrators
(ID-IO) ALLOW  Full access             BUILTIN\Administrators
(ID-NI) ALLOW  Full access             NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access             NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access             CREATOR OWNER
 
 
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{18325B46-CD38-6FC3-521C-FBC1E88795CD}"=""
 
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
@=""
"{6af09ec9-b429-11d4-a1fb-0090960218cb}"="My Bluetooth Places"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{88A9ADAF-FC96-45BE-A6C1-0AA57C361CE3}"=""
"{FB112208-A094-4CDB-B6B4-49FA816C8ACF}"=""
 
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
 
[HKEY_CLASSES_ROOT\CLSID\{88A9ADAF-FC96-45BE-A6C1-0AA57C361CE3}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{88A9ADAF-FC96-45BE-A6C1-0AA57C361CE3}\Implemented Categories]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{88A9ADAF-FC96-45BE-A6C1-0AA57C361CE3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{88A9ADAF-FC96-45BE-A6C1-0AA57C361CE3}\InprocServer32]
@="C:\\WINDOWS\\system32\\mgjetoledb40.dll"
"ThreadingModel"="Apartment"
 
Windows Registry Editor Version 5.00
 
[HKEY_CLASSES_ROOT\CLSID\{FB112208-A094-4CDB-B6B4-49FA816C8ACF}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{FB112208-A094-4CDB-B6B4-49FA816C8ACF}\Implemented Categories]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{FB112208-A094-4CDB-B6B4-49FA816C8ACF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
 
[HKEY_CLASSES_ROOT\CLSID\{FB112208-A094-4CDB-B6B4-49FA816C8ACF}\InprocServer32]
@="C:\\WINDOWS\\system32\\SamRedir.dll"
"ThreadingModel"="Apartment"
 
