Desktop being hijcacked.

Unknown · June 2006

The desktop of this PC is not functioning very well... running extremely slow like something has taken over and is bogging everything down.

Please help.

Logfile of HijackThis v1.99.1
Scan saved at 9:59:18 AM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS.1\system32\winlogon.exe
C:\Program Files\Citrix\GoToMyPC\G2ProcessFactory.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS.1\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS.1\system32\ntvdm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148052261734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.1\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS.1\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Here the startup log as well.
StartupList report, 6/1/2006, 10:33:22 AM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS.1\system32\winlogon.exe
C:\Program Files\Citrix\GoToMyPC\G2ProcessFactory.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS.1\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS.1\system32\ntvdm.exe

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS.1\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
HostManager = C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
GoToMyPC = C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
RCScheduleCheck = C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
VTPreset = VTPreset.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup = C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS.1\System32\mshta.exe "%1" %*

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS.1\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS.1\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS.1\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS.1\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS.1\system32\Rundll32.exe C:\WINDOWS.1\system32\mscories.dll,Install

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

Load/Run keys from C:\WINDOWS.1\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=apitrap.dll

Shell & screensaver key from C:\WINDOWS.1\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS.1\System32\THEONE~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

Checking for EXPLORER.EXE instances:

C:\WINDOWS.1\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS.1\Explorer\Explorer.exe: not present
C:\WINDOWS.1\System\Explorer.exe: not present
C:\WINDOWS.1\System32\Explorer.exe: not present
C:\WINDOWS.1\Command\Explorer.exe: not present
C:\WINDOWS.1\Fonts\Explorer.exe: not present

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS.1
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

Enumerating Browser Helper Objects:

Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

Enumerating Task Scheduler jobs:

Norton SystemWorks One Button Checkup.job
Disk Cleanup.job
LiveUpdate.job
Speed Disk.job
Norton CleanSweep.job
Norton Internet Security.job
Symantec NetDetect.job
XoftSpy.job
Norton AntiVirus - Run Full System Scan - Matt.job
Scheduled Checkpoint.job
MP Scheduled Scan.job

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS.1\Java\classes\dajava.cab
OSD = C:\WINDOWS.1\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS.1\Java\classes\xmldso.cab
OSD = C:\WINDOWS.1\Downloaded Program Files\Microsoft XML Parser for Java.osd

[StagingUI Object]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\StagingUI.ocx
CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab

[Musicnotes Viewer]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\mnviewer.dll
CODEBASE = http://netscape.musicnotes.com/download/mnviewer.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS.1\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS.1\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[ZoneBuddy Class]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\ZBuddy.ocx
CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS.1\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab

[ZonePAChat Object]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\ZPAChat.ocx
CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS.1\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148052261734

[Groove Control]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\GrooveAX.dll
CODEBASE = http://www.nick.com/common/groove/gx/GrooveAX27.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[ZPA_TexasHoldem Object]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\zpa_txhe.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.6\AmpX.dll
CODEBASE = http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS.1\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

[StadiumProxy Class]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\StProxy.dll
CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS.1\Downloaded Program Files\popcaploader.dll
CODEBASE = http://www.popcap.com/games/popcaploader_v6.cab

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS.1\System32\mswsock.dll
NameSpace #2: C:\WINDOWS.1\System32\winrnr.dll
NameSpace #3: C:\WINDOWS.1\System32\mswsock.dll
Protocol #1: C:\WINDOWS.1\system32\mswsock.dll
Protocol #2: C:\WINDOWS.1\system32\mswsock.dll
Protocol #3: C:\WINDOWS.1\system32\mswsock.dll
Protocol #4: C:\WINDOWS.1\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS.1\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS.1\system32\mswsock.dll
Protocol #7: C:\WINDOWS.1\system32\mswsock.dll
Protocol #8: C:\WINDOWS.1\system32\mswsock.dll
Protocol #9: C:\WINDOWS.1\system32\mswsock.dll
Protocol #10: C:\WINDOWS.1\system32\mswsock.dll
Protocol #11: C:\WINDOWS.1\system32\mswsock.dll
Protocol #12: C:\WINDOWS.1\system32\mswsock.dll
Protocol #13: C:\WINDOWS.1\system32\mswsock.dll
Protocol #14: C:\WINDOWS.1\system32\mswsock.dll
Protocol #15: C:\WINDOWS.1\system32\mswsock.dll

