Help with trojan-spy.html.smitfraud.c
Okay, I did the scan with RunThis and HijackThis, and it has cleared up the background problem; however, according to my computer it is still infected. My antivirus does not fix the problem. I have received help from another member here and was instructed to post the log below.
Logfile of HijackThis v1.99.1
Scan saved at 3:29:07 PM, on 7/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\system32\svcnt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BootWarn] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\BootWarn.exe /a
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103240871216
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{949291CE-0D01-4A25-8760-5A3CD5F17B76}: NameServer = 151.164.1.8 206.13.28.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)
Comments
You are running HijackThis from a temporary folder. You need to create a new folder in a permanent directory of your choice (a folder on the desktop is fine), name the new folder hijackthis, and move or unzip hijackthis.exe into that folder.
--
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds.
Run Ewido:
- Click on scanner
- Click Complete System Scan and the scan will begin.
- During the scan it will prompt you to clean files, click OK
- When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
Close Ewido.
Next go to Control Panel, click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
================
I need you to also delete these:
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\svcnt.exe
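An added triage script (my own, not from this thread or from the HijackThis project) that applies the rules behind the checklist above to HJT log lines: it parses R/O entries, flags the categories the reply marks for fixing, and compares a before and an after log to list which flagged entries a fix round did not remove. The sample lines are constructed from the logs in this thread; the `expected_home` URL prefix and the System32 allowlist are assumptions a reviewer sets per machine.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not from the thread).

Flags the entry types the reply above marks for fixing: IE start/search settings
(R0/R1/R3), nameless BHOs (O2), Trusted Zone / Trusted IP additions (O15), services
with an unknown owner or missing file (O23), and autostarts (O4) that run from
System32 without being on a caller-supplied allowlist. survived_fix() compares a
before and an after log to show which flagged entries a fix round did not remove.
"""
import re

# Sample lines constructed from the logs in this thread (garbled service name -> "x").
BEFORE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://shdocsv.dll/blank.htm
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch = http://www.findin.org/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\\WINDOWS\\netud.dll (file missing)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [tibs3] C:\\WINDOWS\\System32\\tibs3.exe
O4 - HKLM\\..\\Run: [Fast Start] C:\\WINDOWS\\system32\\svcnt.exe home
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: Workstation NetLogon Service (x) - Unknown owner - C:\\WINDOWS\\system32\\ntdt32.exe (file missing)
"""

# Constructed from the follow-up log posted later in the thread, after the first fix round.
AFTER_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.sbc.com/dial
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\\WINDOWS\\netud.dll (file missing)
O4 - HKLM\\..\\Run: [tibs3] C:\\WINDOWS\\System32\\tibs3.exe
O4 - HKLM\\..\\Run: [Fast Start] C:\\WINDOWS\\system32\\svcnt.exe home
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O23 - Service: Workstation NetLogon Service (x) - Unknown owner - C:\\WINDOWS\\system32\\ntdt32.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O4 body: 'HKLM\..\Run: [name] path args', where the path may be quoted.
O4_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_entries(text):
    """Return (kind, body) tuples for every R*/F*/O* line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out


def triage(text, expected_home="http://yahoo.sbc.com/", system32_allowlist=()):
    """Return (kind, reason, body) for each entry a reviewer would mark for fixing.

    expected_home (assumed) is the URL prefix the user legitimately uses; any other
    R0/R1 value is reported. system32_allowlist holds lowercase basenames of
    autostarts known to belong in System32 (none apply in this thread).
    """
    findings = []
    for kind, body in parse_entries(text):
        if kind in ("R0", "R1"):
            value = body.split(" = ", 1)[1].strip() if " = " in body else ""
            if value and not value.startswith(expected_home):
                findings.append((kind, "IE start/search setting points elsewhere", body))
        elif kind == "R3" and "missing" in body:
            findings.append((kind, "default URLSearchHook removed", body))
        elif kind == "O2" and "(no name)" in body:
            findings.append((kind, "BHO with no name", body))
        elif kind == "O4":
            m = O4_RE.search(body)
            path = (m.group("quoted") or m.group("bare") or "") if m else ""
            base = path.lower().rsplit("\\", 1)[-1]
            if "\\system32\\" in path.lower() and base not in system32_allowlist:
                findings.append((kind, "autostart runs from System32, not allowlisted", body))
        elif kind == "O15":
            findings.append((kind, "site or IP added to IE Trusted zone", body))
        elif kind == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((kind, "service with unknown owner or missing binary", body))
    return findings


def survived_fix(before_text, after_text, **kw):
    """Flagged entries present in both logs: what a fix round did not remove."""
    before = {body for _, _, body in triage(before_text, **kw)}
    return [f for f in triage(after_text, **kw) if f[2] in before]


if __name__ == "__main__":
    for kind, reason, body in triage(BEFORE_LOG):
        print(f"{kind}: {reason}\n    {body}")
    print("\nStill present after the fix round:")
    for kind, _, body in survived_fix(BEFORE_LOG, AFTER_LOG):
        print(f"{kind}: {body}")
```

Entries that survive a fix round (here the two System32 autostarts and the ownerless service) are the ones to remove by file as well as by registry entry, which is what the follow-up instruction above asks for.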
Logfile of HijackThis v1.99.1
Scan saved at 4:30:49 PM, on 7/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BootWarn] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\BootWarn.exe /a
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103240871216
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)
smitfiles log:
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~ system32 folder ~~~
intel32.exe
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
CLEAN!
Incident Status Location
Adware:adware/superspider No disinfected C:\PROGRAM FILES\q330994.exe
Adware:adware/antivirus-gold No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\AntivirusGold 2.0.lnk
Adware:adware/portalscan No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\adlinstallwin32.exe
Adware:adware/sahagent No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\bundletracking.asp
Adware:adware/adsmart No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\pi.sys
Spyware:spyware/istbar No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\LOCAL SETTINGS\TEMP\shortcuts.txt
Spyware:spyware/bridge No disinfected C:\WINDOWS\SYSTEM32\bridge.dll
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/startpage.id No disinfected C:\msdos.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:adware/addestroyer No disinfected C:\PROGRAM FILES\AdDestroyer
Adware:adware/apropos No disinfected C:\PROGRAM FILES\AutoUpdate
Adware:adware/downloadware No disinfected C:\PROGRAM FILES\Recommended Hotfix - 421701D
Adware:adware/searchexe No disinfected C:\PROGRAM FILES\se
Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevancy
Spyware:spyware/surfsidekick No disinfected C:\PROGRAM FILES\SurfSideKick 2
Adware:adware/topconvert No disinfected C:\PROGRAM FILES\TopConverting
Adware:adware/virtualbouncer No disinfected C:\PROGRAM FILES\VBouncer
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Windows ServeAd
Adware:adware/powerscan No disinfected C:\DOCUMENTS AND SETTINGS\RYAN.SHERRIE-N0QRH1B\START MENU\PROGRAMS\Power Scan
Adware:adware/sqwire No disinfected C:\PROGRAM FILES\COMMON FILES\tsa
Adware:adware/ncase No disinfected C:\TEMP\FLEOK
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Adware:adware/cws No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807}
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\John\Local Settings\Temp\SskUpdater.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\0LY7C96N\auto_update[1]
Virus:Trj/Downloader.TC Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\global[1].css
Virus:Trj/Downloader.TC Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\global[2].css
Adware:Adware/Xupiter No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\OELoader[1].cab[OELoader.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\Playstation%202_19621_Bujingai_cheats[1].html[Playstation%202_19621_Bujingai_cheats[1]]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\Playstation%202_19621_Bujingai_cheats[2].html
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\CA2JSJ70.HTM
Virus:VBS/Psyme.X No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\hardmansp[1].chm[1.htm]
Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\hardmansp[1].chm[on-line.exe]
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\3U0JB58D\hosts[1]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4L0HABGX\loaderadv234[1].jar[Dummy.class]
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\CAXNND79.HTM
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\hosts[1]
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\hosts[2]
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\hosts[3]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\mt[1].htm
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4TUNKXIZ\hosts[1]
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\auto_update[1]
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\auto_update[2]
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\BUEK2QUA\CAYFWLI3.HTM
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\DBVBDLKE\CADWQ99J.HTM
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\GBTRUUVT\auto_update[1]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\GX87CJGJ\TBPS[1].cab[TBPS.exe]
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IHJGP4RY\hosts[1]
Virus:VBS/Psyme.C No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IHJGP4RY\new2[3].chm[new2.html]
Virus:VBS/Psyme.C No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IHJGP4RY\new2[4].chm[new2.html]
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IPCR6D25\hosts[1]
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IR63QTIR\auto_update[1]
Adware:Adware/NetPals No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\MQAGPUV6\nce9rck[1].cab[ATPartners.inf]
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\PRJV5LKA\CAUH4FWZ.HTM
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\VJL7RTOW\CA7ZR93N.HTM
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\VJL7RTOW\hosts[1]
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\VJL7RTOW\hosts[2]
Virus:Exploit/DialogArg Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\W7Z36SDP\2[1].htm
Virus:Trj/Qhost.B Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\W7Z36SDP\hosts[1]
Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\W7Z36SDP\stc[1].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\bridge-c18[1].cab[BridgeX.inf]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\bridge-c18[2].cab[BridgeX.inf]
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\CABAEDB7.HTM
Adware:Adware/Gator No disinfected C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\hdplugin_1019_bundle33v1d33[1].cab
Adware:Adware/PortalScan No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\adlinstallwin32.exe
Spyware:Spyware/Smitfraud No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\AGLanguage.ini
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temp\pggo.exe
Virus:Trj/Downloader.TC Disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temporary Internet Files\Content.IE5\2H7O14RI\wayofthesamurai2[1].htm
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temporary Internet Files\Content.IE5\9RVRPXWE\alien[1].cab
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Local Settings\Temporary Internet Files\Content.IE5\9RVRPXWE\alien[1].cab[mm63.INF]
Spyware:Spyware/Smitfraud No disinfected C:\Documents and Settings\shari.SHERRIE-N0QRH1B\Local Settings\Temp\AGLanguage.ini
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\rainbow\classify.dll
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa\tsuninst.exe
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevancy\uninstall.exe
Possible Virus. No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
Virus:Trj/Downloader.DLH Disinfected C:\WINDOWS\system32\abirvalg32.dll
ewido security suite - Scan report
+ Created on: 6:48:10 PM, 7/17/2005
+ Report-Checksum: 14F70926
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{0F9561D0-03B2-44a3-89A6-E95E417CBA25} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E5B9131-9DA3-5441-BE0E-FA6A3B539A96} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{491BE5B7-A7F8-40EC-AAD4-CBA11FDFD814} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{29358AA6-679D-44EA-8A51-59A3C6E6F811} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Windows ServeAd -> Spyware.BlazeFind : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\accuweather;in=home;pg=8t15d;pu=1;sz=1x1;tile=1;ord=5921690717[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\accuweather;in=home;pu=1;sz=1x1;tile=1;ord=4996976404[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\2VSPMR2D\accuweather;in=home;zc=67219;wx1=34;wx2=03;wx3=35;wx4=07;wx5=15;wx6=06;wxtmp=0;pg=5daho;;pu=1;sz=1x1;tile=1;ord=1017977408168[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\D8C7LT05\freedownloads[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\ELNSDKB6\links[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\GHEN8XMZ\AppWrap[2].exe -> TrojanDropper.Small.of : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\GHEN8XMZ\AppWrap[3].exe -> TrojanDropper.Small.of : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\K77FAWH1\consumerinfo2[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\K77FAWH1\featuredartists[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\K77FAWH1\music[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\MQAGPUV6\accuweather;in=home;pu=1;sz=1x1;tile=3;ord=5183278997[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\MQAGPUV6\accuweather;in=video;;pu=1;sz=1x1;tile=1;ord=1019098106121[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\YRON0Z81\accuweather;in=home;pu=1;sz=1x1;tile=1;ord=1017885011186[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\AppWrap[1].exe -> TrojanDropper.Small.of : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\AppWrap[2].exe -> TrojanDropper.Small.of : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\21LEVADG\bridge-c3[1].cab/BridgeX.dll -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails1[1].html -> TrojanDownloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails1[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails2[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails2[3].html -> TrojanDownloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails3[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\4P63C1QF\Tails4[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\AppWrap[1].exe -> TrojanDropper.Small.of : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\hikaru[2].html -> TrojanDownloader.Iwill.m : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\7QKNBHWL\sonypictures[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\8TQJW9AF\pczx2[1].cab/pczx2.dll -> TrojanDownloader.Rameh.b : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\GHQZG5YR\tb3[1].cab/toolbar.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\IR63QTIR\hdplugin_1019_bundle43v5d33[1].cab/HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\X7NFL1OE\netslv32_EN_XP[1].cab/netslv32.dll -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\cell[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[3].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[4].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\characters[5].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\frieza[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\gero[2].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\gero[3].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\gero[4].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\index[5].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\index[6].html -> Backdoor.IRC.Sitex : Cleaned with backup
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\Y5XQFA14\secure[1].php -> TrojanDownloader.Psyme.i : Cleaned with backup
C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\0JRO0RG8\4657[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\7ASFVXCH\0,2554,1-9696-All,00[2].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\7ASFVXCH\0,2555,1-9696-AN-HighFEN4FENSchoolFEN4FENFEN7FENFEN4FENBeyond--2,00[1].html -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\7ASFVXCH\0,4006,1-9696-11665-1,00[1].html -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\WHGF4ZGR\0,2555,1-9696-AN-HighFEN4FENSchoolFEN4FENFEN7FENFEN4FENBeyond-,00[1].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\WHGF4ZGR\0,2555,1-9696-AN-HighFEN4FENSchoolFEN4FENFEN7FENFEN4FENBeyond--3,00[1].html -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Shari\Local Settings\Temporary Internet Files\Content.IE5\WHGF4ZGR\home[3].htm -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\shari.SHERRIE-N0QRH1B\Cookies\shari@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\adddh32.dll:rymftf -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\addoq32.dll:enkery -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\explorer.exe:zeajf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javaab.dll:hhovf -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\mfclk32.dll:vywac -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\msdfmap.ini:lzanxe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\NOTEPAD.EXE:xrcuf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntea.dll:walgur -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ntea.dll:wghzvi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntuq.dll:fvdly -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ntuq.dll:ohzfps -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\patch.exe:axshwv -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINDOWS\patch.exe:uqxyde -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syshs.dll:ovxymk -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINDOWS\system32\cool.exe -> Backdoor.SdBot : Cleaned with backup
C:\WINDOWS\system32\svcnt.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\WINDOWS\system32\TFTP2356 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\TFTP3636 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\winhlp32.exe:glcgh -> TrojanDownloader.Agent.ap : Cleaned with backup
::Report End
===============
When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.
===============
Go to Add/Remove Programs and remove (uninstall) the following, if present:
PSGuard
TIBS
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
===============
Run HijackThis, click "Scan", then check (tick) the following, if present:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netud.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard\PSGuard.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Workstation NetLogon Service (?%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HijackThis, then click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:
files...
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\System32\intel32.exe
folder(s)...
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\System32\intel32.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\PSGuard (it is not on the desktop)
Also the programs:
PSGuard
TIBS
are not on the Add/Remove list, though I did do the checking and the "Fix Checked" with HijackThis and the service pack from Microsoft.
Logfile of HijackThis v1.99.1
Scan saved at 1:54:36 PM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BootWarn] C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\BootWarn.exe /a
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103240871216
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{949291CE-0D01-4A25-8760-5A3CD5F17B76}: NameServer = 151.164.1.8 206.13.28.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Documents and Settings\Ryan.SHERRIE-N0QRH1B\Desktop\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ntdt32.exe (file missing)
(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and IE-SpyAd must be re-installed if it was installed.
=========
Start>>Run and type regedit
Press enter.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service (�%AF夶À¨)
If Workstation NetLogon Service (�%AF夶À¨) exists, right-click on it and choose Delete from the menu.
Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service (�%AF夶À¨)
If LEGACY_Workstation NetLogon Service (�%AF夶À¨) exists, right-click on it and choose Delete from the menu.
Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe
Put it in its own folder. You may want to keep this program; it is an excellent free registry editor.
Install, run, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
and hit the "go" tab. Find the "Appinit_Dlls" value in the right-hand panel, double-click it, then copy and post here the information in the 'Value' field.
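Added example, not part of the thread or of any tool mentioned in it: a PowerShell script that audits the same ZoneMap keys fixme.reg deletes and reads the AppInit_DLLs value the helper asks for, so both can be reviewed before anything is reset. It reports every zone, not only the Trusted entries HijackThis lists under O15; it assumes an elevated PowerShell prompt, and the function names Get-ZoneMapEntries and Get-AppInitDlls are my own.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt.
# Zone ids as stored in the ZoneMap DWORD values.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    # Hypothetical helper: lists every domain and IP range mapped into an IE zone
    # under one hive. These are exactly the keys fixme.reg deletes.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

    # Domains\<domain>[\<host or *>] holds one DWORD per scheme (http, https, *) = zone id.
    Get-ChildItem "$base\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
        # Subkey "awmdabest.com\*" is the wildcard HijackThis prints as "*.awmdabest.com".
        $target = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne '' })) {
            [pscustomobject]@{
                Hive = $Hive; Kind = 'Domain'; Target = $target; Scheme = $scheme
                Zone = $ZoneNames[[int]$key.GetValue($scheme)]
            }
        }
    }

    # Ranges\RangeN holds a ":Range" string (an IP or range) plus per-scheme zone DWORDs;
    # this is where an O15 "Trusted IP range" entry such as 206.161.125.149 lives.
    Get-ChildItem "$base\Ranges" -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $range = $key.GetValue(':Range')
        foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' -and $_ -ne '' })) {
            [pscustomobject]@{
                Hive = $Hive; Kind = 'IP range'; Target = $range; Scheme = $scheme
                Zone = $ZoneNames[[int]$key.GetValue($scheme)]
            }
        }
    }
}

function Get-AppInitDlls {
    # Hypothetical helper: returns the DLL paths in AppInit_DLLs as an array.
    # A non-empty value means every process that loads user32.dll also loads these DLLs,
    # which is why the helper asks to see it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $raw = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split '[ ,]+' | Where-Object { $_ })
}

# Collect both hives, show everything, then call out the Trusted-zone entries separately:
# a domain or IP range in zone 2 that the user never added is the O15 finding.
$entries = @(Get-ZoneMapEntries -Hive HKCU) + @(Get-ZoneMapEntries -Hive HKLM)
"ZoneMap entries found: $($entries.Count)"
$entries | Sort-Object Hive, Kind, Target | Format-Table -AutoSize

$trusted = $entries | Where-Object { $_.Zone -eq 'Trusted sites' }
if ($trusted) {
    "Trusted-zone entries to review: " + (($trusted.Target | Sort-Object -Unique) -join ', ')
}

$dlls = Get-AppInitDlls
if ($dlls.Count -gt 0) { "AppInit_DLLs is set: $($dlls -join '; ')" }
else                   { "AppInit_DLLs is empty." }
```

Run it once before merging fixme.reg to keep a record of what was there, and again afterwards to confirm the Domains and Ranges keys are empty.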
There's a value name which has: AppInit_DLLs
There's just a value which has: SYS:Microsoft\Windows NT\CurrentVersion\Windows
Also a type, type no. and size. Not sure if those were needed either. Hopefully I posted what you needed.