**********************************************************************************
Files Found are not all bad files:
 
C:\WINDOWS\SYSTEM32\
   adwerkz.dll    Fri Oct 21 2005   3:05:50p  A....        184,320   180.00 K
   browseui.dll   Fri Sep  2 2005   6:52:04p  A....      1,019,904   996.00 K
   cdfview.dll    Fri Sep  2 2005   6:52:04p  A....        151,040   147.50 K
   cdosys.dll     Fri Sep  9 2005   8:53:42p  A....      2,067,968     1.97 M
   danim.dll      Fri Sep  2 2005   6:52:04p  A....      1,053,696     1.00 M
   dxtrans.dll    Fri Sep  2 2005   6:52:04p  A....        205,312   200.50 K
   extmgr.dll     Fri Sep  2 2005   6:52:04p  .....         55,808    54.50 K
   g840li~1.dll   Thu Nov  3 2005  12:02:10a  ..S.R        237,098   231.54 K
   g8lmli~1.dll   Wed Nov  2 2005   8:57:24p  ..S.R        236,349   230.81 K
   iepeers.dll    Fri Sep  2 2005   6:52:04p  A....        251,392   245.50 K
   inseng.dll     Fri Sep  2 2005   6:52:04p  A....         96,256    94.00 K
   jdoae.dll      Thu Nov  3 2005  12:03:52a  A....         10,240    10.00 K
   linkinfo.dll   Wed Aug 31 2005   8:41:54p  A....         19,968    19.50 K
   linkin~1.dll   Wed Aug 31 2005   8:49:30p  A....         16,384    16.00 K
   linkin~2.dll   Wed Aug 31 2005   8:49:30p  A....         16,384    16.00 K
   mshtml.dll     Tue Oct  4 2005   4:26:00p  A....      3,015,168     2.88 M
   mshtmled.dll   Fri Sep  2 2005   6:52:06p  A....        448,512   438.00 K
   msrating.dll   Fri Sep  2 2005   6:52:06p  A....        146,432   143.00 K
   mstime.dll     Fri Sep  2 2005   6:52:06p  A....        530,432   518.00 K
   msxml3a.dll    Tue Nov  1 2005   8:53:40p  A....         24,576    24.00 K
   netman.dll     Mon Aug 22 2005   1:29:46p  A....        197,632   193.00 K
   netman~2.dll   Mon Aug 22 2005   1:36:34p  A....        154,624   151.00 K
   netman~3.dll   Mon Aug 22 2005   1:36:34p  A....        154,624   151.00 K
   nsl33.dll      Sat Oct 22 2005   7:03:56a  A....        146,944   143.50 K
   nsw4a.dll      Fri Oct 21 2005   9:03:56p  A....        146,944   143.50 K
   pipnetsh.dll   Wed Nov  2 2005   8:59:10p  ..S.R        237,098   231.54 K
   pngfilt.dll    Fri Sep  2 2005   6:52:06p  A....         39,424    38.50 K
   qlink32.dll    Mon Sep 19 2005   3:24:20p  A....        200,704   196.00 K
   quartz.dll     Mon Aug 29 2005  10:54:26p  A....      1,287,168     1.23 M
   quartz~1.dll   Tue Aug 30 2005   8:14:00a  A....      1,227,776     1.17 M
   rastmon.dll    Tue Nov  1 2005   8:53:42p  A....        417,792   408.00 K
   samredir.dll   Thu Nov  3 2005  12:03:38a  .....        236,349   230.81 K
   sdksfsg.dll    Thu Nov  3 2005  12:03:52a  A....         46,080    45.00 K
   shdocvw.dll    Fri Sep  2 2005   6:52:06p  A....      1,483,776     1.41 M
   shell32.dll    Thu Sep 22 2005  10:05:30p  A....      8,450,560     8.06 M
   shell3~2.dll   Thu Sep 22 2005  10:27:32p  A....      8,348,672     7.96 M
   shell3~3.dll   Thu Sep 22 2005  10:27:32p  A....      8,348,672     7.96 M
   shell3~4.dll   Thu Sep 22 2005  10:27:32p  A....      8,348,672     7.96 M
   shlwapi.dll    Fri Sep  2 2005   6:52:06p  A....        473,600   462.50 K
   shlwap~2.dll   Wed Aug 31 2005   8:49:30p  A....        409,088   399.50 K
   shlwap~3.dll   Wed Aug 31 2005   8:49:30p  A....        409,088   399.50 K
   umpnpmgr.dll   Mon Aug 22 2005  10:35:42p  A....        123,392   120.50 K
   umpnpm~2.dll   Mon Aug 22 2005  10:51:10p  A....        111,104   108.50 K
   umpnpm~3.dll   Mon Aug 22 2005  10:51:10p  A....        111,104   108.50 K
   urlmon.dll     Fri Sep  2 2005   6:52:06p  A....        608,768   594.50 K
   urlmon~2.dll   Fri Sep  2 2005   2:19:16p  A....        457,216   446.50 K
   wininet.dll    Fri Sep  2 2005   6:52:06p  A....        658,432   643.00 K
   winsrv.dll     Wed Aug 31 2005   8:41:54p  A....        291,840   285.00 K
   wivowfax.dll   Thu Oct 27 2005  10:12:48p  A....         45,056    44.00 K
 
49 items found:  49 files (3 H/S), 0 directories.
   Total of file sizes:  52,959,438 bytes     50.50 M
Locate .tmp files:
 
C:\WINDOWS\SYSTEM32\
   guard.tmp      Thu Nov  3 2005  12:04:38a  ..S.R        236,349   230.81 K
 
1 item found:  1 file (1 H/S), 0 directories.
   Total of file sizes:  236,349 bytes    230.81 K
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 4A87-3376
 
 Directory of C:\WINDOWS\System32
 
11/03/2005  12:04 AM           236,349 guard.tmp
11/03/2005  12:02 AM           237,098 g840lihm184a.dll
11/02/2005  08:59 PM           237,098 pIpnetsh.dll
11/02/2005  08:57 PM           236,349 g8lmli3118.dll
10/25/2005  06:35 AM    <DIR>          dllcache
11/12/2003  07:14 PM    <DIR>          Microsoft
               4 File(s)        946,894 bytes
               2 Dir(s)  13,871,771,648 bytes free
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/3/2005 8:33 AM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
I´ll comment your questions when we have fixed your log-ok?;-)
Let´s disable Teatimer as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.
You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm



Download CWShredder: http://www.trendmicro.com/cwshredder/
Update it !!
From the l2mfix folder on your desktop, double click l2mfix.bat
Now select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear,
then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
If nothing happen after reboot open the l2mfix folder, doubleclick on Second Bat. then the fix should continue
Reboot, run cwshredder and L2m. option #2 again, I don´t need a log from this scan.
Reboot
Copy the contents of firstl l2m log and paste it back into this thread, along with a new hijackthis log.