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
atirage3: System32\DRIVERS\atimpae.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Internet Security Password Validation: "C:\Program Files\Norton Internet Security\ccPwdSvc.exe" (manual start)
Symantec Network Proxy: "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS.1\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM Host: "C:\Program Files\Norton Internet Security\comHost.exe" (manual start)
COM+ System Application: C:\WINDOWS.1\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Kodak Camera Proxy: system32\DRIVERS\DcCam.sys (system)
DcFpoint: system32\DRIVERS\DcFpoint.sys (manual start)
Kodak DCFS2K Driver: system32\drivers\dcfs2k.sys (autostart)
Legacy Polling Service: system32\DRIVERS\DcLps.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
dcptp: system32\DRIVERS\DcPTP.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS.1\System32\svchost.exe -k netsvcs (manual start)
Exportit: system32\DRIVERS\exportit.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: System32\DRIVERS\fetnd5.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5b.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
GoToMyPC: "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (autostart)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HCF_MSFT: System32\DRIVERS\HCF_MSFT.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
File Security Kernel Anti-Spyware Driver: \??\C:\WINDOWS.1\system32\drivers\ikhfile.sys (system)
Kernel Anti-Spyware Driver: \??\C:\WINDOWS.1\system32\drivers\ikhlayer.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS.1\System32\imapi.exe (manual start)
Iomega Devices Disk Filter Services: System32\DRIVERS\iomdisk.sys (system)
Iomega Activity Disk2: "" (disabled)
Iomega App Services: "C:\PROGRA~1\Iomega\System32\AppServices.exe" (autostart)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kodak Camera Connection Software: %SystemRoot%\system32\drivers\KodakCCS.exe (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS.1\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS.1\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS.1\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060519.017\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060519.017\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton Unerase Protection Driver: \??\C:\WINDOWS.1\System32\Drivers\NPDRIVER.SYS (manual start)
Norton Unerase Protection: C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (autostart)
Norton Protection Center Service: "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE" (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
QDFSDRV: \??\C:\WINDOWS.1\system32\drivers\qdfsdrv.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS.1\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
S3Psddr: system32\DRIVERS\s3gnbm.sys (manual start)
S3SavageNB: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS (system)
SAVRTPEL: \??\C:

JeffatTT · June 2006

bump.. please help

Shaba · June 2006

Fix with HjT (do a system scan only, checkmark these and press fix checked):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - <default> - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

Reboot

Please do these online scans:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

[/size]

Please run this online scan:

Panda ActiveScan

Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log

Send their reports along with a fresh HjT log

JeffatTT · June 2006

OK... here's the Kapersky report. Currently running Panda.

KASPERSKY ON-LINE SCANNER REPORT
Sunday, June 04, 2006 10:13:41 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 4/06/2006
Kaspersky Anti-Virus database records: 198350

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 88267
Number of viruses found: 19
Number of infected objects: 46
Number of suspicious objects: 2
Duration of the scan process: 02:29:56

Infected Object Name / Virus Name / Last Action
C:\HJT\backups\backup-20060604-000900-862.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS.1\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\033B136A.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36E962A3.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36EC0CA0.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36EC0CA0.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D5E0E44.exe Infected: Trojan.Win32.Small.cy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36EF369C.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36F26099.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57A70CD0.exe Infected: Trojan-Downloader.Win32.IstBar.lw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57AA36CC.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78F03AB7.exe Infected: Trojan-Downloader.Win32.Small.bke skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D447528.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67DA1447.exe Infected: Trojan.Win32.Small.cy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67E4123C.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67FE6220.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67FE6220.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1912458E.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68053618.DLL Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EDA238D.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68053618.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68086015.EXE Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24A3018C.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\680B0A11.EXE Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10E00594.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10ED2D85.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Brotunes\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Brotunes\ace.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Brotunes\umdbdcz2.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Brotunes\robpro32.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Brotunes\Cache\00001056_4436baae_00050b04 Infected: Exploit.HTML.Mht skipped
C:\Program Files\filesubmit\theonering.exe\NNWDAC638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\filesubmit\theonering.exe\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Program Files\filesubmit\theonering.exe\atoolbar400134.exe WiseSFX: infected - 1 skipped
C:\Program Files\filesubmit\theonering.exe\atoolbar400134.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\XoftSpy\uninstall.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\XoftSpy\uninstall.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000263.exe Infected: Trojan-Downloader.Win32.Zlob.pn skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000264.tlb Infected: Trojan-Downloader.Win32.Zlob.qk skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000273.exe Infected: Trojan-Downloader.Win32.Zlob.qk skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000280.exe Infected: Trojan-Downloader.Win32.Zlob.pa skipped
C:\who.exe Infected: Trojan.Win32.Small.gf skipped
C:\temp1\xoftspy 4.15 + serial.zip/software/System Security/xsoftspy4.15/XoftSpy415_97.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\temp1\xoftspy 4.15 + serial.zip/software/System Security/xsoftspy4.15/XoftSpy415_97.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\temp1\xoftspy 4.15 + serial.zip ZIP: infected - 2 skipped
C:\temp1\xoftspy 4.15 + serial\software\System Security\xsoftspy4.15\XoftSpy415_97.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\temp1\xoftspy 4.15 + serial\software\System Security\xsoftspy4.15\XoftSpy415_97.exe NSIS: infected - 1 skipped
C:\Recycled\Dc671 Infected: Exploit.HTML.Mht skipped

