
Dear Moderator,

I am relatively new to the world of adware, malware and other such inventions consisting of malicious/annoying code, and it is a great relief for me to discover that there do exist those few individuals who are dedicated to both fighting it and assisting others to protect themselves from it. It is in all seriousness that I say I believe it is people like yourself (someone dedicated to assisting others in their time of need) who make the world a better place. I thank you in advance for any time and effort you expend in the process of assisting me, and I hope that my profuse thanks and whatever experience you may gain through assisting me are sufficient payment for your kindness.

My System Parameters are as follows: System = Windows XP Pro, Service Pack 1; Processor = Pentium 1.5 GHz; 512 MB of RAM.

These logs are all from scans that were performed after my computer was fixed using the following tools: Ad-Aware SE Personal, ewido security suite, WinsockxpFix.exe, Cleanup.exe, CWS Shredder, PCRescue Trial Version, hsremove.exe, Nailfix (nailfix.cmd/Process.exe) and an online scan: BitDefender Online.

'THIS IS A LAST RESORT'

My computer still performs relatively slowly, I receive popups, and I cannot use Internet Explorer directly [every time I try, I see the following in the status bar: (res://C:\WINNT\System32\shdoclc.dll/dnserror.htm)] (although I can browse the web through Microsoft Outlook). One or more virus detection programs have detected the presence of some sort of unwanted data/programs; I don't know what to remove or how to remove it without causing damage to my system.
I hope that these logs will be of some assistance.

Logs are listed in the following order and are relatively long: HJT log, ewido, Ad-Aware SE, and XOFTSPY.
(All scans were done in "safe mode".)

HJT Log:
[log]
Logfile of HijackThis v1.99.1
Scan saved at 12:06:03 AM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\nrarap.exe reg_run
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKLM\..\Run: [wiphadt] c:\winnt\system32\dlvxkqp.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4519/mcfscan.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe[/log]


ewido Log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           11:54:03 PM, 6/26/2005
+ Report-Checksum:      21DB64F0


+ Scan result:


No infected files found!



::Report End


NOTE: During the ewido scan I received the following errors: [heuristic rule error, ??, 38, 54, 135, 97, 151, 89, ??, 106, 12, and 146] (?? = numbers that I failed to record).
NOTE: Upon completion of the scan I attempted to refresh the Quarantine list, whereupon I received the following notification: (Exception: unknown error), and ewido immediately closed thereafter.



Ad-Aware SE Log:


[log]Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, June 27, 2005 12:08:41 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R51 21.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):46 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects



6-27-2005 12:08:41 AM - Scan started. (Custom mode)


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


#:1 [smss.exe]
ModuleName         : \SystemRoot\System32\smss.exe
Command Line       : n/a
ProcessID          : 180
ThreadCreationTime : 6-27-2005 2:44:02 AM
BasePriority       : Normal



#:2 [csrss.exe]
ModuleName         : \??\C:\WINNT\system32\csrss.exe
Command Line       : C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThre
ProcessID          : 228
ThreadCreationTime : 6-27-2005 2:44:14 AM
BasePriority       : Normal



#:3 [winlogon.exe]
ModuleName         : \??\C:\WINNT\system32\winlogon.exe
Command Line       : winlogon.exe
ProcessID          : 252
ThreadCreationTime : 6-27-2005 2:44:16 AM
BasePriority       : High



#:4 [services.exe]
ModuleName         : C:\WINNT\system32\services.exe
Command Line       : C:\WINNT\system32\services.exe
ProcessID          : 296
ThreadCreationTime : 6-27-2005 2:44:22 AM
BasePriority       : Normal
FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion     : 5.1.2600.0
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Services and Controller app
InternalName       : services.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : services.exe


#:5 [lsass.exe]
ModuleName         : C:\WINNT\system32\lsass.exe
Command Line       : C:\WINNT\system32\lsass.exe
ProcessID          : 308
ThreadCreationTime : 6-27-2005 2:44:22 AM
BasePriority       : Normal
FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion     : 5.1.2600.1106
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : LSA Shell (Export Version)
InternalName       : lsass.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : lsass.exe


#:6 [svchost.exe]
ModuleName         : C:\WINNT\system32\svchost.exe
Command Line       : C:\WINNT\system32\svchost -k rpcss
ProcessID          : 472
ThreadCreationTime : 6-27-2005 2:44:25 AM
BasePriority       : Normal
FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion     : 5.1.2600.0
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Generic Host Process for Win32 Services
InternalName       : svchost.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : svchost.exe


#:7 [svchost.exe]
ModuleName         : C:\WINNT\system32\svchost.exe
Command Line       : C:\WINNT\system32\svchost.exe -k netsvcs
ProcessID          : 496
ThreadCreationTime : 6-27-2005 2:44:25 AM
BasePriority       : Normal
FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion     : 5.1.2600.0
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Generic Host Process for Win32 Services
InternalName       : svchost.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : svchost.exe


#:8 [zcfgsvc.exe]
ModuleName         : C:\WINNT\system32\ZCfgSvc.exe
Command Line       : n/a
ProcessID          : 656
ThreadCreationTime : 6-27-2005 2:44:40 AM
BasePriority       : Normal
FileVersion        : 1, 0, 0, 1
ProductVersion     : 1, 0, 0, 1
ProductName        : ZeroCfgSvc Application
CompanyName        : Intel Corporation
FileDescription    : ZeroCfgSvc MFC Application
InternalName       : ZeroCfgSvc
LegalCopyright     : Copyright © 2002 - 2003 Intel Corporation
OriginalFilename   : ZeroCfgSvc.EXE


#:9 [explorer.exe]
ModuleName         : C:\WINNT\Explorer.EXE
Command Line       : C:\WINNT\Explorer.EXE
ProcessID          : 732
ThreadCreationTime : 6-27-2005 2:44:41 AM
BasePriority       : Normal
FileVersion        : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion     : 6.00.2800.1221
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Windows Explorer
InternalName       : explorer
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : EXPLORER.EXE


#:10 [notepad.exe]
ModuleName         : C:\WINNT\system32\NOTEPAD.EXE
Command Line       : C:\WINNT\system32\NOTEPAD.EXE C:\Documents and Settings\boe2206\Desktop\c.txt
ProcessID          : 1516
ThreadCreationTime : 6-27-2005 3:45:29 AM
BasePriority       : Normal
FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion     : 5.1.2600.0
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Notepad
InternalName       : Notepad
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : NOTEPAD.EXE


#:11 [notepad.exe]
ModuleName         : C:\WINNT\system32\NOTEPAD.EXE
Command Line       : C:\WINNT\system32\NOTEPAD.EXE C:\Program Files\hijackthis\hijackthis.log
ProcessID          : 1760
ThreadCreationTime : 6-27-2005 4:06:03 AM
BasePriority       : Normal
FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion     : 5.1.2600.0
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Notepad
InternalName       : Notepad
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : NOTEPAD.EXE


#:12 [ad-aware.exe]
ModuleName         : C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\Ad-Aware SE Personal\Ad-Aware.exe
Command Line       : "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID          : 1848
ThreadCreationTime : 6-27-2005 4:08:25 AM
BasePriority       : Normal
FileVersion        : 6.2.0.236
ProductVersion     : SE 106
ProductName        : Lavasoft Ad-Aware SE
CompanyName        : Lavasoft Sweden
FileDescription    : Ad-Aware SE Core application
InternalName       : Ad-Aware.exe
LegalCopyright     : Copyright © Lavasoft AB Sweden
OriginalFilename   : Ad-Aware.exe
Comments           : All Rights Reserved


Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


MRU List Object Recognized!
Location:          : C:\Documents and Settings\boe2206\Application Data\microsoft\office\recent
Description        : list of recently opened documents using microsoft office



MRU List Object Recognized!
Location:          : C:\Documents and Settings\boe2206\recent
Description        : list of recently opened documents



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description        : list of recently used files in adobe reader



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\direct3d\mostrecentapplication
Description        : most recent application to use microsoft direct3d



MRU List Object Recognized!
Location:          : software\microsoft\direct3d\mostrecentapplication
Description        : most recent application to use microsoft direct3d



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\direct3d\mostrecentapplication
Description        : most recent application to use microsoft direct X



MRU List Object Recognized!
Location:          : software\microsoft\direct3d\mostrecentapplication
Description        : most recent application to use microsoft direct X



MRU List Object Recognized!
Location:          : software\microsoft\directdraw\mostrecentapplication
Description        : most recent application to use microsoft directdraw



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\directinput\mostrecentapplication
Description        : most recent application to use microsoft directinput



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\directinput\mostrecentapplication
Description        : most recent application to use microsoft directinput



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\internet explorer
Description        : last download directory used in microsoft internet explorer



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\internet explorer\main
Description        : last save directory used in microsoft internet explorer



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\internet explorer\typedurls
Description        : list of recently entered addresses in microsoft internet explorer



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\mediaplayer\medialibraryui
Description        : last selected node in the microsoft windows media player media library



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\mediaplayer\player\recentfilelist
Description        : list of recently used files in microsoft windows media player



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\mediaplayer\player\settings
Description        : last open directory used in jasc paint shop pro



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\mediaplayer\preferences
Description        : last cd record path used in microsoft windows media player



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\mediaplayer\preferences
Description        : last playlist index loaded in microsoft windows media player



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\mediaplayer\preferences
Description        : last playlist loaded in microsoft windows media player



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\mediaplayer\preferences
Description        : last search path used in microsoft windows media player



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\microsoft management console\recent file list
Description        : list of recent snap-ins used in the microsoft management console



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\clip organizer\search\last query
Description        : last query in microsoft clip organizer



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\common\general
Description        : list of recently used symbols in microsoft office



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description        : list of recent pictured inserted in microsoft powerpoint



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description        : list of recent documents saved by microsoft powerpoint



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description        : list of recent documents opened by microsoft word



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description        : list of recent documents saved by microsoft word



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\common\search\last query
Description        : last query in microsoft office



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\excel\recent files
Description        : list of recent files used by microsoft excel



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\powerpoint\recent file list
Description        : list of recent files used by microsoft powerpoint



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\powerpoint\recent templates
Description        : list of recent templates used by microsoft powerpoint



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\powerpoint\recent typeface list
Description        : list of recently used typefaces in microsoft powerpoint



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\powerpoint\recenttemplatelist
Description        : list of recent templates used by microsoft powerpoint



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\office\10.0\word\recent templates
Description        : list of recent templates used by microsoft word



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\search assistant\acmru
Description        : list of recent search terms used with the search assistant



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\terminal server client\default
Description        : list of recent systems connected to using remote desktop / terminal services



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description        : list of recent programs opened



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description        : list of recently saved files, stored according to file extension



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\windows\currentversion\explorer\recentdocs
Description        : list of recent documents opened



MRU List Object Recognized!
Location:          : software\musicmatch
Description        : download location of the musicmatch installer



MRU List Object Recognized!
Location:          : software\musicmatch\musicmatch jukebox\4.0\fileconv
Description        : file conversion location settings in musicmatch jukebox



MRU List Object Recognized!
Location:          : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description        : information on the last station listened to using musicmatch radio



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\nico mak computing\winzip\filemenu
Description        : winzip recently used archives



MRU List Object Recognized!
Location:          : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description        : windows media sdk



MRU List Object Recognized!
Location:          : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description        : windows media sdk



MRU List Object Recognized!
Location:          : S-1-5-21-2785951302-267654794-1488859256-1011\software\microsoft\windows media\wmsdk\general
Description        : windows media sdk


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»



Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Deep scanning and examining files ( C: )
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46



Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 46



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


12:18:07 AM Scan Complete


Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:25.754
Objects scanned:101762
Objects identified:0
Objects ignored:0
New critical objects:0[/log]


XOFTSPY log:


[log]<?xml version = "1.0"?>
<Session START = "27 Jun 05 00:31:19" END = "27 Jun 05 00:31:19">
<Information Version = "4.13" DatabaseVersion = "94" DataBaseDate = "23 June 2005"/>
<Information OS = "Win XP"/>
<Information ServicePack = "Service Pack 1"/>
<Information WorkingDirectory = "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\xoftspy\"/>
<Information Option = "AdvSpyware Scan" State = "ON"/>
<Information Option = "Scan IE Favorites" State = "ON"/>
<Information Option = "Scan Host Files" State = "ON"/>
<Information Option = "Scan Drives" State = "ON"/>
<Information Option = "Do Not Scan Executables" State = "OFF"/>
<Information Option = "Scan Registry" State = "ON"/>
<Information Option = "Scan Active Processes" State = "ON"/>
<Information Option = "Automatic Database Update" State = "OFF"/>
<Information Option = "Automatic Program Update" State = "OFF"/>
<Information Option = "Automatic Removal" State = "OFF"/>
<Information Option = "Exit When Finished" State = "OFF"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/>
<Information Value = "ctfmon.exe" Data = "C:\WINNT\System32\ctfmon.exe" MD5 = "414de7cf9d3f19c3ea902f1bb38ec116" Path = ""/>
<Information Value = "MSMSGS" Data = ""C:\Program Files\Messenger\msmsgs.exe" /background" MD5 = "4f5a3d13650b26c9f140027f3878e194" Path = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "NoUpdateCheck" Data = ""/>
<Information Value = "NoJITSetup" Data = ""/>
<Information Value = "Disable Script Debugger" Data = "no"/>
<Information Value = "Show_ChannelBand" Data = "No"/>
<Information Value = "Anchor Underline" Data = "hover"/>
<Information Value = "Cache_Update_Frequency" Data = "Once_Per_Session"/>
<Information Value = "Display Inline Images" Data = "yes"/>
<Information Value = "Do404Search" Data = ""/>
<Information Value = "Local Page" Data = "C:\WINNT\System32\blank.htm"/>
<Information Value = "Save_Session_History_On_Exit" Data = "no"/>
<Information Value = "Show_FullURL" Data = "no"/>
<Information Value = "Show_StatusBar" Data = "yes"/>
<Information Value = "Show_ToolBar" Data = "yes"/>
<Information Value = "Show_URLinStatusBar" Data = "yes"/>
<Information Value = "Show_URLToolBar" Data = "yes"/>
<Information Value = "Start Page" Data = "http://www.msn.com"/>
<Information Value = "Use_DlgBox_Colors" Data = "yes"/>
<Information Value = "Search Page" Data = ""/>
<Information Value = "FullScreen" Data = "no"/>
<Information Value = "Window_Placement" Data = ","/>
<Information Value = "SmoothScroll" Data = ""/>
<Information Value = "Use FormSuggest" Data = "no"/>
<Information Value = "Error Dlg Displayed On Every Error" Data = "no"/>
<Information Value = "HistoryViewType" Data = ""/>
<Information Value = "HistoryTopNSitesView" Data = ""/>
<Information Value = "NotifyDownloadComplete" Data = "yes"/>
<Information Value = "AddToFavoritesExpanded" Data = ""/>
<Information Value = "FormSuggest PW Ask" Data = "no"/>
<Information Value = "Expand Alt Text" Data = "no"/>
<Information Value = "Move System Caret" Data = "no"/>
<Information Value = "NscSingleExpand" Data = ""/>
<Information Value = "NoWebJITSetup" Data = ""/>
<Information Value = "Page_Transitions" Data = ""/>
<Information Value = "FavIntelliMenus" Data = "no"/>
<Information Value = "Enable Browser Extensions" Data = "yes"/>
<Information Value = "UseThemes" Data = ""/>
<Information Value = "Force Offscreen Composition" Data = ""/>
<Information Value = "AllowWindowReuse" Data = ""/>
<Information Value = "Friendly http errors" Data = "no"/>
<Information Value = "ShowGoButton" Data = "yes"/>
<Information Value = "Enable AutoImageResize" Data = "yes"/>
<Information Value = "Enable_MyPics_Hoverbar" Data = "yes"/>
<Information Value = "Play_Animations" Data = "yes"/>
<Information Value = "Play_Background_Sounds" Data = "yes"/>
<Information Value = "Display Inline Videos" Data = "yes"/>
<Information Value = "Show image placeholders" Data = ""/>
<Information Value = "Print_Background" Data = "no"/>
<Information Value = "LastCheckedHi" Data = "yÅ"/>
<Information Value = "Save Directory" Data = "D:\3D-Animation\anima8or\Help\Tutorials\"/>
<Information Value = "AutoSearch" Data = ""/>
<Information Value = "Search Bar" Data = ""/>
<Information Value = "Check_Associations" Data = "yes"/>
<Information Value = "Use Search Asst" Data = "no"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "Default_Page_URL" Data = ""/>
<Information Value = "Default_Search_URL" Data = ""/>
<Information Value = "Search Page" Data = ""/>
<Information Value = "Enable_Disk_Cache" Data = "yes"/>
<Information Value = "Cache_Percent_of_Disk" Data = ""/>
<Information Value = "Delete_Temp_Files_On_Exit" Data = "yes"/>
<Information Value = "Local Page" Data = "%SystemRoot%\system32\blank.htm"/>
<Information Value = "Anchor_Visitation_Horizon" Data = ""/>
<Information Value = "Use_Async_DNS" Data = "yes"/>
<Information Value = "Placeholder_Width" Data = ""/>
<Information Value = "Placeholder_Height" Data = ""/>
<Information Value = "Start Page" Data = "http://www.msn.com"/>
<Information Value = "FullScreen" Data = "no"/>
<Information Value = "Search Bar" Data = ""/>
<Information Value = "Check_Associations" Data = "yes"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Search"/>
<Information Value = "SearchAssistant" Data = "http://ie.search.msn.com"/>
<Information Value = "CustomizeSearch" Data = "http://ie.search.msn.com"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/>
<Information Value = "ATIModeChange" Data = "Ati2mdxx.exe" MD5 = "fae95d6d7651b5629c4e19adbc9a3863" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "SynTPLpr" Data = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" MD5 = "c274b074cea7d9f5f67bd4629446d28f" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "SynTPEnh" Data = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" MD5 = "6e3b8a462eed8037343ff7b37e7b53ec" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "ATIPTA" Data = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" MD5 = "5af6c15a062a901065a160ac0eef5be9" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "Gateway Ink Monitor" Data = ""C:\Program Files\Gateway Utilities\GWInkMonitor.exe"" MD5 = "f95ed236795db5d70e0f36f208b78ac2" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "AdaptecDirectCD" Data = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" MD5 = "98b9c6e3225d94ab34e4d6a64f91f391" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "ccApp" Data = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" MD5 = "371d2fa0dfeb9767b3cc7cae1ab21a5a" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "vptray" Data = "C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" MD5 = "5972a3384ebceaeb99f4216e77ebed59" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "Microsoft Works Update Detection" Data = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" MD5 = "86577b9a2bef98e8121cd9262ea15eb6" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "CorelDRAW Graphics Suite 11b" Data = "D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN"/>
<Information Value = "QuickTime Task" Data = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" MD5 = "5d22b4258489575412f6d18affc847a2" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "checkrun" Data = "C:\winnt\system32\eliteckt32.exe" MD5 = "825b6e2f440cbff32e340ff0d59b66cc" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "KavSvc" Data = "C:\WINNT\System32\nrarap.exe reg_run"/>
<Information Value = "MessengerPlus3" Data = ""C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"" MD5 = "a995f7d9e1276d7c75a9c69d73073d25" Path = "C:\WINNT\system32\Ati2mdxx.exe"/>
<Information Value = "wiphadt" Data = "c:\winnt\system32\dlvxkqp.exe r"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SYSTEM\ControlSet001\Services\Winsock2\Parameters\Protocol_Catalog9"/>
<Information Value = "Num_Catalog_Entries" Data = ""/>
<Information Value = "Next_Catalog_Entry_ID" Data = ""/>
<Information Value = "Serial_Access_Num" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SYSTEM\ControlSet003\Services\Winsock2\Parameters\Protocol_Catalog9"/>
<Information Value = "Num_Catalog_Entries" Data = ""/>
<Information Value = "Next_Catalog_Entry_ID" Data = ""/>
<Information Value = "Serial_Access_Num" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "AppInit_DLLs" Data = "MsgPlusLoader.dll" MD5 = "63daccd8b53a98e9ef5353397c601a52" Path = "C:\WINNT\system32\MsgPlusLoader.dll"/>
<Information Value = "DeviceNotSelectedTimeout" Data = "15"/>
<Information Value = "GDIProcessHandleQuota" Data = "'"/>
<Information Value = "Spooler" Data = "yes"/>
<Information Value = "swapdisk" Data = ""/>
<Information Value = "TransmissionRetryTimeout" Data = "90"/>
<Information Value = "USERProcessHandleQuota" Data = "'"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "AppInit_DLLs" Data = "MsgPlusLoader.dll" MD5 = "63daccd8b53a98e9ef5353397c601a52" Path = "C:\WINNT\system32\MsgPlusLoader.dll"/>
<Information Value = "DeviceNotSelectedTimeout" Data = "15"/>
<Information Value = "GDIProcessHandleQuota" Data = "'"/>
<Information Value = "Spooler" Data = "yes"/>
<Information Value = "swapdisk" Data = ""/>
<Information Value = "TransmissionRetryTimeout" Data = "90"/>
<Information Value = "USERProcessHandleQuota" Data = "'"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"/>
<Information Value = "{438755C2-A8BA-11D1-B96B-00A0C90312E1}" Data = "Browseui preloader"/>
<Information Value = "{8C7461EF-2B13-11d2-BE35-3078302C2030}" Data = "Component Categories cache daemon"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Policies\System"/>
<Information Value = "dontdisplaylastusername" Data = ""/>
<Information Value = "caption" Data = "STATEMENT"/>
<Information Value = "text" Data = "This is a computer system. "/>
<Information Value = "shutdownwithoutlogon" Data = ""/>
<Information Value = "undockwithoutlogon" Data = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"/>
<Information Value = "rdssfnqv.exe" Data = "C:\WINNT\system\rdssfnqv.exe"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"/>
<Information Value = "PostBootReminder" Data = "{7849596a-48ea-486e-8937-a2a3009f31a9}"/>
<Information Value = "CDBurn" Data = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"/>
<Information Value = "WebCheck" Data = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"/>
<Information Value = "SysTray" Data = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "DebugOptions" Data = "2048"/>
<Information Value = "Documents" Data = ""/>
<Information Value = "DosPrint" Data = "no"/>
<Information Value = "load" Data = ""/>
<Information Value = "NetMessage" Data = "no"/>
<Information Value = "NullPort" Data = "None"/>
<Information Value = "Programs" Data = "com exe bat pif cmd"/>
<Information Value = "NetWarn" Data = "0"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\URLSearchHooks"/>
<Information Value = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" Data = ""/>
<Scanning TIME = "27 Jun 05 00:31:19">
<PROCESS NAME = "C:\WINNT\system32\services.exe" MD5 = "e3df4a0252d287c44606ee55355e1623"/>
<PROCESS NAME = "C:\WINNT\system32\lsass.exe" MD5 = "b2b6ba905d0e3f8a32a0eb3b4051807b"/>
<PROCESS NAME = "C:\WINNT\system32\svchost.exe" MD5 = "0f7d9c87b0ce1fa520473119752c6f79"/>
<PROCESS NAME = "C:\WINNT\system32\svchost.exe" MD5 = "0f7d9c87b0ce1fa520473119752c6f79"/>
<PROCESS NAME = "C:\WINNT\system32\ZCfgSvc.exe" MD5 = "2e95b5b6d2353d31734631f0865e135f"/>
<PROCESS NAME = "C:\WINNT\Explorer.EXE" MD5 = "a73bc66a95cf4f7b597fc8975778a889"/>
<PROCESS NAME = "C:\WINNT\system32\NOTEPAD.EXE" MD5 = "562a3b03546536307ac47fcb0ceadcde"/>
<PROCESS NAME = "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\xoftspy\XoftSpy.exe" MD5 = "25918fbf8f999df39b415caf4f7d4dde"/>
<ScanningRegKeys>
</SW>
<SW NAME = "AFAEnhance">
<REGKEYFOUND NAME = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
<REGKEY NAME = "AFAEnhance SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
</ScanningRegKeys>
<ScanningRegValues>
</SW>
<SW NAME = "EliteBar">
<REGVALUE VALUE = "EliteBar software\microsoft\windows\currentversion\run\checkrun"/>
<REGVALUEFOUND NAME = "software\microsoft\windows\currentversion\run\checkrun"/>
</ScanningRegValues>
<ScanningRegValuesChanged>
</ScanningRegValuesChanged>
<FILE PATH = "180Solutions C:\WINNT\salmbundle.exe"/>
<FILE PATH = "C:\WINNT\salmbundle.exe"/>
<FILE PATH = "EliteBar C:\WINNT\System32\eliteckt32.exe"/>
<FILE PATH = "C:\WINNT\System32\eliteckt32.exe"/>
<FILE PATH = "EliteBar C:\WINNT\System32\elitehxc32.exe"/>
<FILE PATH = "C:\WINNT\System32\elitehxc32.exe"/>
<FOLDER PATH = "BookedSpace C:\WINNT\bsx32"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASI2.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASI50.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASICLRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASICLV.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIEPRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIEZ.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIMBC.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIRCPRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASISS2RE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASISSRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPC.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPD.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPF.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFAM.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFI.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFIN.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPG.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPH.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPHL.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPJ.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPM.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPMTV.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPN.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPR.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPS.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPSHOP.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPSP.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPW.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\WEBS1.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\WEBS2.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ZNETGP.bsx"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml\categories"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml\images"/>
</Scanning>[/log]

P.S. If and when my computer is ever rid of viruses and other nasties, I would also like to request assistance in fixing my system, so that it performs with optimal functionality, i.e. repairing Registry Integrity, ActiveX\COM+ActiveX\COM subsections, Windows Shortcuts, if it is not too much to ask. :-|

:) -With Much Gratitude
Y. H.

Edited by happygeek: fixed formatting

3 Contributors, 22 Replies, 26 Views, 12 Years Discussion Span, Last Post by crunchie

fragmented_user.

Hi and welcome to Daniweb :).

First up, I cannot read that 'cos the text is too small :). Please just paste your log in normally on your next post.

Secondly, I need the hijackthis log to be done in normal mode as not all items will be listed.

Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.

C:\log.txt
C:\win.txt
C:\start.txt

-

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

To save some time, could you please have all the files that rkfiles finds uploaded for an online scan here;

http://virusscan.jotti.org/

Post the contents of C:\log.txt in your next reply.


Thank You Crunchie for such an immediate response; I greatly appreciate it. I performed all the tasks that you have required of me and listed all logs below including all originally posted logs (in increased font size :-| -sorry about the small size ) :)

These are the logs recorded succeeding the 'qoologic' scan

[log.txt]

C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\findqoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\d3dx9d_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\MRT.exe: (ASPack)
C:\WINNT\system32\MRT.exe: ASPack 1.61
C:\WINNT\system32\MRT.exe: ASPack 1.084
C:\WINNT\system32\MRT.exe: ASPack 1.083
C:\WINNT\system32\MRT.exe: ASPack 1.08.02b
C:\WINNT\system32\MRT.exe: ASPack 1.07b
C:\WINNT\system32\MRT.exe: ASPack 1.05b
C:\WINNT\system32\MRT.exe: ASPack 1.02
C:\WINNT\system32\MRT.exe: ASPACK

Files Found in all users startup Folder............
------------------------

[win.txt]

C:\WINNT\system32\d3dx9d_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\MRT.exe: (ASPack)
C:\WINNT\system32\MRT.exe: ASPack 1.61
C:\WINNT\system32\MRT.exe: ASPack 1.084
C:\WINNT\system32\MRT.exe: ASPack 1.083
C:\WINNT\system32\MRT.exe: ASPack 1.08.02b
C:\WINNT\system32\MRT.exe: ASPack 1.07b
C:\WINNT\system32\MRT.exe: ASPack 1.05b
C:\WINNT\system32\MRT.exe: ASPack 1.02
C:\WINNT\system32\MRT.exe: ASPACK

---------------------------------------------------------------------------------------------------------------------------------------------------

Below is the log recorded succeeding the 'rkfiles' scan, with the inserted 'jotti-virus scan' results marked with *

[win.txt]

C:\Program Files\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\gpbpbri.dll: UPX!
*Found Trojan-Downloader.Win32.Qoologic.q
C:\WINNT\system32\eliteckt32.exe: FSG!
*Found Trojan.Win32.StartPage.nk
C:\WINNT\system32\elitehxc32.exe: FSG!
*Found Trojan.Win32.StartPage.nk
C:\WINNT\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
*Found nothing
C:\WINNT\system32\DivX.dll: PEC2
*Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 9b76cfec2236efbd731b65155f24a7a0
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
Found nothing


Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

-----------------------------------End of Requested Scan Logs---------------------------------------

I am Posting most of the Previously posted logs in the following order: HJT Log, Ad-Aware SE, and XOFTSPY (All scans except for the 'HJT Log' were done in "safe mode")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
HJT Log:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:46:38 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\nrarap.exe reg_run
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKLM\..\Run: [wiphadt] c:\winnt\system32\dlvxkqp.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe


-------------------------------------------------------------------------------------------------------------------------------------------------------------------

I hope these help - Thank You for everything you're doing :)

-With Much Gratitude
Y. H.

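Both the Find_qoologic and rkfiles runs that crunchie asked for, and the results posted above, report files by the packer marker strings found inside them, and the logs themselves show why such a hit is a lead rather than a verdict: MRT.exe is listed for ASPack although it is a Microsoft tool, and the two d3dx9 DLLs are listed for "D3DXUVAtlasPack", an exported function name whose "asPack" substring only matches an "ASPack" search that ignores case. The script below is an added example, not the thread's own batch files and not code from any of the tools it names: it performs the same marker search over constructed sample files and shows how the case-sensitive and case-insensitive variants differ. The marker list is an assumption about what the batch files look for, inferred from the strings that appear in the posted logs; file names and contents are constructed.

```python
"""Scan a folder tree for executables carrying run-time packer markers.

Added example; not code from the thread and not the Find_qoologic or rkfiles
batch files it illustrates (those search Windows system folders for strings
such as "UPX!", "FSG!", "ASPack" and "PEC2"). The files written by
build_sample_tree() are constructed stand-ins carrying the same markers.
"""
import os
import re
import tempfile

# Marker string -> packer it indicates (assumed list, taken from the log hits).
PACKER_MARKERS = {
    b"UPX!": "UPX",
    b"FSG!": "FSG",
    b"ASPack": "ASPack",
    b"PEC2": "PECompact2",
}


def find_markers(data: bytes, case_sensitive: bool = True) -> list:
    """Return the packers whose marker occurs anywhere in `data`."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [name for marker, name in PACKER_MARKERS.items()
            if re.search(re.escape(marker), data, flags)]


def scan_tree(root: str, case_sensitive: bool = True,
              exts=(".exe", ".dll", ".sys")) -> dict:
    """Map each executable under `root` to the packer markers found in it."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(exts):
                continue  # only binaries, like the batch tools
            with open(os.path.join(dirpath, fn), "rb") as fh:
                hits = find_markers(fh.read(), case_sensitive)
            if hits:
                results[fn] = hits
    return results


def build_sample_tree() -> str:
    """Write constructed sample files mirroring the hits in the posted logs."""
    root = tempfile.mkdtemp(prefix="packscan_")
    pad = b"\x00" * 32
    samples = {
        "eliteckt32.exe": b"MZ" + pad + b"FSG!" + pad,           # FSG-packed
        "gpbpbri.dll": b"MZ" + pad + b"UPX!" + pad,              # UPX-packed
        "MRT.exe": b"MZ" + pad + b"ASPack 1.61" + pad,           # ASPack, legitimate tool
        "DivX.dll": b"MZ" + pad + b"PEC2" + pad,                 # PECompact2
        "d3dx9_25.dll": b"MZ" + pad + b"D3DXUVAtlasPack" + pad,  # export name, no packer
        "notepad.exe": b"MZ" + pad + b"unpacked" + pad,
        "readme.txt": b"UPX! inside a text file is not scanned",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("case-sensitive  :", scan_tree(root))
    print("case-insensitive:", scan_tree(root, case_sensitive=False))
```

Run case-sensitively, the scan reports only the four files that actually carry a marker; run case-insensitively it also reports d3dx9_25.dll, which is exactly the false positive in the qoologic log. Either way a hit says "packed", not "malicious": the packed files in this thread were sorted out by uploading them to Jotti, which is the step crunchie asked for.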

Download Killbox v2.0.0.175 and unzip the file to your Desktop and have it ready to use.

-

Save all the below files to a text document (notepad) to be used shortly.

C:\WINNT\system32\gpbpbri.dll
C:\WINNT\system32\eliteckt32.exe
C:\WINNT\system32\elitehxc32.exe
C:\WINNT\System32\nrarap.exe
c:\winnt\system32\dlvxkqp.exe

-

Reboot into safe mode following the instructions here.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\nrarap.exe reg_run
O4 - HKLM\..\Run: [wiphadt] c:\winnt\system32\dlvxkqp.exe r

Open the text file you saved previously and right click and drag your cursor over the files to highlight them and then use Control+C to copy them to the clipboard.
Open KILLBOX and go to File...."Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then checkmark the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

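crunchie's reply above pairs two kinds of cleanup: removing the O4 Run values with HijackThis and deleting the files they launch with Killbox on reboot. The script below is an added example, not crunchie's code and not code from HijackThis or Killbox: it parses the O4 lines from the HijackThis log posted earlier, recovers the executable each Run value starts (quoted or unquoted, with or without arguments) and flags the entries worth a second look, namely bare file names that are resolved through the search path, targets that are not present on disk, and unrecognised binaries living in a Windows system folder. The `exists` callback, the KNOWN_GOOD_NAMES set and the choice of which files are treated as absent are assumptions made for the demo, not facts from the thread.

```python
"""Triage HijackThis O4 (Run-key) entries.

Added example; not code from the thread, from HijackThis or from Killbox.
SAMPLE_LOG is copied from the HijackThis log posted above, the `exists`
callback stands in for a real on-disk check so the script runs on any
platform, and KNOWN_GOOD_NAMES is an assumption for the demo, not a vetted
whitelist.
"""
import re
from typing import Callable, Iterable, List, Optional, Tuple

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Unquoted command lines: the target is everything up to the first ".exe".
EXE_PREFIX_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

# Assumption: the only system-folder autoruns accepted without question here.
KNOWN_GOOD_NAMES = {"ctfmon.exe", "ati2mdxx.exe"}

SAMPLE_LOG = [  # copied from the HijackThis log in the thread
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN',
    r"O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe",
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\nrarap.exe reg_run",
    r"O4 - HKLM\..\Run: [wiphadt] c:\winnt\system32\dlvxkqp.exe r",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE",
]


def parse_o4(line: str) -> Optional[dict]:
    """Split one O4 Run-key line into hive, value name, command and target path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Global Startup and other O4 variants are not handled here
    cmd = m.group("cmd")
    if cmd.startswith('"'):
        target = cmd[1:cmd.index('"', 1)]
    else:
        em = EXE_PREFIX_RE.match(cmd)
        target = em.group(1) if em else cmd.split(" ", 1)[0]
    return {"hive": m.group("hive"), "name": m.group("name"),
            "cmd": cmd, "target": target}


def triage(lines: Iterable[str],
           exists: Callable[[str], bool]) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, target, reasons) for every entry that needs a look."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        target = entry["target"]
        low = target.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" not in target:
            # A bare name is resolved through the search path, so a file of the
            # same name earlier in that path would run instead of the intended one.
            reasons.append("bare filename resolved via search path")
        elif not exists(target):
            reasons.append("target not present on disk (orphaned entry or hidden file)")
        if ("\\system32\\" in low or "\\system\\" in low) and base not in KNOWN_GOOD_NAMES:
            reasons.append("unrecognised binary in a Windows system folder")
        if reasons:
            findings.append((entry["name"], target, reasons))
    return findings


# Constructed stand-in for os.path.exists: for the demo, the two Run-key
# targets with random-looking names are treated as absent from disk.
ABSENT_FOR_DEMO = {r"c:\winnt\system32\nrarap.exe", r"c:\winnt\system32\dlvxkqp.exe"}


def demo_exists(path: str) -> bool:
    return path.lower() not in ABSENT_FOR_DEMO


if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_LOG, demo_exists):
        print(f"[{name}] {target}: {'; '.join(reasons)}")
```

On the sample log this flags ATIModeChange (bare name), checkrun (unknown binary in system32) and KavSvc and wiphadt (unknown binaries whose targets are absent). A target that cannot be found is not proof the entry is harmless: either the file was already removed and the Run value is a leftover, or something is hiding it from the file APIs, which is why the Run values still get removed and a fresh log is requested afterwards.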

Dear Moderator Crunchie,

First off, I apologize for posting such a large quantity of info when you did not expressly request it. I simply was unsure of whether you needed it or not, and wanted to resolve the issue in as few posts as possible, which is why I posted them; just in case. :)

Secondly, I performed most of the actions that you required of me, the exception resulting because the file paths C:\WINNT\System32\nrarap.exe and c:\winnt\system32\dlvxkqp.exe are seemingly nonexistent (I checked the path both manually - explorer - and automatically - search - to no avail). I then performed a 'Xoftspy' scan and received notification of the following: :?:

<ScanningRegKeys>
</SW>
<SW NAME = "EliteBar">
<REGKEYFOUND NAME = "SOFTWARE\LQ"/>
<REGKEY NAME = "EliteBar SOFTWARE\LQ"/>
</SW>
<SW NAME = "AFAEnhance">
<REGKEYFOUND NAME = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
<REGKEY NAME = "AFAEnhance SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
</ScanningRegKeys>
<ScanningRegValues>
</SW>
<SW NAME = "EliteBar">
<REGVALUE VALUE = "EliteBar software\microsoft\windows\currentversion\run\checkrun"/>
<REGVALUEFOUND NAME = "software\microsoft\windows\currentversion\run\checkrun"/>
</ScanningRegValues>
<ScanningRegValuesChanged>
</ScanningRegValuesChanged>
<FILE PATH = "180Solutions C:\WINNT\salmbundle.exe"/>
<FILE PATH = "C:\WINNT\salmbundle.exe"/>
<FOLDER PATH = "BookedSpace C:\WINNT\bsx32"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASI2.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASI50.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASICLRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASICLV.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIEPRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIEZ.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIMBC.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIRCPRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASISS2RE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASISSRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPC.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPD.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPF.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFAM.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFI.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFIN.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPG.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPH.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPHL.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPJ.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPM.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPMTV.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPN.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPR.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPS.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPSHOP.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPSP.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPW.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\WEBS1.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\WEBS2.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ZNETGP.bsx"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml\categories"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml\images"/>
</Scanning>



Posted below is my new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:28 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

Oh, and one more thing: Internet Explorer still cannot open in its default window (only through Outlook), and there is a process or program named 'Sample' that repeatedly (though not constantly) refuses or is unable to close whenever I perform 'Windows Shutdown.' I must select 'end now' in order to have the computer shut down.

With Much Gratitude :)
-Y.H.

0

Getting somewhere now though.

===============

Run HiJackThis, click "Scan", then check (tick) the following, if present:


O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe


Now, with all windows closed (including Internet Explorer) except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\winnt\system32\eliteckt32.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

-

Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

0

Dear Moderator Crunchie,

Wow, thanks for that info; in fact, thanks for everything you're doing. I never really knew enough to check the validity of anti-spyware itself (who would've thought: first they write the spyware programs, then they produce false anti-spyware to make sure no one finds any of it :lol: ). Unfortunately, though, the following quote from the same site you posted confused me:

"Over the past few months, XoftSpy has taken aggressive steps to rein in its affiliates (who were primarily responsible for the unsavory advertising), revised its license text, and released a new version of XoftSpy (version 4.0) that addresses our concerns with false positives. Given these changes we can no longer regard XoftSpy as "rogue/suspect" anti-spyware."

Found in its original context at: http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note
listed under 'xoftspy note'

I can't blame you if you didn't see it; it was kinda hidden. :)
Nonetheless, could it be possible that the very fact it was ever regarded as "Rogue/Suspect" now classifies it as ineffective? (Just asking if that was your motive for declaring mistrust in XoftSpy, or did you just not see the note?) I am considering uninstalling XoftSpy, and I'd like to know if I should. :confused:

On account of what I saw, I deem there's a possibility you might develop trust in XoftSpy's free downloadable scanner, and so, in the event that does happen, I posted the results from the last XoftSpy scan I performed for you to consider: :?:

excerpt from XoftSpy '4.13' Log:

<ScanningRegKeys>
</SW>
<SW NAME = "EliteBar">
<REGKEYFOUND NAME = "SOFTWARE\LQ"/>
<REGKEY NAME = "EliteBar SOFTWARE\LQ"/>
</SW>
<SW NAME = "AFAEnhance">
<REGKEYFOUND NAME = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
<REGKEY NAME = "AFAEnhance SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>

In any event, I performed all the tasks you requested of me, except I did not find that one file you requested that I delete. However, I did find and delete the following folders: C:\WINNT\EliteToolBar, C:\WINNT\bsx32 and files: salmbundle.exe, bdoscandel.exe (I deleted the folders only AFTER I recorded the HJT Log you requested, posted below). Besides that, everything ran smoothly. The instructions you gave were great! :)

Logfile of HijackThis v1.99.1
Scan saved at 9:59:23 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

Oh, and one more thing: Internet Explorer still cannot open in its default window (only through Outlook), and there is a process or program named 'Sample' that repeatedly (though not constantly) refuses or is unable to close whenever I perform 'Windows Shutdown.' I must select 'end now' in order to have the computer shut down. I understand that there is a separate forum for web browsers. However, I am at this point inclined to think that my web browser's loss of functionality was caused by an infected program/process/registry key.

-With Much Gratitude
Y.H. :)
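As an added example (not code from this thread, from HijackThis or from Crunchie), the following Python script does mechanically what the helper did by eye between the two HJT logs above: it parses the "Oxx -" lines, diffs a before/after pair so the removed [checkrun] entry stands out, and flags O4 Run values that launch from the Windows directory. The two log excerpts and the KNOWN_GOOD allow-list are constructed for the example and modelled on the logs in this thread.

```python
"""Parse and diff HijackThis (HJT) logs of the kind posted in this thread."""
import re
from typing import Dict, Set, Tuple

# Constructed excerpt modelled on the 2:31 AM HJT log posted above (before the fix).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
"""
# Constructed "after" log: identical except that the [checkrun] entry was fixed with HJT.
LOG_AFTER = "\n".join(line for line in LOG_BEFORE.splitlines() if "[checkrun]" not in line)

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 Run-key entries look like: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Unquoted command line: the path ends at the first executable extension followed by space/end.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|sys|scr|cmd|bat))(?:\s|$)", re.IGNORECASE)

# Constructed (hypothetical) allow-list of Windows-directory startup values expected on this
# machine; on a real review you would build it from a known-clean baseline of the same OS.
KNOWN_GOOD = {"ctfmon.exe", "ati2mdxx.exe"}


def parse_hjt(log: str) -> Dict[str, Set[str]]:
    """Group the 'Oxx - ...' lines of an HJT log by section id (O4, O20, O23, ...)."""
    sections: Dict[str, Set[str]] = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections.setdefault(m.group(1), set()).add(m.group(2))
    return sections


def diff_hjt(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added) entries between two logs as full 'Oxx - ...' lines."""
    def flatten(sections: Dict[str, Set[str]]) -> Set[str]:
        return {f"{sec} - {entry}" for sec, entries in sections.items() for entry in entries}
    old, new = flatten(parse_hjt(before)), flatten(parse_hjt(after))
    return old - new, new - old


def executable_path(cmd: str) -> str:
    """Extract the launched file from an O4 command line, quoted or not, with or without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def run_entries(log: str) -> Dict[str, str]:
    """Map each O4 Run-key value name to the file it launches."""
    out: Dict[str, str] = {}
    for entry in parse_hjt(log).get("O4", set()):
        m = RUN_RE.match(entry)
        if m:
            out[m.group("name")] = executable_path(m.group("cmd"))
    return out


def in_windows_dir(path: str) -> bool:
    """True for files in the Windows tree, or bare names that are resolved via the system PATH."""
    p = path.lower()
    return "\\" not in p or "\\winnt\\" in p or "\\windows\\" in p


def review_candidates(log: str, known_good: Set[str] = KNOWN_GOOD) -> Set[str]:
    """Heuristic: Run values launching from the Windows directory that are not on the allow-list.

    Legitimate third-party software rarely drops its startup executable into the Windows
    directory, which is what made the [checkrun] entry in system32 stand out to the helper.
    """
    flagged: Set[str] = set()
    for name, path in run_entries(log).items():
        base = path.rsplit("\\", 1)[-1].lower()
        if base not in known_good and in_windows_dir(path):
            flagged.add(name)
    return flagged


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Entries gone after the fix:", *sorted(removed), sep="\n  ")
    print("Entries new after the fix:", sorted(added))
    print("Run values worth a second look (before):", sorted(review_candidates(LOG_BEFORE)))
```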

0

The reason I do not have any faith in Xoftspy is because of its history. I personally will not recommend it because of that :).

Did you try the Hoster?

Click here to download IEFIX and save it to your desktop. This will restore the MS default home and search pages. After it is downloaded, close all Internet Explorer windows and doubleclick on the file. When it asks if you want to merge to the registry say yes. Restart Internet Explorer and see how it is after that.

-

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

0

Dear Moderator Crunchie,

The reason I do not have any faith in Xoftspy is because of its history

Well, I can understand that then. Since that's the case, I guess I just haven't known about XoftSpy long enough to distrust them the way you do... but... you're a tech expert, so I'll just be smart and take your advice. :)
As for whether or not I tried Hoster, I definitely did. Not only does the program perform quickly and have an easy-to-use interface, but it also offered to perform a host of tasks that I never even knew I was able to perform. (If only I knew what they all did, lol) Thanks a bunch. :)

Unfortunately, though, the original problem [Internet Explorer still cannot connect in its default window (only through Outlook) and there is a process or program named 'Sample' that repeatedly (though not constantly) refuses or is unable to close whenever I perform 'Windows Shutdown.' I must select 'end now' in order to have the computer shut down.] still exists, so...

So here I am, and here is the log you requested (generated after I performed the IE registry fix). I sure hope there's hope for my computer. lol

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"rdssfnqv.exe" = "C:\WINNT\system\rdssfnqv.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINNT\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Gateway Ink Monitor" = ""C:\Program Files\Gateway Utilities\GWInkMonitor.exe"" ["Gateway"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" ["Symantec Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"CorelDRAW Graphics Suite 11b" = "D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"MessengerPlus3" = ""C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"" ["Patchou"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath   = ""C:\WINNT\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" [file not found]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Audiodev.dll" [MS]
"{C81DCBCA-8AE2-41FC-9C39-78B160393210}" = "RhinoShExt"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\RhinoShExt.dll" ["Robert McNeel & Associates"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\System32\NavLogon.dll" ["Symantec Corporation"]
INFECTION WARNING! Sebring\DLLName = "C:\WINNT\System32\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
qgkgkxnf\(Default) = "{3d699a55-6688-4b87-bbeb-49c32343e343}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\dcqcq.dll" [null data]
RhinoShExt\(Default) = "{C81DCBCA-8AE2-41FC-9C39-78B160393210}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\RhinoShExt.dll" ["Robert McNeel & Associates"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Convert\(Default) = "{9f95ca1a-e80e-4c0f-acd1-4c9b7900b982}"
  -> {CLSID}\InProcServer32\(Default) = "D:\DirectX9 Plugins\Utilities\Bin\x86\TxView.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
InventorMenu\(Default) = "{6FDE7A70-351B-11d6-988B-0010B57A8BB7}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\boe2206\My Documents\Mine!\Plug-ins\Flamingo\Inventor 9\Bin\DT.dll" ["Autodesk, Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\DCMALogo.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "ssmyst.scr" [MS]


Startup items in "boe2206" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 2" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:2" [MS]
"ISP signup reminder 3" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:3" [MS]
"Low Battery Alarm Program" -> WARNING -- The file "Low Battery Alarm Program.job" is corrupt! (no executable)
"XoftSpy" -> launches: "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\xoftspy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Adapter Switching, IntelRoam, "C:\Program Files\Intel\Switching\User\RoamSvc.exe" ["Intel Corporation"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"" [null data]
Client Service for NetWare, NWCWorkstation, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\nwwks.dll" [MS]}
ewido security suite control, ewido security suite control, "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
PrismXL, PrismXL, "C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS" ["Lanovation"]
RegSrvc, RegSrvc, "C:\WINNT\System32\RegSrvc.exe" ["Intel Corporation"]
RoamMgr, RoamMgr, "C:\WINNT\System32\RoamMgr.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\WINNT\System32\S24EvMon.exe" ["Intel Corporation "]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec SecurePort, SymSecurePort, ""C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINNT\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 127 seconds, including 18 seconds for message boxes)

P.S. I didn't know tech support worked on holidays and weekends. :) Well, whatever; if they enjoy it, and we both benefit, it's all good. How was your Independence Day? I hope you had a blast. lol

P.P.S. I just finished burning the fourteenth CD to my new set of Debian (Sarge) OS-CD Package CDs.
I can feel it coming now...the freedom flowing towards me in a gentle breeze...surrounding me in deepening waters of a -virus shredding and glitch ridding- purification.. It won't be long now.... it won't be long.

-With Much Gratitude
Y.H.:)

Edited by mike_2000_17: Fixed formatting

0

Will take a closer look when I arrive home from work. Looks like there may be a couple of things there to fix.

Please go here and have this file scanned. Post the results back here.

C:\WINNT\System32\dcqcq.dll

0

To: Moderator Crunchie

I did as you instructed and invoked the following error message:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

With Much Gratitude,
Y.H.

0

To: Moderator Crunchie

I tried the scan once more just to be certain, and received the following message:

Found: Trojan-Downloader.Win32.Qoologic.q

With Much Gratitude,
Y.H.

0

Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you have pasted the file path.

C:\WINNT\System32\dcqcq.dll

Reboot afterwards if the file is successfully deleted.

If the file is not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot.

-

Post a new hijackthis log when done.

I may be away for a couple of days, but one of the other guys should finish helping you :).

0

To: Moderator Crunchie

I'm sorry, I got caught up in something the last couple of days so I didn't get a chance to speak with any other tech that might have been told to help me in your absence, though I do greatly appreciate your consideration in assuring me that I would be aided in your absence :)

In any event, I saw something posted by you today, and consequently thought it was safe to assume that you have returned. I followed your instructions, used Killbox to successfully delete C:\WINNT\System32\dcqcq.dll, and I have posted my latest HJT log below.

-------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:14:41 AM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
-------------------------------------------------------------------------------------------

With Much Gratitude,
Y.H.
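
The log above is read by eye in the thread; the following is an added example, not a tool the helpers used, of how the same first-pass triage can be written down as code. It parses O4 (autostart), O20 (AppInit_DLLs / Winlogon Notify) and O23 (service) lines in the HijackThis format and raises the questions a helper asks first: is the program launched from a user profile, download or temp folder (as ewido and MsgPlus are in the log above), does a service have no recorded owner, is an autostart entry a bare filename resolved through PATH, and does the filename look like random letters (dcqcq.dll, the file removed earlier in the thread, fits that pattern). The sample lines are constructed for the example; `xqzvp.exe` is a made-up placeholder, the rest mirror entries from the posted log. The heuristics raise questions for a human, they are not verdicts.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Entry:
    kind: str    # "O4", "O20" or "O23"
    name: str    # Run value name, Winlogon Notify name or service name ("" for AppInit_DLLs)
    owner: str   # O23 owner column, "" for other kinds
    raw: str     # command exactly as written in the log
    path: str    # executable/DLL path extracted from raw


# Constructed sample in the thread's log format. xqzvp.exe is a placeholder
# invented for this example; the other lines mirror entries in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKLM\..\Run: [xqzvp] C:\WINNT\System32\xqzvp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Downloads\ewido\security suite\ewidoctrl.exe
"""

# One regex per line shape; O20 has two shapes (Winlogon Notify and AppInit_DLLs).
LINE_RES = [
    ("O4",  re.compile(r'^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<raw>.+)$')),
    ("O20", re.compile(r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<raw>.+)$')),
    ("O20", re.compile(r'^O20 - AppInit_DLLs: (?P<raw>.+)$')),
    ("O23", re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<raw>.+)$')),
]

# A quoted path, or an unquoted one cut at the first executable extension (drops arguments).
PATH_RE = re.compile(r'"([^"]+)"|(.*?\.(?:exe|dll|sys|cpl|scr|cmd|bat))', re.I)


def extract_path(raw: str) -> str:
    m = PATH_RE.match(raw.strip())
    return (m.group(1) or m.group(2)) if m else raw.strip()


def parse(log_text: str) -> list[Entry]:
    entries = []
    for line in log_text.splitlines():
        for kind, rx in LINE_RES:
            m = rx.match(line.strip())
            if m:
                g = m.groupdict()
                entries.append(Entry(kind, g.get("name", ""), g.get("owner", ""),
                                     g["raw"], extract_path(g["raw"])))
                break
    return entries


# Folder fragments where a legitimately installed service or autostart rarely lives.
USER_AREAS = ("\\documents and settings\\", "\\users\\", "\\downloads\\",
              "\\temp\\", "\\local settings\\")
VOWELS = re.compile(r"[aeiouy]")


def check(e: Entry) -> list[str]:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    low = e.path.lower()
    if any(area in low for area in USER_AREAS):
        reasons.append("launched from a user profile / download / temp folder")
    if e.kind == "O23" and e.owner.lower() == "unknown owner":
        reasons.append("service has no recorded owner; check the file's publisher")
    if e.kind == "O4" and "\\" not in e.path:
        reasons.append("bare filename resolved through PATH; confirm which copy runs")
    stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    # 5-8 lowercase letters with no vowel: the dcqcq.dll pattern. Some real system
    # files also look like this, so it is a question for the helper, not a verdict.
    if re.fullmatch(r"[a-z]{5,8}", stem) and not VOWELS.search(stem):
        reasons.append("filename looks like random letters")
    return reasons


def triage(log_text: str) -> list[tuple[Entry, list[str]]]:
    return [(e, r) for e in parse(log_text) if (r := check(e))]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.kind} [{entry.name or entry.path}] {entry.path}")
        for r in reasons:
            print("   -", r)
```

Run against a real log, the output is a shortlist to research, not a list of files to delete: each flagged item still has to be identified by its publisher and hash, the way the moderator had dcqcq.dll scanned before asking for it to be removed.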

0

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.
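
The temp-folder steps in the post above (empty the Windows and user Temp folders but keep the folders themselves, then hunt down stray *.tmp files) are done by hand through Explorer. As an added example, not part of crunchie's advice, the same cleanup written as a script, with the two behaviours that matter when doing it on a live machine: the folder itself survives, and a file that cannot be removed (in use, or no permission) is skipped and counted instead of aborting the run. To keep it safe to try anywhere it builds a throwaway stand-in tree in a temporary directory; the folder names under it are assumptions mirroring the XP layout named in the post.

```python
"""Temp-folder cleanup in the spirit of the steps above (added example, not from the thread)."""
from __future__ import annotations
import shutil
import tempfile
from pathlib import Path


def empty_folder(folder: Path, dry_run: bool = False) -> dict:
    """Remove everything inside `folder` but never the folder itself.
    Files that cannot be removed are skipped and counted, not fatal."""
    stats = {"files": 0, "dirs": 0, "skipped": 0}
    if not folder.is_dir():
        return stats
    for child in folder.iterdir():
        try:
            if child.is_dir() and not child.is_symlink():
                if not dry_run:
                    shutil.rmtree(child)
                stats["dirs"] += 1
            else:
                if not dry_run:
                    child.unlink()
                stats["files"] += 1
        except OSError:
            stats["skipped"] += 1   # open or protected: leave it, keep going
    return stats


def delete_tmp_files(root: Path, dry_run: bool = False) -> list[Path]:
    """The 'search for *.tmp and delete' step, walking all folders under root."""
    removed = []
    for p in root.rglob("*.tmp"):
        if p.is_file():
            try:
                if not dry_run:
                    p.unlink()
                removed.append(p)
            except OSError:
                pass
    return removed


def build_sample_tree(base: Path) -> dict:
    """Constructed stand-in for the XP temp folders named in the post."""
    windows_temp = base / "WINNT" / "Temp"
    user_temp = base / "Documents and Settings" / "username" / "Local Settings" / "Temp"
    stray_dir = base / "Documents and Settings" / "username" / "My Documents"
    for d in (windows_temp / "sub", user_temp, stray_dir):
        d.mkdir(parents=True)
    for f in ("setup.tmp", "install.log", "sub/part.dat"):
        (windows_temp / f).write_text("x")
    for f in ("~DF1.tmp", "cache.dat"):
        (user_temp / f).write_text("x")
    (stray_dir / "report.tmp").write_text("x")   # the kind the *.tmp search catches
    return {"windows_temp": windows_temp, "user_temp": user_temp}


def demo(dry_run: bool = False) -> dict:
    """Build the sample tree, run the cleanup, report what happened, tidy up."""
    base = Path(tempfile.mkdtemp(prefix="cleanup-demo-"))
    try:
        folders = build_sample_tree(base)
        result = {name: empty_folder(f, dry_run) for name, f in folders.items()}
        result["tmp_files_removed"] = len(delete_tmp_files(base, dry_run))
        result["folders_kept"] = all(f.is_dir() for f in folders.values())
        result["files_left"] = sum(1 for p in base.rglob("*") if p.is_file())
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("dry run :", demo(dry_run=True))
    print("for real:", demo())
```

On a real XP box the folders to pass in are the ones the post lists: C:\WINNT\Temp (or C:\Windows\temp), C:\temp if present, and C:\Documents and Settings\<username>\Local Settings\Temp. Run it with dry_run=True first, then for real only from an account that owns those folders.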

0

Dear Moderator Crunchie,

I thank you for all the time you took out of your schedule to aid me. I also thank you for the additional tips you have given me to prevent re-infection. There is one last question I would like to ask though (I hope I don't sound ungrateful; you've already done so much), and that is: where do you suggest that I should start a thread to help me regain functionality of Internet Explorer's main window (I can only start Explorer using Outlook)? I ask that question because I'm assuming that I posted my problem in the wrong forum. I'm new to online forums and I can't tell the difference so, please be so kind as to advise on what to do to solve my IE problem, or where to correctly re-post it.

Note: I've already tried to uninstall and reinstall, but I can't figure out how to uninstall and I'm not sure I'd be able to reinstall.

With Much Gratitude,
Y. H.

0

My apologies Y. H. I had completely overlooked that problem. Try this as well;


1) find the ie.inf file located in Windows\Inf folder.
2) Right click the ie.inf file and click Install on the context menu.
3) Reboot the computer when the file copy process is complete.

That's it :).

0

Dear, Crunchie

After the amount of time that I was not able to use the main IE window, I truly regard it as a miracle to see the IE status bar read:

Opening Page--->loading:Completed,

As can be easily fathomed, I am writing this post using IE, and reveling in it. (To the greatest extent that one may revel in IE :) lol ) And, in the spirit of goodness, if I ever come across someone with the same problem I have had, I will pass on to them the solution that you have provided me with.


I believe that every good technician would like to be aware of exactly how things run, in order that he or she might learn, whatever there is to learn, from every procedure. For that reason I am providing you with all the details of the prescribed procedure from start to finish:

1) I found the ie.inf file located in the (I have XP pro.) WINNT\Inf folder.
2) I Right clicked the ie.inf file and clicked Install on the context menu.
3) The file copy process completed.
4) I Received the following error message:
http://us.f3.yahoofs.com/users/428d72ecz223172b2/c063/__sr_/1783.jpg?phWIw1CB3XDm6yDN
5) I Left Clicked Cancel
6) I Rebooted the computer
7) Internet Explorer was resurrected from the dust (of my inf file).

To: Anybody who happens to read this post, days, weeks, or years from today:

If you have the same problem as me, and can't seem to solve it, follow Crunchie's directions as listed in the post above this one. Don't be afraid to try it; it worked for me, and it just might work for you.


To: Crunchie

I could thank you a million times, but then I'd just sound like a moron (never mind waste your time, and tire your ears).
So..... I guess I'll just thank you once.

Thank You Crunchie, You've been a great help. :)

Sincerely,
Joseph (a.k.a. Y.H.)

0

To: Moderator dlh6213

Thank you very much for the link you suggested; I found a lot of useful info, and a great program which may prove very useful in the near future. :)

Best Regards,
Y.H.

0

Thank You Crunchie, You've been a great help. :)

Sincerely,
Joseph (a.k.a. Y.H.)

Joseph. You are extremely welcome :). I love it when things go well :D.

0

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.