 





Regards - Touch
 
Do not post your log file in a thread started by someone else.
Start a new topic.

Back to Top
 

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/4/2005 7:45 AM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
OK
Tea Timer is disabled.
The CW Shredder update gave me no confirmation and when I ran the “fix” it was quick and removed 2 files. 
After reboot I started getting this Run DLL Error, “An Exception occurred trying to run “c:\windows…….\mzvidctldll,” DLL Get Version”
 
Here is the L2Mfix log:
 
Setting Directory
C:\
C:\
System Rebooted!
 
Running From:
C:\
 
killing explorer and rundll32.exe
 
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea!!!!@beyondlogic.org
Killing PID 1256 'explorer.exe'
 
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Pea!!!!@beyondlogic.org
Killing PID 1268 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\m064lajq1doe.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pIpnetsh.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
deleting: C:\WINDOWS\system32\m064lajq1doe.dll 
Successfully Deleted: C:\WINDOWS\system32\m064lajq1doe.dll
deleting: C:\WINDOWS\system32\pIpnetsh.dll 
Successfully Deleted: C:\WINDOWS\system32\pIpnetsh.dll
deleting: C:\WINDOWS\system32\guard.tmp 
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
 
 
Zipping up files for submission:
  adding: m064lajq1doe.dll (104 bytes security) (deflated 5%)
  adding: pIpnetsh.dll (104 bytes security) (deflated 5%)
  adding: guard.tmp (104 bytes security) (deflated 5%)
  adding: clear.reg (104 bytes security) (deflated 22%)
  adding: asdf.txt (104 bytes security) (deflated 68%)
  adding: COMLOG.txt (104 bytes security) (stored 0%)
  adding: lo2.txt (104 bytes security) (deflated 66%)
  adding: test.txt (104 bytes security) (deflated 46%)
  adding: test2.txt (104 bytes security) (stored 0%)
  adding: test3.txt (104 bytes security) (stored 0%)
  adding: test5.txt (104 bytes security) (stored 0%)
  adding: xfind.txt (104 bytes security) (deflated 39%)
 
Restoring Registry Permissions:
 
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
 
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
 
 
Registry permissions set too:
 
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
 
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access   NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access   NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read          BUILTIN\Users
(ID-IO) ALLOW  Read          BUILTIN\Users
(ID-NI) ALLOW  Full access             BUILTIN\Administrators
(ID-IO) ALLOW  Full access             BUILTIN\Administrators
(ID-NI) ALLOW  Full access             NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access             NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access             CREATOR OWNER
 
 
Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
Restoring Windows Update Certificates.:
 
deleting local copy: m064lajq1doe.dll  
deleting local copy: pIpnetsh.dll  
deleting local copy: guard.tmp  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
 
 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\m064lajq1doe.dll
C:\WINDOWS\system32\pIpnetsh.dll
C:\WINDOWS\system32\guard.tmp
 
Registry Entries that were Deleted:
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FB112208-A094-4CDB-B6B4-49FA816C8ACF}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FB112208-A094-4CDB-B6B4-49FA816C8ACF}]
REGEDIT4
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
 
Here is the hijackthis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 11:40:26 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\J.P. DeLuca\Desktop\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [sdat] C:\WINDOWS\system32\yloy\sdat.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lk4pss.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ndpa.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122692227411
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C62EEC3F-D535-11D1-A663-006008AC53FC} (EngageTreeView Class) - http://cartman.engagenet.com/aem/Controls/EngageTree.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://secure.nypa.gov/secure/cds/CGC/en/CSGProxy.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/4/2005 7:50 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Trusted Zone removal:
Right click http://mvps.org/winhelp2002/DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf.
Please save the file somewhere you can find it like on the desktop.
To run the inf file, right click on it and select Install.
 
 
Please go offline
 
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked.
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O4 - HKLM\..\Run: [sdat] C:\WINDOWS\system32\yloy\sdat.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lk4pss.exe reg_run
O4 - Global Startup: ndpa.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe


 
 
 
Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message.
To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
 
 
Delete the following files or folders (delete item in bold). Please do not be concerned if
any of the items are not found as they may have been automatically removed by actions I had
you take earlier in the cleaning process.
 