Scan process completed.

Shaba · June 2006

Ok, you have some serious infections. I'll give you cleaning instructions after you have send also Panda results

JeffatTT · June 2006

OK Here's the Panda report

Incident Status Location

Adware:adware program Not disinfected c:\windows.1\ss3unstl.exe
Adware:adware/surfaccuracy Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS.1\system32\Process.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atwola[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rightmedia[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[3].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rightmedia[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[4].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[5].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rightmedia[3].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[4].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.WINXP_HOME\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@doubleclick[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@banner[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@atdmt[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@tribalfusion[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@2o7[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@go[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@belnk[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@fastclick[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@advertising[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@dist.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@atwola[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@trafficmp[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@com[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@realmedia[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@advertising[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@mediaplex[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@www.burstbeacon[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@entrepreneur[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@hitbox[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@ad.yieldmanager[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@ads.pointroll[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@go[3].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@searchportal.information[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@azjmp[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@ad.yieldmanager[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@atwola[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@i.screensavers[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley\Cookies\ashley@dist.belnk[3].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@perf.overture[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@atwola[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@ads.pointroll[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@mediaplex[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@microsofteup.112.2o7[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@serving-sys[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@advertising[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@doubleclick[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@overture[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@atdmt[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@hitbox[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@2o7[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Matt.WINXP_HOME\Cookies\matt@go[1].txt
Spyware:Spyware/New.net Not disinfected C:\Program Files\filesubmit\theonering.exe\NNWDAC638.EXE

JeffatTT · June 2006

And here's the HJT report

Logfile of HijackThis v1.99.1
Scan saved at 10:39:05 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\csrss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.1\System32\alg.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Sierra\Planner\PLNRnote.exe
C:\WINDOWS.1\system32\ntvdm.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS.1\system32\csrss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\Program Files\Citrix\GoToMyPC\G2ProcessFactory.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PartyGaming\PartyGaming.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\HJT\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.com/
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148052261734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.1\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS.1\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Awaiting your next set of instructions.
Jeff.

Shaba · June 2006

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Delete, if found:

c:\windows.1\ss3unstl.exe
C:\Program Files\filesubmit\theonering.exe
C:\WINDOWS.1\Downloaded Program Files\popcaploader.dll

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine <

Empty Recycle Bin.

Please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

Run another Kaspersky scan.

Send:

- kaspersky report
- aproposfix log
- a fresh HjT log

JeffatTT · June 2006

OK... i followed all your instructions successfully.

Here are the 3 reports.

