Greets!
Working with XP, SP2, connect via modem. Have Norton 2004, fully updated, Ewido, CWSweeper. Followed instructions in the sticky that heads up this forum for cleaning out my machine as best I could (removed .tmp, history, cookies, etc) in safe-mode.
Problem: I get a pop-up window asking me to "For Instant Access Please click yes" when connected to the internet for a few minutes. My current dial-up disconnects, and the virus creates a dialer that keeps trying to connect. This dialer eventually goes away, and it doesn't bother me again. Web search turned up that this was something called a DialerPlatform.
Norton initially caught the Gaobot, the ByteVerify, and the DialerPlatform. Below is a modified HJT log, cleared of all the items I know are legit, after a thorough cleaning of my system by all of the programs listed above. Of note: what is "lich.exe"? Doesn't show up anywhere except in HJT. Also note the winlogon entry...hmmm.
Please let me know if any more info is helpful. If a full HJT log is needed, I can post it.
Logfile of HijackThis v1.99.1
Scan saved at 11:19:03 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Default\My Documents\Computer Files\Virus022006\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Default\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [lich] lich.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
Also: something that doesn't show up anywhere: I have a program called zdj.exe on my C: that calls itself a "loader for you" in the properties window. Suspicious, yes? Can I just delete it?
Thanks for your help.
Hi,
Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan.
Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with Kaspersky log.
Note: If your PC doesn't remain online until the Kaspersky scan completes, then you can skip it.
And, by the way, that O20 entry is related to the Intel Graphics driver and is legitimate. And, Lich.exe is spyware, we will remove it later :)
Thanks, swatkat! I'm on my work computer right now, I'll do those scans this afternoon and post back.
OK, I have the scans.
Kaspersky gave me this (original is html, so the formatting is weird):
Tuesday, February 21, 2006 8:56:32 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/02/2006
Kaspersky Anti-Virus database records: 178009
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics
Total number of scanned objects 169781
Number of viruses found 12
Number of infected objects 47
Number of suspicious objects 0
Duration of the scan process 02:49:05
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Default\Local Settings\Temp\ajgocpmd.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\Documents and Settings\Default\Local Settings\Temp\kohbhpmd.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\HXEHKH09\gdnUS2161[1].exe Infected: Trojan-Downloader.Win32.Small.ayl skipped
C:\Documents and Settings\Parents\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-43756bb5-691be12c.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Parents\Local Settings\Temp\bnlncpmd.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\7BU5HRZX\gdnUS2161[1].exe Infected: Trojan-Downloader.Win32.Small.ayl skipped
C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\VSG8T1F2\init[1].js Infected: Trojan-Downloader.JS.IstBar.af skipped
C:\Program Files\Norton AntiVirus\Quarantine\02C26968 Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\164830C8 Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\1AE55FBC Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\1CAB2F40 Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\1D34664E Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\1F530FB9 Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\2690798C/Beyond.class Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\2690798C/BlackBox.class Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\2690798C/VerifierBug.class Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\2690798C ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\2690798C CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\26C16F57 Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\26C41953 Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\278C68EC Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\29A024A2 Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\2B4B3E26 Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\2C03656D Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\2C4F452A Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\2D4533C4 Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\2D485DC1 Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\379976E4 Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A2764AE Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A2D7E90 Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\43400266 Infected: Backdoor.Win32.Agobot.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\4600197F Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\4835108A Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\4E0B4A63 Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\51ED08F7 Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\586534A7 Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\5B293A28 Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\660E70DE Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\675A1500 Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\678C7715 Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\Norton AntiVirus\Quarantine\681759A8 Infected: Trojan.Java.Needy.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\68F90B9E Infected: Trojan.Win32.Dialer.ay skipped
C:\Program Files\Norton AntiVirus\Quarantine\6F4B6083.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\717C586A Infected: Trojan.Java.ClassLoader.z skipped
C:\Program Files\Norton AntiVirus\Quarantine\7E41045D Infected: Backdoor.Win32.Agobot.gen skipped
C:\WINDOWS\system32\drivers\etc\hosts.bak Infected: Trojan.Win32.Qhost skipped
C:\WINDOWS\system32\lich.exe Infected: Trojan.Win32.LowZones.dm skipped
Scan process completed.
And WinPFind gave me this:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 8/22/2004 4:04:56 PM 69120 C:\WINDOWS\daemon.dll
Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 5/26/2005 3:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 7/22/2005 7:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
aspack 12/5/2005 6:09:18 PM 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 2/14/2006 12:41:32 PM 5692 C:\WINDOWS\SYSTEM32\lich.exe
PECompact2 2/8/2006 12:23:40 AM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2/8/2006 12:23:40 AM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/21/2006 4:58:54 PM S 2048 C:\WINDOWS\bootstat.dat
2/21/2006 5:20:48 PM H 0 C:\WINDOWS\LastGood\INF\oem84.inf
2/21/2006 5:20:48 PM H 0 C:\WINDOWS\LastGood\INF\oem84.PNF
1/3/2006 1:17:06 PM S 8792 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911564.cat
1/4/2006 12:39:38 AM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911927.cat
1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/13/2006 2:28:32 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
1/6/2006 12:22:22 PM S 7156 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem79.CAT
2/21/2006 6:00:58 PM H 1024 C:\WINDOWS\system32\config\default.LOG
2/21/2006 5:11:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
2/21/2006 8:53:08 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
2/21/2006 9:02:06 PM H 1024 C:\WINDOWS\system32\config\software.LOG
2/21/2006 8:58:12 PM H 1024 C:\WINDOWS\system32\config\system.LOG
2/17/2006 10:20:32 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2/21/2006 4:58:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/7/2003 9:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/19/2003 5:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
8/2/2005 3:35:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Autodesk, Inc. 2/14/2003 1:34:12 AM 205472 C:\WINDOWS\SYSTEM32\plotman.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 8/26/1996 2:12:00 AM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 6/3/1999 7:11:20 PM 229376 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Autodesk, Inc. 2/14/2003 1:34:14 AM 205472 C:\WINDOWS\SYSTEM32\styleman.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Realtek Semiconductor Corp. 2/17/2004 5:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\DRVSTORE\Alcxwdm_cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\ALSNDMGR.CPL
Intel Corporation 4/7/2003 9:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:00 PM 16121856 C:\WINDOWS\SYSTEM32\ReinstallBackups\0022\DriverFiles\ALSNDMGR.CPL
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
2/29/2004 5:15:04 PM 1835 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
3/14/2004 10:52:54 AM 901 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
10/10/2003 9:32:08 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/13/2005 10:39:14 PM 1567 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
10/10/2003 10:42:52 PM 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
2/29/2004 5:08:02 PM 754 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/10/2003 2:26:14 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
10/10/2003 11:30:42 PM 1236 C:\Documents and Settings\All Users\Application Data\hpzinstall.log
Checking files in %USERPROFILE%\Startup folder...
10/10/2003 9:32:08 PM HS 84 C:\Documents and Settings\Default\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
10/10/2003 2:26:14 PM HS 62 C:\Documents and Settings\Default\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\DataVizMenu
{1f0c0580-d3fa-11cf-92b8-0020afd3f438} = C:\Program Files\Conversions Plus\dvzext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RhinoShExt
{C81DCBCA-8AE2-41FC-9C39-78B160393210} = C:\WINDOWS\system32\RhinoShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DataVizMenu
{1f0c0580-d3fa-11cf-92b8-0020afd3f438} = C:\Program Files\Conversions Plus\dvzext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{FED7043D-346A-414D-ACD7-550D052499A7}
= C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = c:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
= :
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : c:\Program Files\Norton AntiVirus\NavShExt.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : c:\Program Files\Norton AntiVirus\NavShExt.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
CamMonitor c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
HPHUPD05 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 C:\WINDOWS\System32\hphmon05.exe
KBD C:\HP\KBD\KBD.EXE
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
AutoTKit C:\hp\bin\AUTOTKIT.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
ccApp "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
LTMSG LTMSG.exe 7
PS2 C:\WINDOWS\system32\ps2.exe
Sunkist2k C:\Program Files\Multimedia Card Reader\shwicon2k.exe
MacLicense "C:\Program Files\Conversions Plus\MacLic.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
Logitech Utility Logi_MwX.Exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
Share-to-Web Namespace Daemon C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RunDLL32.exe NvMCTray.dll,NvTaskbarInit
AlcxMonitor ALCXMNTR.EXE
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
MaxtorOneTouch C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
MXOBG C:\Documents and Settings\Default\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
RetroExpress C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
lich lich.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RecordNow!
BackupNotify c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Backup Scheduler.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Backup Scheduler.lnk
backup C:\WINDOWS\pss\Iomega Backup Scheduler.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\IOMEGA~2\dtiom98.exe /sc
item Iomega Backup Scheduler
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Backup Scheduler.lnk
backup C:\WINDOWS\pss\Iomega Backup Scheduler.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\IOMEGA~2\dtiom98.exe /sc
item Iomega Backup Scheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk.disabled
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
backup C:\WINDOWS\pss\Iomega Icons.lnk.disabledCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
item Iomega Icons.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
backup C:\WINDOWS\pss\Iomega Icons.lnk.disabledCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
item Iomega Icons.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup C:\WINDOWS\pss\Iomega Startup Options.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\Tools\IMGSTART.EXE
item Iomega Startup Options
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
backup C:\WINDOWS\pss\Iomega Startup Options.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\Tools\IMGSTART.EXE
item Iomega Startup Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup C:\WINDOWS\pss\IomegaWare.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\IOMEGA~1\COMMAN~1.EXE /startup
item IomegaWare
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
backup C:\WINDOWS\pss\IomegaWare.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\IOMEGA~1\COMMAN~1.EXE /startup
item IomegaWare
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
item Quicken Scheduled Updates.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
item Quicken Scheduled Updates.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuikSync.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuikSync.lnk
backup C:\WINDOWS\pss\QuikSync.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\QuikSync\QUIKSYNC.EXE NoStartUp
item QuikSync
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuikSync.lnk
backup C:\WINDOWS\pss\QuikSync.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Iomega\QuikSync\QUIKSYNC.EXE NoStartUp
item QuikSync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools-1033
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/21/2006 9:03:04 PM
Hi,
Download KillBox , extract it to your desktop.
Download Hosts.zip file and save it in a convenient location.
Download CCleaner and install it. Run it, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.
Run HijackThis and click Do only a System scan.
Then put a check mark in front of the below listed entries:-
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Default\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [lich] lich.exe
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Exit from HijackThis and delete these two files:-
C:\WINDOWS\system32\drivers\etc\hosts.bak
C:\WINDOWS\system32\drivers\etc\hosts
Next, extract the Hosts.zip to the same folder where the old (deleted) Hosts file was present.
Now, open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight the entry in the quote box below and then Copy it.
C:\WINDOWS\system32\lich.exe
After this, right-click inside the "Full path of file to delete" textbox in KillBox and paste the copied filename. Then click the Red X button and, for the confirmation message that will appear, you will need to click "Yes". A second message will ask "Reboot now?"; you will need to click "Yes" to allow the reboot.
Note: Killbox will let you know if a file does not exist.
After the reboot, please post a new HijackThis log.
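The two entries picked out above share a pattern an analyst looks for in any HijackThis O4 list: a program launched from a Temp folder, or a bare filename like lich.exe with no directory at all (Windows then resolves it by a PATH search, so the log alone does not say which file actually runs). The script below is an added example, not part of this thread and not HijackThis's own code: it parses O4 lines, works out the executable each entry really starts (following rundll32 through to the DLL it loads), and flags the cases just described plus unquoted paths that contain spaces. The sample log is constructed from entries quoted in the thread, and the flagging rules are heuristics to prioritise what to look up, not a verdict on any file.

```python
"""Audit HijackThis O4 (Run-key autostart) entries for common red flags.

Added example, not part of the forum thread or of HijackThis itself.
SAMPLE_LOG is constructed from O4 lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$"
)
# First executable-looking token: a quoted path, or an unquoted prefix that
# ends in a program extension (this copes with unquoted paths containing spaces).
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|com|scr|bat|cmd|pif|vbs)))(?=\s|,|$)',
    re.IGNORECASE,
)
TEMP_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\", "\\windows\\temp\\")

FLAG_NO_DIR = "no directory: located by PATH search, real file unknown"
FLAG_TEMP = "starts from a temporary-files directory"
FLAG_UNQUOTED = "unquoted path containing spaces"

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Default\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
"""


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    target: str                      # executable (or DLL) that really runs
    flags: list = field(default_factory=list)


def first_executable(command: str) -> str:
    """Return the program token at the start of a Run-key command line."""
    command = command.strip()
    m = EXE_RE.match(command)
    if not m:
        return command.split()[0] if command else ""
    return m.group("quoted") or m.group("bare")


def effective_target(command: str) -> str:
    """Executable the entry starts; for a rundll32 host, the DLL it loads."""
    command = command.strip()
    exe = first_executable(command)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        consumed = len(exe) + 2 if command.startswith('"') else len(exe)
        rest = command[consumed:].strip()
        if rest:                      # "<dll>,<entry point>" -> keep the DLL part
            return first_executable(rest.split(",", 1)[0])
    return exe


def audit_entry(entry: O4Entry) -> None:
    """Attach heuristic flags; order is fixed so results are comparable."""
    target = entry.target
    if "\\" not in target:
        entry.flags.append(FLAG_NO_DIR)
    if any(d in target.lower() for d in TEMP_DIRS):
        entry.flags.append(FLAG_TEMP)
    if not entry.command.strip().startswith('"') and " " in target:
        entry.flags.append(FLAG_UNQUOTED)


def parse_o4(line: str):
    """Parse one HijackThis line; returns an O4Entry or None for non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("command")
    entry = O4Entry(m.group("hive"), m.group("key"), m.group("name"), cmd, effective_target(cmd))
    audit_entry(entry)
    return entry


def audit_log(text: str) -> list:
    return [e for e in map(parse_o4, text.splitlines()) if e is not None]


def flagged(text: str) -> dict:
    """Map entry name -> flags, for entries that raised at least one flag."""
    return {e.name: e.flags for e in audit_log(text) if e.flags}


if __name__ == "__main__":
    for entry in audit_log(SAMPLE_LOG):
        status = "; ".join(entry.flags) or "ok"
        print(f"[{entry.name}] {entry.target} -> {status}")
```

Run against the constructed sample, the report flags MXOBG (Temp folder, unquoted path with spaces), lich and AlcxMonitor (bare filenames) and NvMediaCenter's NvMCTray.dll (bare DLL name), while the fully-pathed or quoted entries pass. A bare-name flag only says the file must be located and identified before deciding anything; it is the starting point of the lookup the thread's helper did, not a replacement for it.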
Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:01:46 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\My Documents\Computer Files\Virus022006\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
The behavior (the creation of the dialer, the pop-up "Instant Access" and the disconnection) seems to have gone away...so far so good!
(I assumed, by the way, that ALL of the contents of the hosts.zip file had to be extracted to the ..drivers\etc\ folder, not just the hosts file, correct? There's a .bat file, and some text files in there too.)
Hi,
There's only one entry to be removed now. Run HijackThis and select the below mentioned entry:-
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
And click "Fix Checked".
Next, delete this file:-
C:\WINDOWS\ALCXMNTR.EXE
And, only the hosts file is important; the other files (ReadMe.txt, PrivacyPolicy.txt and mvps.bat, a batch file that can be used to automatically copy the Hosts file to the system32\drivers\etc\ folder) are not necessary. You can delete them. By the way, is Norton detecting anything?
Did the HJT, did the deletion. Internet seems to be running along great. I did notice when I deleted the .exe you mentioned, there were two other files next to it with the same icon called alcrmv.exe and alcupd.exe (the icons look like blue crabs.) Was the one I deleted a spoof of these files, or are they relatives of the ALCXMNTR?
Afterward, I did a scan with Norton, and here's what he found:
2/22/2006 7:22:23 PM,Virus scanner,Dialer.DialPlatform,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: DialerSource: C:\Documents and Settings\Parents\Local Settings\Temp\bnlncpmd.exe,Description: The file C:\Documents and Settings\Parents\Local Settings\Temp\bnlncpmd.exe is a Dialer threat."
2/22/2006 7:22:23 PM,Virus scanner,Dialer.DialPlatform,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: DialerSource: C:\Documents and Settings\Parents\Local Settings\Temp\kiojppmd.exe,Description: The file C:\Documents and Settings\Parents\Local Settings\Temp\kiojppmd.exe is a Dialer threat."
2/22/2006 7:22:23 PM,Virus scanner,Adware.Istbar,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: AdwareSource: C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\VSG8T1F2\init[1].js,Description: The file C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\VSG8T1F2\init[1].js is a Adware threat."
2/22/2006 7:22:23 PM,Virus scanner,Adware.IEPlugin,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: AdwareSource: C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\O12VKPIR\webplugin[1].cab,Description: The file C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\O12VKPIR\webplugin[1].cab is a Adware threat."
As you can see, I deleted the four files Norton found. Then, just to be thorough, I rebooted and did a scan of just the ..\Local Settings folders for all users, and it came out clean.
I knew going into this process it wasn't going to be easy, but wow!
Hi,
Glad to hear that everything's working fine :) Yes, the files alcrmv.exe, alcupd.exe are "relatives" of Alcxmntr.exe. Actually, all these files are related to RealTek Audio driver. But, Alcxmntr.exe is known to be a threat, and hence should be removed. But, the other two files are not "bad"!
And, please run CCleaner after Internet browsing or before shutting down the system, because Temp folders are a favourite spot for spyware programs. CCleaner cleans up all the Temp files.
If there's no problem, shall I mark the thread as "Solved"?