Open Folder Options in Controlpanel >view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Delete:
Files:
C:\WINDOWS\system32\lk4pss.exe
 
Folders:
C:\WINDOWS\system32\yloy\sdat.exe
 

Next go to Start- Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
And delete:
ndpa.exe
 
 
Reboot, post new log and tell how things are running
 


Regards - Touch
 
Do not post your log file in a thread started by someone else.
Start a new topic.

Back to Top
 

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/5/2005 6:42 AM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Touch,
I deleted most of what you said but could not find the following:
O4 - Global Startup: ndpa.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
 
While in safe mode…..
The file C:windows\system32\lk4pss.exe could not be deleted because it was write protected or being used.
 
Could not find ndpa.exe
 
The popups are far less frequent like 1 every 10 minutes, also I’m not at 100% speed….
 
Here is the latest Hijackthis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 10:03:55 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\J.P. DeLuca\Desktop\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lk4pss.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122692227411
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C62EEC3F-D535-11D1-A663-006008AC53FC} (EngageTreeView Class) - http://cartman.engagenet.com/aem/Controls/EngageTree.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://secure.nypa.gov/secure/cds/CGC/en/CSGProxy.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/5/2005 11:42 AM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
 
Download the trial version of Ewido Security Suite from here and save it to your Desktop.
When the download has finished, locate ewido-setup.exe and double click it to begin installation.
**If you already have Ewido installed, update it and go to 2)**

In the 'Additional Options' window, uncheck both:
'Install required for automatic updates (background guard)' and
'Install scan via context menu'.

When installation is complete, you will need to update Ewido to the latest definition files.
To do this:
Double click the Ewido Desktop icon.
In the main screen, on the left hand side, click Update.
In the following screen, click Start Update

A progress bar will show how the update is going. When it has finished updating, close it. 


 2) Download Trackqoo.zip from here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.

You should now see the contents of the Trackqoo folder - Track qoo 1.vbs
Close it - you will need it later.


3) Download WinPFind.zip from
here and save it to your Desktop.
You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

You should now see a window with the WinPFind folder in it.
Close it - you will need it later.


 
1) Boot into Safe Mode.
 
2) Run Ewido.
Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK.
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close ewido security suite.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

3) Go to Start > Run, enter %temp% and click on OK
Delete all the files that you find there.

4) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

5) Open the Trackqoo folder and double click Track qoo 1.vbs to run it, and OK it with any real-time protection you have running.
It will produce a text file called Report.txt that will be saved into the Trackqoo folder.
Please post this file.

6) Open the WinPFind folder and double click winpfind.exe.
Click on 'Start Scan'.
When the scan has completed, copy and paste the results into your next reply.

7) Boot into Normal Mode.


Post a new HJT log (run in Normal Mode), the Ewido log, the results of both the above scans and tell how your computer are behaving


Regards - Touch
 
Do not post your log file in a thread started by someone else.
Start a new topic.

Back to Top
 

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/7/2005 6:46 AM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Touch,
It appears the popups are gone, as I had not had one and I’ve been surfing safe websites for about an hour now!


Here is the Ewido report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:32:09 PM, 11/6/2005
+ Report-Checksum: 681E6B82