Kaspersky report:

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, June 06, 2006 9:39:13 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 6/06/2006
Kaspersky Anti-Virus database records: 198611

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 79476
Number of viruses found: 18
Number of infected objects: 49
Number of suspicious objects: 2
Duration of the scan process: 03:15:41

Infected Object Name / Virus Name / Last Action
C:\HJT\backups\backup-20060604-000900-862.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS.1\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Program Files\XoftSpy\uninstall.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\XoftSpy\uninstall.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000263.exe Infected: Trojan-Downloader.Win32.Zlob.pn skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000264.tlb Infected: Trojan-Downloader.Win32.Zlob.qk skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000273.exe Infected: Trojan-Downloader.Win32.Zlob.qk skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP6\A0000280.exe Infected: Trojan-Downloader.Win32.Zlob.pa skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004431.exe Infected: Trojan.Win32.Small.cy skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004432.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004433.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004434.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004435.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004436.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004437.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004438.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004439.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004440.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004441.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004442.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004443.exe Infected: Trojan-Downloader.Win32.IstBar.lw skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004444.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004445.exe Infected: Trojan.Win32.Small.cy skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004446.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004447.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004448.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004449.exe Infected: Trojan-Downloader.Win32.Small.bke skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004450.EXE Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004451.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004452.DLL Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004453.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004454.EXE Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004456.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004457.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004457.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004457.exe WiseSFX Dropper: infected - 1 skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004676.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004677.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004678.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{7941A242-D195-49B1-8578-0A292EF4D588}\RP37\A0004679.exe Infected: Trojan.Win32.Crypt.t skipped
C:\who.exe Infected: Trojan.Win32.Small.gf skipped
C:\temp1\xoftspy 4.15 + serial.zip/software/System Security/xsoftspy4.15/XoftSpy415_97.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\temp1\xoftspy 4.15 + serial.zip/software/System Security/xsoftspy4.15/XoftSpy415_97.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\temp1\xoftspy 4.15 + serial.zip ZIP: infected - 2 skipped
C:\temp1\xoftspy 4.15 + serial\software\System Security\xsoftspy4.15\XoftSpy415_97.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\temp1\xoftspy 4.15 + serial\software\System Security\xsoftspy4.15\XoftSpy415_97.exe NSIS: infected - 1 skipped
C:\temp1\aproposfix\backups\backups.zip/backups/WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\temp1\aproposfix\backups\backups.zip/backups/ace.dll Infected: Trojan.Win32.Crypt.t skipped
C:\temp1\aproposfix\backups\backups.zip/backups/umdbdcz2.exe Infected: Trojan.Win32.Crypt.t skipped
C:\temp1\aproposfix\backups\backups.zip/backups/robpro32.exe Infected: Trojan.Win32.Crypt.t skipped
C:\temp1\aproposfix\backups\backups.zip ZIP: infected - 4 skipped

Scan process completed.
___________________________________________________________

Apros Fix Log:

Log of AproposFix v1.1

************

Running from directory:
C:\temp1\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CrjToABFLX7n]
@="cifTYiRCDDCDDEDju3hilfCDDCSFDmYdTemiEHD4A45u.JIDt3y7u34D61ttssq.E4A4"
"Device"="\\\\.\\TerRSVP"
"DriverName"="MSPDISB"
"HideUninstallerName"="C:\\Program Files\\Brotunes\\umdbdcz2.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{228ECEB7-417B-459D-82D5-A022F3213F84}"
"UninstallerParams"="/CTUN"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xa59aed8-606d-57d5-5587-82b276870384}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Brotunes\\robpro32.exe"
"Version"="2.0.131"
"CrMnTmt"=dword:0036ee80
"NxRestTm"="2006:05:19-23:18:59:531"

************

Removing hidden service:
Service MSPDISB removed.

Removing hidden folder:
Deletion of folder Brotunes succeeded!

Deleting files:

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CrjToABFLX7n]
[-HKEY_LOCAL_MACHINE\Software\CrjToABFLX7n]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{228ECEB7-417B-459D-82D5-A022F3213F84}]

Done!

Finished!

____________________________________________________________
HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:39 AM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\csrss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS.1\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Sierra\Planner\PLNRnote.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\system32\ntvdm.exe
C:\WINDOWS.1\System32\alg.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS.1\system32\csrss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\Program Files\Citrix\GoToMyPC\G2ProcessFactory.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.com/
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148052261734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS.1\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS.1\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Shaba · June 2006

Looks pretty good

Some viruses on system restore but that can be easily cleaned. Still problems?

JeffatTT · June 2006

Looks like desktop is still comprimised. When windows starts, we see the normal desktop background and then a second later, it goes to blue screen background and then the pc starts acting very sluggish.

Any more advice?

