Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

01 - hosts keep returning

Started by auggust , Mar 05 2007 02:06 AM

  • This topic is locked This topic is locked
40 replies to this topic

#1 auggust

auggust

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 05 March 2007 - 02:06 AM

When running hijackthis I continually keep getting 01 - hosts ...... I remove them, reboot and when I surf they come back again .. depending how long between sessions I can have hundreds of 01 errors ..every website I go to shows up in the 01 error .. I have removed the hosts from the windows/sys32/drivers/ect and they just return in force .... have read everywhere but am stumped if anyone could please help me out ... thanx

Logfile of HijackThis v1.99.1
Scan saved at 3:07:57 AM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\TWEAKM~1\TMTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Football\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Fred\Application Data\Mozilla\Profiles\default\olcuyixv.slt\prefs.js)
O1 - Hosts: 216.77.188.41 home.bellsouth.net
O1 - Hosts: 209.40.97.64 ad2.m5-systems.com
O1 - Hosts: 159.54.226.224 www.tennessean.com
O1 - Hosts: 198.105.192.70 espn.go.com
O1 - Hosts: 198.105.192.66 sports.espn.go.com
O1 - Hosts: 208.68.59.11 ads.espn.adsonar.com
O1 - Hosts: 66.135.209.247 cgi.ebay.com
O1 - Hosts: 66.135.192.34 pages.motors.ebay.com
O1 - Hosts: 66.135.199.185 signin.ebay.com
O1 - Hosts: 66.135.214.177 contact.ebay.com
O1 - Hosts: 201.240.252.70 201.240.252.70
O1 - Hosts: 216.113.185.142 search.ebay.com
O1 - Hosts: 209.62.176.101 us.ebayobjects.com
O1 - Hosts: 69.147.72.43 pn1.adserver.yahoo.com
O1 - Hosts: 66.211.160.134 motors.search.ebay.com
O1 - Hosts: 84.53.144.134 pics.ebaystatic.com
O1 - Hosts: 72.32.5.117 www.break.com
O1 - Hosts: 64.237.103.151 rotator.adjuggler.com
O1 - Hosts: 68.142.72.177 info.break.com
O1 - Hosts: 72.32.5.116 my.break.com
O1 - Hosts: 68.142.72.181 media1.break.com
O1 - Hosts: 209.10.222.100 ad2.adecn.com
O1 - Hosts: 207.44.235.116 www.faqs.org
O1 - Hosts: 152.46.7.81 tldp.org
O1 - Hosts: 207.172.156.132 www.tux.org
O1 - Hosts: 64.246.26.120 linuxgazette.net
O1 - Hosts: 143.127.144.212 seer.support.veritas.com
O1 - Hosts: 209.132.176.177 mail.gnome.org
O1 - Hosts: 209.190.9.67 www.freeos.com
O1 - Hosts: 72.14.209.104 pagead2.googlesyndication.com
O1 - Hosts: 70.84.70.85 www.tomcoyote.org
O1 - Hosts: 209.85.5.16 www.adwarealert.com
O1 - Hosts: 208.101.7.150 www.majorgeeks.com
O1 - Hosts: 70.84.70.85 tomcoyote.org
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170805567156
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Edited by auggust, 05 March 2007 - 02:10 AM.

    Advertisements

Register to Remove

#2 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 05 March 2007 - 07:26 AM

You have removed hosts from windows/sys32/drivers/ect? Did you make a typo here and really mean C:\WINDOWS\system32\drivers\etc?

No Firewall Onboard

Also I do not see a firewall application installed. Perhaps you have a hardware firewall but a combination of both a software firewall and a hardware firewall is better. Just be sure there are no conflicts. Please do not rely solely on the Windows XP firewall. Using a software firewall other than the XP firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
Test your Firewall - Please test your firewall and make sure it is working properly.
Test Firewall

======
Hijackthis Start-up List/Uninstall list
  • Run HijackThis, click on Open the Misc Tools Section.
  • click on Open Uninstall Manager.
  • Click on Save List and save uninstall_list.txt to your Desktop.
  • Open this file in Notepad and copy/past the content in your reply.
  • Click back (the one located at the right side of the save list button)
  • Put a checkmark in List also minor sections and List empty sections.
  • Click on Generate StartupList log, anwser Yes
Copy/paste the uninstall_list.txt and the startuplist-log in your reply.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit.
  • Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti-spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