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-733184280-2994884863-530001187-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-733184280-2994884863-530001187-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-733184280-2994884863-530001187-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-733184280-2994884863-530001187-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-21-733184280-2994884863-530001187-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
C:\backup.zip/m064lajq1doe.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/pIpnetsh.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\contextplus.exe -> Trojan.Crypt.t : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ndpa.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@ad.yieldmanager.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@ads.addynamix.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@ads.pointroll.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@bluestreak.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@citi.bridgetrack.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@image.masterstats.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@microsofteup.112.2o7.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@paypopup.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@popunder.paypopup.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@questionmarket.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@serving-sys.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@www.burstbeacon.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Cookies\j.p. deluca@z1.adserver.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@ad.yieldmanager.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@adopt.specificclick.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@ads.pointroll.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@com.txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@paypopup.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@popunder.paypopup.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@questionmarket.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@trafficmp.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@yieldmanager.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Cookies\j.p. deluca@z1.adserver.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\Temporary Internet Files\Content.IE5\WVO3MDM1\drsmartload_js.htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temp\uninstall.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\A1N898R2\WFI.cab/UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\HW95NX93\drsmartload_js.htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\HW95NX93\prompt.htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\JACRVD41\ysb_website.cab/YSBactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\NVHF7TWW\power_remove.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\PLZCXE87\contextplus.exe -> Trojan.Crypt.t : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\PLZCXE87\popcaploader_v6.cab/PopCapLoader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\Q55MJY98\ysb_prompt.htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\SBXBAMFH\search.htm -> TrojanDownloader.IstBar.u : Cleaned with backup
C:\Documents and Settings\J.P. DeLuca\Local Settings\Temporary Internet Files\Content.IE5\YTDIFMTG\0006_cracks.cab/ISTactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@sales.liveperson.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@www.burstbeacon.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Visitor\Cookies\visitor@www.myaffiliateprogram.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Program Files\Common Files\Download\freeprodtb.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Download\mc-110-12-0000122.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq107(2).tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11D.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11E.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11F.tmp -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> Spyware.Cookie.Ad-logics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq200.tmp -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq201.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq202.tmp -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq203.tmp -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq204.tmp -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq206.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq217.tmp -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq220.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq221.tmp -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> Spyware.Cookie.Bluemountain : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> Spyware.Cookie.Bluemountain : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26B.tmp -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26E.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26F.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq270.tmp -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5E.tmp -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq624.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75E.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75F.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq760.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq762.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq763.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq764.tmp -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq79.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7A.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7B.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7C.tmp -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7E.tmp -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq97(2).tmp -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq98(2).tmp -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\RECYCLER\NPROTECT\00005173.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005210.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005211.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005212.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005214.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005289.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005293.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00005295.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005296.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005307.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005310.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005311.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005313.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005448.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005455.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00005458.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00005461.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\elitemediapop.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\system32\bcradmo.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\jdoae.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\lk4pss.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\pqbuw.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\rastmon.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\sdksfsg.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@2o7.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@ad.yieldmanager.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@ad.yieldmanager.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@adopt.specificclick.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@ads.addynamix.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@as-eu.falkag.txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@as1.falkag.txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@tradedoubler.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@trafficmp.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@yieldmanager.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\j.p. deluca@z1.adserver.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\056ZK9I3\launcher.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KH6JGLIB\zqactx1.exe -> Trojan.VB.aeq : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OL2FOLEF\freeprodtb.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WT6B4PUV\elitemediapop.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\Temp\zqactx1.exe -> Trojan.VB.aeq : Cleaned with backup


::Report End


Here is the Trackqoo report:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- fgtymxqt
{3b57ad1d-7d42-4417-b88d-7d5d83d55c1c}
C:\WINDOWS\system32\jdoae.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
==============================
C:\Documents and Settings\J.P. DeLuca\Start Menu\Programs\Startup

desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
ADPanel.cpl Iomega Corporation
appwiz(2).cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
btcpl.cpl WIDCOMM, Inc.
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wtcpl.cpl WildTangent, Inc.
wuaucpl.cpl Microsoft Corporation


Here is the WinPFind report:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
ad-w-a-r-e.com 11/1/2005 8:49:02 PM 747068 C:\WINDOWS\setupapi.log

Checking %System% folder...
PEC2 3/30/2003 9:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 7/7/2005 9:31:32 PM 398742 C:\WINDOWS\SYSTEM32\Jqdlovk1.xml
PTech 7/12/2005 5:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 10/2/2005 6:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/2/2005 6:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
FSG! 8/4/2005 10:26:44 PM 398742 C:\WINDOWS\SYSTEM32\Nnufvzk1.xml
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 5/16/2002 5:12:30 PM 117248 C:\WINDOWS\SYSTEM32\SKCL.dll
FSG! 2/12/2005 8:29:24 PM 398742 C:\WINDOWS\SYSTEM32\Tqjuiak1.xml
winsync 3/30/2003 9:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
FSG! 7/7/2005 11:12:58 PM 398742 C:\WINDOWS\SYSTEM32\Ztyeghk1.xml

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

qoologic 11/3/2005 11:19:50 PM 2207 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak
urllogic 11/3/2005 11:19:50 PM 2207 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.bak