Shaba · June 2006

Let's take a look a bit deeper:

Download F-Secure Blacklight and save it to your desktop -> http://www.f-secure.com/blacklight/try.shtml

Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log to here (xxxx= random numbers,blacklight log from your desktop)

Also do this:

Follow these instructions -> http://www.bleepingcomputer.com/files/winpfind.php and send winpfind log.

JeffatTT · June 2006

OK... here's the results of the RootKit and Winpfind.

RootKit:
No Hidden Items were found..

06/07/06 23:13:39 [Info]: BlackLight Engine 1.0.37 initialized
06/07/06 23:13:39 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/07/06 23:13:40 [Note]: 7019 4
06/07/06 23:13:40 [Note]: 7005 0
06/07/06 23:13:47 [Note]: 7006 0
06/07/06 23:13:48 [Note]: 7011 2696
06/07/06 23:13:49 [Note]: 7026 0
06/07/06 23:13:51 [Note]: 7026 0
06/07/06 23:14:27 [Note]: FSRAW library version 1.7.1015
06/07/06 23:16:57 [Note]: 2000 1006
06/07/06 23:16:57 [Note]: 2000 1006
06/07/06 23:17:47 [Note]: 7007 0

Winpfind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 4/15/2006 8:50:38 PM 194560 C:\WINDOWS.1\CSI Assume Nothing.scr

Checking %System% folder...
PECompact2 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS.1\SYSTEM32\MRT.exe
aspack 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS.1\SYSTEM32\MRT.exe
UPX! 1/9/2006 10:36:04 AM 42496 C:\WINDOWS.1\SYSTEM32\swreg.exe
PEC2 8/29/2002 12:00:00 PM 41397 C:\WINDOWS.1\SYSTEM32\dfrg.msc
UPX! 1/9/2006 10:36:06 AM 40960 C:\WINDOWS.1\SYSTEM32\swsc.exe
winsync 8/29/2002 12:00:00 PM 1309184 C:\WINDOWS.1\SYSTEM32\wbdbase.deu
PEC2 2/14/1997 9:24:14 PM 197171 C:\WINDOWS.1\SYSTEM32\Dwapilib.tlb
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS.1\SYSTEM32\WgaTray.exe
UPX! 4/27/2006 5:49:30 PM 288417 C:\WINDOWS.1\SYSTEM32\SrchSTS.exe
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS.1\SYSTEM32\LegitCheckControl.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS.1\SYSTEM32\rasdlg.dll
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS.1\SYSTEM32\ntdll.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 6/6/2006 10:51:36 PM 776096 C:\WINDOWS.1\SYSTEM32\drivers\avg7core.sys
FSG! 6/6/2006 10:51:36 PM 776096 C:\WINDOWS.1\SYSTEM32\drivers\avg7core.sys
PEC2 6/6/2006 10:51:36 PM 776096 C:\WINDOWS.1\SYSTEM32\drivers\avg7core.sys
aspack 6/6/2006 10:51:36 PM 776096 C:\WINDOWS.1\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS.1\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS.1\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/7/2006 11:08:56 AM S 2048 C:\WINDOWS.1\bootstat.dat
5/25/2006 2:11:38 PM H 24 C:\WINDOWS.1\prIsJ
6/5/2006 10:18:46 PM H 54156 C:\WINDOWS.1\QTFont.qfn
6/7/2006 11:05:08 PM H 1024 C:\WINDOWS.1\system32\config\system.LOG
6/7/2006 11:05:06 PM H 1024 C:\WINDOWS.1\system32\config\software.LOG
6/7/2006 11:03:08 PM H 1024 C:\WINDOWS.1\system32\config\default.LOG
6/7/2006 11:04:54 PM H 1024 C:\WINDOWS.1\system32\config\SAM.LOG
6/7/2006 10:30:18 PM H 1024 C:\WINDOWS.1\system32\config\SECURITY.LOG
6/7/2006 1:53:08 AM H 1024 C:\WINDOWS.1\system32\config\systemprofile\ntuser.dat.LOG
6/5/2006 9:00:04 PM S 134 C:\WINDOWS.1\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
5/28/2006 1:07:42 AM S 144 C:\WINDOWS.1\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
6/5/2006 9:00:04 PM S 7652 C:\WINDOWS.1\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
5/28/2006 1:07:42 AM S 558 C:\WINDOWS.1\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
5/18/2006 6:32:36 AM H 0 C:\WINDOWS.1\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
4/11/2006 2:34:52 PM S 10443 C:\WINDOWS.1\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Wudf01000.cat
5/17/2006 11:24:42 AM S 7160 C:\WINDOWS.1\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
5/23/2006 5:27:00 PM S 7160 C:\WINDOWS.1\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
5/5/2006 3:17:10 PM HS 388 C:\WINDOWS.1\system32\Microsoft\Protect\S-1-5-18\07af41ab-427b-4ffe-b466-9ad95c0e00ea
5/5/2006 3:17:10 PM HS 24 C:\WINDOWS.1\system32\Microsoft\Protect\S-1-5-18\Preferred
5/18/2006 11:43:14 AM HS 24 C:\WINDOWS.1\system32\Microsoft\Protect\S-1-5-18\User\Preferred
5/18/2006 11:43:14 AM HS 388 C:\WINDOWS.1\system32\Microsoft\Protect\S-1-5-18\User\68078ba1-6d61-4280-aaef-e9034ccfa9a3
5/19/2006 6:25:10 PM H 0 C:\WINDOWS.1\inf\oem10.inf
5/26/2006 11:29:48 AM HS 67 C:\WINDOWS.1\Temp\Temporary Internet Files\Content.IE5\desktop.ini
5/26/2006 11:29:48 AM HS 67 C:\WINDOWS.1\Temp\Temporary Internet Files\Content.IE5\MB2JALO1\desktop.ini
5/26/2006 11:29:48 AM HS 67 C:\WINDOWS.1\Temp\Temporary Internet Files\Content.IE5\HTISJW3H\desktop.ini
5/26/2006 11:29:48 AM HS 67 C:\WINDOWS.1\Temp\Temporary Internet Files\Content.IE5\EVCD4PA7\desktop.ini
5/26/2006 11:29:48 AM HS 67 C:\WINDOWS.1\Temp\Temporary Internet Files\Content.IE5\XL3IP44W\desktop.ini
5/26/2006 11:29:48 AM HS 113 C:\WINDOWS.1\Temp\History\History.IE5\desktop.ini
4/18/2006 3:40:22 AM H 65536 C:\WINDOWS.1\Minidump\Mini041806-02.dmp
6/7/2006 11:09:04 AM H 6 C:\WINDOWS.1\Tasks\SA.DAT
6/7/2006 11:12:08 AM H 330 C:\WINDOWS.1\Tasks\MP Scheduled Scan.job