======
Hoster

Please download hoster.
  • Unzip Hoster.zip
  • Open Hoster.exe.
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
======
WinPFind
Please Download the following tools to assist us in removing this infection! Download WinPFind from http://www.bleepingc...es/winpfind.php
  • Right Click the Zip Folder and Select Extract All
  • Extract it somewhere you will remember like the Desktop
  • Don’t do anything with it yet!
Reboot.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

  • Doubleclick WinPFind.exe
  • Click on Configure Scan Options.
  • Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
  • Click Start Scan
    It will scan the entire System, so please be patient! This scan may take awhile
Once the Scan is Complete
  • Reboot your computer into normal mode.
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Copy the results from the WinPFind.txt file and post the results in your next reply.

Please post:
  • the uninstall_list.txt and the startuplist-log
  • AVG Anti-spyware log
  • WinPFind.txt
Your may need several replies to post the requested logs, otherwise they might get cut off.

Then please reboot and post a fresh hijackthis log. I want to see if the 01s come back.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 auggust

auggust

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 05 March 2007 - 06:47 PM

The link for winpfind.php does not work ... every search i did to dl the file took me to bleepingcomputer.com with same result when you clicked to dl it ...... not there

#4 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 05 March 2007 - 08:28 PM

I am sorry. Please go ahead and skip that step for now. Let me review the other logs and then decide what to do next.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#5 auggust

auggust

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 05 March 2007 - 10:40 PM

Checked all firewall settings u asked and all were ok


hijackthis startup

StartupList report, 3/5/2007, 6:33:05 PM
StartupList version: 1.52.2
Started from : C:\Football\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16414)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\TWEAKM~1\TMTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Football\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Fred\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
TweakMASTER = "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
TraySantaCruz = C:\WINDOWS\system32\tbctray.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WeatherWatcher = C:\Program Files\Weather Watcher\ww.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Skype add-on (mastermind) - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
(no name) - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
XoftSpySE.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://download.micr...heckControl.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.onec...lscbase9602.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.micros...b?1170805567156

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://javadl-esd.su...indows-i586.cab

[a-squared Scanner]
InProcServer32 = C:\WINDOWS\DOWNLO~1\asquared.ocx
CODEBASE = http://ax.emsisoft.com/asquared.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter: System32\DRIVERS\AN983.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG7 Resident Shield Service: C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Minifilter x86 Resident Driver: \SystemRoot\System32\Drivers\avgmfx86.sys (system)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
basic2: system32\DRIVERS\basic2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ICatch VI PC CAMERA: System32\Drivers\SPCA561.SYS (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
USB Storage Adapter ISD-X00 (DTP): system32\DRIVERS\DTPX00.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fallback: system32\DRIVERS\fallback.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Windows Presentation Foundation Font Cache 3.0.0.0: c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
Fsks: system32\DRIVERS\fsksnt.sys (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Santa Cruz Game Port: system32\DRIVERS\gameenum.sys (manual start)
USB Scroll Mouse Driver: system32\DRIVERS\gflmouhid.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
EHCI: System32\Drivers\hcdriver.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HSFHWBS2: System32\DRIVERS\HSFBS2S2.sys (manual start)
HSF_DP: System32\DRIVERS\HSFDPSP2.sys (manual start)
hsf_msft: System32\DRIVERS\HSF_MSFT.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
Windows CardSpace: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
K56: system32\DRIVERS\k56nt.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Linksys LNE100TX(v5) Fast Ethernet Adapter: system32\DRIVERS\LNE100V5.sys (manual start)
MaxBackServiceInt: "C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe" (disabled)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Maxtor OneTouch Security Driver: system32\DRIVERS\mxopswd.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net.Tcp Port Sharing Service: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (disabled)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rksample: system32\DRIVERS\rksample.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
SoftFax: system32\DRIVERS\faxnt.sys (autostart)
SpeakerPhone: system32\DRIVERS\spkpnt.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{00626841-6460-4B8E-959E-A47FB10C0050} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Santa Cruz Driver: system32\drivers\tbcspud.sys (manual start)
Santa Cruz WDM Driver: system32\drivers\tbcwdm.sys (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: system32\DRIVERS\tonesnt.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
Motorola USB Modem Driver for MPT XP: system32\DRIVERS\usbsermptxp.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
V124: system32\DRIVERS\v124nt.sys (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
VIA USB Host Controller Lower Filter: \SystemRoot\System32\Drivers\vulfnth.sys (manual start)
VIA USB Roothub Lower Filter: \SystemRoot\System32\Drivers\vulfntr.sys (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 35,401 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