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/6/2005 5:51:22 PM S 2048 C:\WINDOWS\bootstat.dat
11/6/2005 5:49:54 PM H 24 C:\WINDOWS\pvHxa
10/24/2005 4:02:40 AM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_66.cab
10/4/2005 8:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 6:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
11/6/2005 7:24:32 PM H 28672 C:\WINDOWS\system32\config\default.LOG
11/6/2005 5:52:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/6/2005 5:51:24 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
11/6/2005 7:39:08 PM H 258048 C:\WINDOWS\system32\config\software.LOG
11/6/2005 5:52:14 PM H 1208320 C:\WINDOWS\system32\config\system.LOG
10/25/2005 11:56:56 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/24/2005 11:43:00 PM S 6429 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
10/24/2005 11:42:46 PM S 17881 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
10/24/2005 11:43:00 PM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
10/24/2005 11:42:46 PM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
10/6/2005 12:17:02 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0cd202bd-53a9-4a9e-8bc3-9ef08538c5ab
10/6/2005 12:17:02 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
11/6/2005 5:50:20 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Iomega Corporation 9/24/2002 4:44:10 PM 151552 C:\WINDOWS\SYSTEM32\ADPanel.cpl
Microsoft Corporation 3/30/2003 9:00:00 PM 578560 C:\WINDOWS\SYSTEM32\appwiz(2).cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
WIDCOMM, Inc. 9/12/2003 10:43:12 AM 245819 C:\WINDOWS\SYSTEM32\btcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/12/2003 7:31:00 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/30/2003 9:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/30/2003 9:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 1:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/30/2003 9:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
WildTangent, Inc. 3/12/2004 2:53:44 PM 45056 C:\WINDOWS\SYSTEM32\wtcpl.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/30/2003 9:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/30/2003 9:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/16/2003 8:09:48 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/16/2003 1:00:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
2/16/2004 8:51:42 PM 11 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
11/12/2003 8:00:02 PM 237 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
7/16/2003 8:09:48 AM HS 84 C:\Documents and Settings\J.P. DeLuca\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
7/16/2003 1:00:28 AM HS 62 C:\Documents and Settings\J.P. DeLuca\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgtymxqt
{3b57ad1d-7d42-4417-b88d-7d5d83d55c1c} = C:\WINDOWS\system32\jdoae.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CCA281CA-C863-46ef-9331-5C8D4460577F}
ButtonText = @btrez.dll,-4015 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Apoint C:\Program Files\Apoint2K\Apoint.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Cpqset C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
cmdService 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ndpa.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ndpa.exe
backup C:\WINDOWS\pss\ndpa.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ndpa.exe
item ndpa
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ndpa.exe
backup C:\WINDOWS\pss\ndpa.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ndpa.exe
item ndpa