Checking for CPL files...
RealNetworks, Inc. 2/5/2005 4:42:36 PM 24576 C:\WINDOWS.1\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS.1\SYSTEM32\inetcpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS.1\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 12:00:00 PM 187904 C:\WINDOWS.1\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS.1\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 12:00:00 PM 35840 C:\WINDOWS.1\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS.1\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 12:00:00 PM 28160 C:\WINDOWS.1\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS.1\SYSTEM32\intl.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS.1\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS.1\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS.1\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS.1\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS.1\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS.1\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS.1\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS.1\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS.1\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS.1\SYSTEM32\bthprops.cpl
Iomega Corporation 9/24/2002 4:44:10 PM 151552 C:\WINDOWS.1\SYSTEM32\ADPanel.cpl
Realtek Semiconductor Corp. 1/10/2003 1:20:24 PM R 1607168 C:\WINDOWS.1\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS.1\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS.1\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS.1\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS.1\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS.1\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS.1\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 8/29/2002 12:00:00 PM 187904 C:\WINDOWS.1\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 12:00:00 PM 28160 C:\WINDOWS.1\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/29/2002 12:00:00 PM 35840 C:\WINDOWS.1\SYSTEM32\dllcache\ncpa.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/24/2004 6:58:50 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/16/2006 7:50:54 PM 1336 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
1/23/2006 6:05:26 AM 1741 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
1/23/2006 6:07:40 AM 1862 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/24/2004 6:51:06 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
1/24/2004 6:58:50 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/24/2004 6:51:06 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerDesk Menu
{26E7F081-EB97-11d3-9239-006008D2D00F} = C:\Program Files\VCOM\PowerDesk\pdshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerDesk Menu
{26E7F081-EB97-11d3-9239-006008D2D00F} = C:\Program Files\VCOM\PowerDesk\pdshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS.1\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Norton Internet Security 2006 : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
ButtonText = PartyPoker.com : C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Norton Internet Security 2006 : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = :
{724D43A0-0D85-11D4-9908-00400523E39A} = :
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan SOUNDMAN.EXE
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
HostManager C:\Program Files\Common Files\AOL\1133832775\ee\AOLSoftware.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
GoToMyPC C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
RCScheduleCheck C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
Windows Defender "C:\Program Files\Windows Defender\MSASCui.exe" -hide
VTPreset VTPreset.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS.1\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS.1\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToMyPC
= C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