hijack uninstall list:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
AdsGone Popup Killer Spyware Blocker by A1Tech.com
AIM 6.0
ALi USB2.0 Driver
Apple Software Update
ArcSoft PhotoImpression
Avanquest update
AVG 7.5
CCleaner (remove only)
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Dell ResourceCD
eFax Messenger 4.2
Google Earth
Google Updater
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
HP Imaging Device Functions 6.1
HP Photosmart Essential
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
i-Fun Viewer
J2SE Runtime Environment 5.0 Update 6
King Kong Capture
LiveUpdate 2.7 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Motorola Phone Tools
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
MUSICMATCH Jukebox
Netscape (7.0)
NoAd HOSTS file (remove only)
NVIDIA Drivers
Quicken 2007
QuickTime
RealPlayer
Santa Cruz
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SereneScreen Marine Aquarium 2.6
Skype 3.0
Skype add-on for IE
Skype Plugin Manager
SP TimeSync 2.1
Stock-Signal-Pro TM
System Requirements Lab
TurboTax Basic 2006
TurboTax ItsDeductible 2006
Turtle Beach Santa Cruz
TweakMASTER
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB931836)
USB Storage Adapter ISD-X00 (DTP)
Weather Watcher
WexTech AnswerWorks
Winamp (remove only)
Windows Communication Foundation
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
XoftSpySE
XTreme Files
Yahoo! Messenger
Zoner Photo Studio



OK as far as AVE goes I have the pay version of ave malware so those directions couldnt be followed but this is basically what you are looking for from that prog:

<rec time="2007/03/05 09:06:20" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">iavi:721-720;</attr>
</rec>
- <rec time="2007/03/05 18:57:21" user="Fred" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
- <rec time="2007/03/05 18:57:27" user="Fred" source="General">
<value>@HL_TestStopped</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
- <rec time="2007/03/05 19:01:07" user="Fred" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@2o7[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.2o7</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@adbrite[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Adbrite</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@adopt.euroclick[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Euroclick</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@advertising[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Advertising</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@anad.tacoda[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Tacoda</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@anat.tacoda[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Tacoda</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@atdmt[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Atdmt</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@bluestreak[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Bluestreak</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@c1.zedo[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Zedo</attr>
</rec>
- <rec time="2007/03/05 20:00:31" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@clickbank[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Clickbank</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@com[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Com</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@cpvfeed[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Cpvfeed</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@dealtime[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Dealtime</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@e-2dj6wjkyghczmap.stats.esomniture[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Esomniture</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@e-2dj6wjlygkcpkhp.stats.esomniture[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Esomniture</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@ehg-legacy.hitbox[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Hitbox</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@ehg-viacom.hitbox[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Hitbox</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@ge.112.2o7[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.2o7</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@hitbox[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Hitbox</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@leeenterprises.112.2o7[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.2o7</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@maxim.122.2o7[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.2o7</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@mcclatchy.112.2o7[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.2o7</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@msnportal.112.2o7[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.2o7</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@perf.overture[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Overture</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@revsci[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Revsci</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@rotator.adjuggler[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Adjuggler</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@stat.onestat[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Onestat</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@statcounter[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Statcounter</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@statse.webtrendslive[2].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Webtrendslive</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Fred\Cookies\fred@tacoda[1].txt</attr>
<attr name="type" />
<attr name="what">TrackingCookie.Tacoda</attr>
</rec>
- <rec time="2007/03/05 20:00:32" user="Fred" source="Virus">
<value>@HL_R

#6 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 06 March 2007 - 03:59 PM

Please use this link for the Winpfind
http://download.blee...er/winpfind.exe
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#7 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 06 March 2007 - 04:25 PM

Thank you for the information about the AVE Malware. It is difficult sometimes to tell what products one may have under one name.

I am looking forward to seeing the log from Winpfind. Also I was hoping to see another hijackthis log. One possibility is that some application may have a lock on the host file to prevent tampering or changes.

ZoneAlarm Pro includes an option (in the "Firewall" section, "Main" tab, "Advanced" button) to "Lock host file", which seems to give extremely effective protection to the HOSTS file.


Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#8 auggust

auggust

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 07 March 2007 - 01:54 AM

from WinPFind

WinPFind logfile created on: 3/6/2007 5:06:25 PM
WinPFind by OldTimer - v2.0.2 Folder = C:\music dl stuff\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 7.0.5730.11

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

523276 Kb Total Physical Memory | 209368 Kb Available Physical Memory | 40.01% Memory free
1277876 Kb Paging File | 914020 Kb Available in Paging File | 71.53% Paging File free
Paging file location: C:\pagefile.sys 768 1536

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39045980 Kb Total Space | 29513096 Kb Free Space | 75.59% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\music dl stuff\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Program Files\AdsGone\adsgone.exe (A1Tech, Inc.)
C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
C:\Program Files\Grisoft\AVG7\avgamsvr.exe (GRISOFT, s.r.o.)
C:\Program Files\Grisoft\AVG7\avgcc.exe (GRISOFT, s.r.o.)
C:\Program Files\Grisoft\AVG7\avgemc.exe (GRISOFT, s.r.o.)
C:\Program Files\Grisoft\AVG7\avgrssvc.exe (GRISOFT, s.r.o.)
C:\Program Files\Grisoft\AVG7\avgrssvc.exe (GRISOFT, s.r.o.)
C:\Program Files\Grisoft\AVG7\avgupsvc.exe (GRISOFT, s.r.o.)
C:\Program Files\KH Blocker\khb.exe ()
C:\Program Files\TweakMASTER\TMTray.exe (Hagel Technologies Ltd)
C:\Program Files\Weather Watcher\ww.exe (Singer's Creations)
C:\WINDOWS\system32\HPZipm12.exe (HP)
C:\WINDOWS\system32\tbctray.exe (Voyetra Turtle Beach, Inc.)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running]
= C:\Program Files\Grisoft\AVG7\avgamsvr.exe (GRISOFT, s.r.o.)

(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running]
= C:\Program Files\Grisoft\AVG7\avgupsvc.exe (GRISOFT, s.r.o.)

(AvgCoreSvc) AVG7 Resident Shield Service [Win32_Own | Auto | Running]
= C:\Program Files\Grisoft\AVG7\avgrssvc.exe (GRISOFT, s.r.o.)

(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running]
= C:\Program Files\Grisoft\AVG7\avgemc.exe (GRISOFT, s.r.o.)

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped]
= (File not found)

(MaxBackServiceInt) MaxBackServiceInt [Win32_Own | Disabled | Stopped]
= C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (File not found)

(NVSvc) NVIDIA Display Driver Service [Win32_Own | Disabled | Stopped]
= C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Unknown | Running]
= (File not found)

»»»»»»»»»»»»»»»»»»»» Driver Services (Non-Microsoft) »»»»»»»»»»

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped]
= (File not found)

(abp480n5) abp480n5 [Kernel | Disabled | Stopped]
= (File not found)

(adpu160m) adpu160m [Kernel | Disabled | Stopped]
= (File not found)

(Aha154x) Aha154x [Kernel | Disabled | Stopped]
= (File not found)

(aic78u2) aic78u2 [Kernel | Disabled | Stopped]
= (File not found)

(aic78xx) aic78xx [Kernel | Disabled | Stopped]
= (File not found)

(AliIde) AliIde [Kernel | Disabled | Stopped]
= (File not found)

(amsint) amsint [Kernel | Disabled | Stopped]
= (File not found)

(AN983) ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\an983.sys (ADMtek Incorporated.)

(asc) asc [Kernel | Disabled | Stopped]
= (File not found)

(asc3350p) asc3350p [Kernel | Disabled | Stopped]
= (File not found)

(asc3550) asc3550 [Kernel | Disabled | Stopped]
= (File not found)

(Atdisk) Atdisk [Kernel | Disabled | Stopped]
= (File not found)

(AvgClean) AVG7 Clean Driver [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\avgclean.sys (GRISOFT, s.r.o.)

(AvgMfx86) AVG Minifilter x86 Resident Driver [File_System | System | Running]
= C:\WINDOWS\system32\drivers\avgmfx86.sys (GRISOFT, s.r.o.)

(AvgTdi) AVG Network Redirector [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\avgtdi.sys (GRISOFT, s.r.o.)