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ACTX1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item actx1
hkey HKLM
command C:\WINDOWS\system32\actx1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item actx1
hkey HKLM
command C:\WINDOWS\system32\actx1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\actx1.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item actx1
hkey HKCU
command C:\WINDOWS\system32\actx1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item actx1
hkey HKCU
command C:\WINDOWS\system32\actx1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ADUserMon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ADUserMon
hkey HKLM
command C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ADUserMon
hkey HKLM
command C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AnyDVD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AnyDVD
hkey HKLM
command "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AnyDVD
hkey HKLM
command "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CamMonitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpqcmon
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpqcmon
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CEWcbe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ttlijtte
hkey HKLM
command C:\WINDOWS\ttlijtte.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ttlijtte
hkey HKLM
command C:\WINDOWS\ttlijtte.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CloneCDTray
hkey HKLM
command "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CloneCDTray
hkey HKLM
command "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Contextual Tool
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ZQInContextactx1
hkey HKLM
command C:\WINDOWS\system32\ZQInContextactx1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ZQInContextactx1
hkey HKLM
command C:\WINDOWS\system32\ZQInContextactx1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Deskup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item deskup
hkey HKLM
command C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item deskup
hkey HKLM
command C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eabconfg.cpl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EabServr
hkey HKLM
command C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EabServr
hkey HKLM
command C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\elitemedia
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item elitemediapop
hkey HKLM
command C:\WINDOWS\elitemediapop.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item elitemediapop
hkey HKLM
command C:\WINDOWS\elitemediapop.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eltgdps4.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eltgdps4
hkey HKCU
command C:\WINDOWS\system32\eltgdps4.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eltgdps4
hkey HKCU
command C:\WINDOWS\system32\eltgdps4.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fran-super.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fran-super
hkey HKCU
command C:\WINDOWS\system32\fran-super.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fran-super
hkey HKCU
command C:\WINDOWS\system32\fran-super.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\installer.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item installer
hkey HKCU
command C:\WINDOWS\system32\installer.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item installer
hkey HKCU
command C:\WINDOWS\system32\installer.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Optimizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Iomega Drive Icons
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ImgIcon
hkey HKLM
command C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ImgIcon
hkey HKLM
command C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\irassync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item irasyncd
hkey HKCU
command C:\WINDOWS\system32\irasyncd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item irasyncd
hkey HKCU
command C:\WINDOWS\system32\irasyncd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IST Service
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item istsvc
hkey HKLM
command C:\Program Files\ISTsvc\istsvc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item istsvc
hkey HKLM
command C:\Program Files\ISTsvc\istsvc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mc-110-12-0000122.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000122
hkey HKCU
command C:\WINDOWS\system32\mc-110-12-0000122.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-110-12-0000122
hkey HKCU
command C:\WINDOWS\system32\mc-110-12-0000122.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msresearch
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msresearch
hkey HKLM
command C:\windows\msresearch.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msresearch
hkey HKLM
command C:\windows\msresearch.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Power Scan
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item powerscan
hkey HKLM
command C:\Program Files\Power Scan\powerscan.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item powerscan
hkey HKLM
command C:\Program Files\Power Scan\powerscan.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\qkwz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qkwzm
hkey HKCU
command C:\PROGRA~1\COMMON~1\qkwz\qkwzm.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qkwzm
hkey HKCU
command C:\PROGRA~1\COMMON~1\qkwz\qkwzm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Recovery system
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item turbo tax 2003 deluxe - keygeo (1)
hkey HKLM
command c:\my shared folder\turbo tax 2003 deluxe - keygeo (1).exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item turbo tax 2003 deluxe - keygeo (1)
hkey HKLM
command c:\my shared folder\turbo tax 2003 deluxe - keygeo (1).exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RoxioEngineUtility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EngUtil
hkey HKLM
command "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EngUtil
hkey HKLM
command "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sais
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sais
hkey HKLM
command c:\program files\180solutions\sais.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sais
hkey HKLM
command c:\program files\180solutions\sais.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sdat
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sdat
hkey HKLM
command C:\WINDOWS\system32\yloy\sdat.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sdat
hkey HKLM
command C:\WINDOWS\system32\yloy\sdat.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\secure
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Tqjuia
hkey HKLM
command C:\WINDOWS\System32\Tqjuia.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Tqjuia
hkey HKLM
command C:\WINDOWS\System32\Tqjuia.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpgs2wnd
hkey HKLM
command C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpgs2wnd
hkey HKLM
command C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vct
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vct
hkey HKLM
command C:\WINDOWS\vct.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vct
hkey HKLM
command C:\WINDOWS\vct.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\version
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Axfiwc
hkey HKLM
command C:\WINDOWS\System32\Axfiwc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Axfiwc
hkey HKLM
command C:\WINDOWS\System32\Axfiwc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebRebates0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebRebates0
hkey HKLM
command "C:\Program Files\Web_Rebates\WebRebates0.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebRebates0
hkey HKLM
command "C:\Program Files\Web_Rebates\WebRebates0.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lk4pss
hkey HKLM
command C:\WINDOWS\system32\lk4pss.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lk4pss
hkey HKLM
command C:\WINDOWS\system32\lk4pss.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zqactx1.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item zqactx1
hkey HKCU
command C:\WINDOWS\system32\zqactx1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item zqactx1
hkey HKCU
command C:\WINDOWS\system32\zqactx1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ZQInContextactx1.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ZQInContextactx1
hkey HKCU
command C:\WINDOWS\system32\ZQInContextactx1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ZQInContextactx1
hkey HKCU
command C:\WINDOWS\system32\ZQInContextactx1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/6/2005 7:47:43 PM


Here is the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 8:05:23 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\J.P. DeLuca\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122692227411
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C62EEC3F-D535-11D1-A663-006008AC53FC} (EngageTreeView Class) - http://cartman.engagenet.com/aem/Controls/EngageTree.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/be!!!eled2/popcaploader_v6.cab
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://secure.nypa.gov/secure/cds/CGC/en/CSGProxy.cab
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/7/2005 5:24 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Looks clean to me ;-)
 
 
How are things running now?


Regards - Touch
 
Do not post your log file in a thread started by someone else.
Duplicate posts will be deleted.