<<<<<<<<<< Checking for AddOn Monitors.def information >>>>>>>>>>
Parameter line : regkey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors found!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\BJ Language Monitor
Driver cnbjmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\GoToMyPC Port
Driver gotomon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\GoToMyPC Port\Ports

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
Driver localspl.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft Document Imaging Writer Monitor
Driver mdimon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor
Driver pjlmon.dll
EOJTimeout 60000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
Driver tcpmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
StatusUpdateInterval 10
StatusUpdateEnabled 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor
Driver usbmon.dll

<<<<<<<<<< Checking for AddOn OpenCommand.def information >>>>>>>>>>
>>>>>>>>>> Exporting Shell Open\Command entries
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command found!
regedit.exe "%1"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command found!
"%1" /S

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command found!

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command found!
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command found!
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command found!
"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command found!
"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command found!

<<<<<<<<<< Checking for AddOn Policies.def information >>>>>>>>>>

<<<<<<<<<< Checking for AddOn Qoologic.def information >>>>>>>>>>
>>>>>>>>>> Search by size and name
>>>>>>>>>> Files found by this method are not necessarily bad
>>>>>>>>>> Example PNGFILT.DLL is a windows file
Parameter line : file=%sysdir%;*.exe;150;61952;;;
File C:\WINDOWS.1\SYSTEM32\*.exe for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7680;;;
File C:\WINDOWS.1\SYSTEM32\*.exe for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;91648;;;
File C:\WINDOWS.1\SYSTEM32\*.exe for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;81920;;;
File C:\WINDOWS.1\SYSTEM32\*.exe for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7168;;;
File C:\WINDOWS.1\SYSTEM32\*.exe for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;65536;;;
File C:\WINDOWS.1\SYSTEM32\*.exe for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;redit.cpl;;;;;
File C:\WINDOWS.1\SYSTEM32\redit.cpl was not found!
Parameter line : file=%sysdir%;conres.cpl;;;;;
File C:\WINDOWS.1\SYSTEM32\conres.cpl was not found!
Parameter line : file=%sysdir%;datadx.dll;;;;;
File C:\WINDOWS.1\SYSTEM32\datadx.dll was not found!
Parameter line : file=%sysdir%;*.dll;150;10240;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 10240 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;46080;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 46080 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;34816;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 34816 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;16384;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 16384 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;29184;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 29184 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;26624;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 26624 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;9728;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 9728 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;10843;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;18432;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 18432 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;23040;;;
3/29/2006 9:31:04 PM 23040 C:\WINDOWS.1\SYSTEM32\xpsp3res.dll found!
Parameter line : file=%sysdir%;*.dll;150;17920;;;
File C:\WINDOWS.1\SYSTEM32\*.dll for today - 150 days with a size of 17920 bytes was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>> Misc Checks
Parameter line : file=%sysdir%;*.dat;150;81920;;;
File C:\WINDOWS.1\SYSTEM32\*.dat for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;61952;;;
File C:\WINDOWS.1\SYSTEM32\*.dat for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;65536;;;
File C:\WINDOWS.1\SYSTEM32\*.dat for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7680;;;
File C:\WINDOWS.1\SYSTEM32\*.dat for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;91648;;;
File C:\WINDOWS.1\SYSTEM32\*.dat for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7168;;;
File C:\WINDOWS.1\SYSTEM32\*.dat for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%windir%;*.dll;150;10843;;;
File C:\WINDOWS.1\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%windir%;*.dll;150;3950;;;
File C:\WINDOWS.1\*.dll for today - 150 days with a size of 3950 byt

Shaba · June 2006

I see nothing bad there. I suggest that you do repair installation of Windows.
Remember to backup your most important files before that though nothing should be removed during that,

Desktop being hijcacked.

Comments