Back to Top
 

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/7/2005 11:02 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Much better, the pop-ups are dead and the speed seems to be back up.  I have not checked my processor usage at idle to see that there is nothing running that would hinder my speed, but it should be nill.  Thanks for all your help! 
I have a few questins:
1)  How do I prevent this from happeneing again?
2)  How do I put my settings back?  (system files / hidden folders / etc.)
3)  Is there a way to reset my tea timer so that malicious files I may of allowed to pass need to be blocked?
4)  Why didn't the combination of Spybot, Tea Timer, Ad-Aware and Norton clean and detect all those files?
5)  Is it safe to assume that the latest HijackThis log is clean, and in the future If I come accross problems I should delete anything that does not match up to the current log?
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/8/2005 12:52 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
1-2 =
 
 
I suggest you install these:

Spywareblaster
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers,
and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.

SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
And unlike other programs, SpywareBlaster does not have to remain running in the background.

Spywareguard
SpywareGuard provides a real-time protection solution against spyware
that is a great addition to SpywareBlaster's protection method.
IE Spyad
IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC.

Visit Microsoft  and check for Critical Security Updates
Microsoft Update
 

3-
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
check Teatimer box.

4. Good question, but nothing is 100 percent safe
 

5. I recommend you don´t fix anything in hijackthis, as legal programs are shown in the log as well


Regards - Touch
 
Do not post your log file in a thread started by someone else.
Duplicate posts will be deleted.

Back to Top
 

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/21/2005 8:59 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Touch...are your still there?  
 
Things have going great until 2 days ago then all hell broke lose.  I've been using the hibernate option instead of shut down for convenience but I'm not sure if that was the trigger for all of the following: 
 
My computer slowed down to the point where if close out of programs and open new ones too fast it will lock up and freeze. 
 
I'm getting a few pop-ups...nothing crazy. 
 
My real concern is the odd behavior of Windows.  When I go into system properties, device manager, there is absolutely nothing on the list.  I'm connected to the internet yet there is no sign of my wireless connection or even any hardware. 
 
Additionally....when I open up 3 programs simultaneously, the 3rd program will have 2 icons in the task bar as if it is open twice. 
 
Whenever I shut down my computer I get an error that disappears quickly but says something like, "can not initiate ____.DLL" 
 
I tried doing a system restore to when we last communicated but my computer says system restore incomplete on the boot up.  This happens on any restore point I try.
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/21/2005 9:53 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
That´s oddrolleyes
 
 
Post a new logfile -
 
Download:  
Hijackthis


Regards - Touch
 
Do not post your log file in a thread started by someone else.
Duplicate posts will be deleted.

Back to Top
 

J.P.D.
New Member


Date Joined Nov 2005
Total Posts : 19
 
   Posted 11/22/2005 3:59 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
Here it is:




Logfile of HijackThis v1.99.1
Scan saved at 10:17:21 PM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Documents and Settings\J.P. DeLuca\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122692227411
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C62EEC3F-D535-11D1-A663-006008AC53FC} (EngageTreeView Class) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) -
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
   Posted 11/22/2005 5:07 PM (GMT +3)    Quote: Undetectable virus - Non-Stop Pop-UpsAlert an admin about: Undetectable virus - Non-Stop Pop-Ups
 
Please load down SilentRunner:  http://www.silentrunners.org/sr_download.html
Run it, have it save a logfile and post it here as - new topic: http://www.bullguard.com/forum/10/
 
 - Thanks;-)
 
 
I´ll lock this thread, It´s become too long.
 
Call your post-touch look here, I´ll find it


Regards - Touch
 
Do not post your log file in a thread started by someone else.
Duplicate posts will be deleted.

Post Edited (Touch) : 11/22/2005 2:12:51 PM GMT

Back to Top
 
New Topic Locked Topic Printable version of : Undetectable virus - Non-Stop Pop-Ups
 
Forum Information
Currently it is Monday, October 20, 2014 4:07 PM (GMT +3)
There are a total of 60,663 posts in 13,329 threads.
In the last 3 days there were 0 new threads and 1 reply posts. View Active Threads
Who's Online
This forum has 36537 registered members. Please welcome our newest member, ericbana14.
3 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
My computer started running slow AFTER I installed bullguard (2)10/20/2014 1:21:09 AM (John_Don)