(basic2) basic2 [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\basic2.sys (Conexant Systems)

(CA561) ICatch VI PC CAMERA [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\SPCA561.SYS (SP)

(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped]
= (File not found)

(Changer) Changer [Kernel | System | Stopped]
= (File not found)

(CmdIde) CmdIde [Kernel | Disabled | Stopped]
= (File not found)

(Cpqarray) Cpqarray [Kernel | Disabled | Stopped]
= (File not found)

(cvintdrv) cvintdrv [Kernel | Auto | Running]
= C:\WINDOWS\System32\drivers\cvintdrv.sys ()

(dac960nt) dac960nt [Kernel | Disabled | Stopped]
= (File not found)

(dmboot) dmboot [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmboot.sys (Microsoft Corp., Veritas Software)

(dmio) dmio [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmio.sys (Microsoft Corp., Veritas Software)

(dmload) dmload [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmload.sys (Microsoft Corp., Veritas Software.)

(dpti2o) dpti2o [Kernel | Disabled | Stopped]
= (File not found)

(DTPX00) USB Storage Adapter ISD-X00 (DTP) [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\DTPX00.SYS (Cypress Semiconductor)

(Fallback) Fallback [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\fallback.sys (Conexant Systems)

(Fsks) Fsks [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\fsksnt.sys (Conexant Systems)

(genmcmnUSB) USB Scroll Mouse Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\gflmouhid.sys ()

(hcdriver) EHCI [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\hcdriver.sys (Intel Corporation)

(hpn) hpn [Kernel | Disabled | Stopped]
= (File not found)

(hpt3xx) hpt3xx [Kernel | Disabled | Stopped]
= (File not found)

(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\HPZid412.sys (HP)

(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\HPZipr12.sys (HP)

(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\HPZius12.sys (HP)

(HSFHWBS2) HSFHWBS2 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\hsfbs2s2.sys (Conexant Systems, Inc.)

(HSF_DP) HSF_DP [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\hsfdpsp2.sys (Conexant Systems, Inc.)

(hsf_msft) hsf_msft [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\HSF_MSFT.sys (Conexant)

(i2omgmt) i2omgmt [Kernel | System | Stopped]
= (File not found)

(i2omp) i2omp [Kernel | Disabled | Stopped]
= (File not found)

(ini910u) ini910u [Kernel | Disabled | Stopped]
= (File not found)

(K56) K56 [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\k56nt.sys (Conexant Systems)

(lbrtfdc) lbrtfdc [Kernel | System | Stopped]
= (File not found)

(LNE100) Linksys LNE100TX(v5) Fast Ethernet Adapter [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\lne100v5.sys (LinkSys Group Inc.)

(mdmxsdk) mdmxsdk [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)

(mraid35x) mraid35x [Kernel | Disabled | Stopped]
= (File not found)

(MXOPSWD) Maxtor OneTouch Security Driver [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\mxopswd.sys (Maxtor Corp.)

(nv) nv [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

(OMCI) OMCI [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)

(PCIDump) PCIDump [Kernel | System | Stopped]
= (File not found)

(PCIIde) PCIIde [Kernel | Disabled | Stopped]
= (File not found)

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped]
= (File not found)

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(PDRELI) PDRELI [Kernel | On_Demand | Stopped]
= (File not found)

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(perc2) perc2 [Kernel | Disabled | Stopped]
= (File not found)

(perc2hib) perc2hib [Kernel | Disabled | Stopped]
= (File not found)

(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

(PxHelp20) PxHelp20 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\PxHelp20.sys (Sonic Solutions)

(ql1080) ql1080 [Kernel | Disabled | Stopped]
= (File not found)

(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped]
= (File not found)

(ql12160) ql12160 [Kernel | Disabled | Stopped]
= (File not found)

(ql1240) ql1240 [Kernel | Disabled | Stopped]
= (File not found)

(ql1280) ql1280 [Kernel | Disabled | Stopped]
= (File not found)

(Rksample) Rksample [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\rksample.sys (Conexant Systems)

(Secdrv) Secdrv [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\secdrv.sys ()

(Simbad) Simbad [Kernel | Disabled | Stopped]
= (File not found)

(SoftFax) SoftFax [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\faxnt.sys (Conexant Systems)

(Sparrow) Sparrow [Kernel | Disabled | Stopped]
= (File not found)

(SpeakerPhone) SpeakerPhone [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\spkpnt.sys (Conexant Systems)

(symc810) symc810 [Kernel | Disabled | Stopped]
= (File not found)

(symc8xx) symc8xx [Kernel | Disabled | Stopped]
= (File not found)

(sym_hi) sym_hi [Kernel | Disabled | Stopped]
= (File not found)

(sym_u3) sym_u3 [Kernel | Disabled | Stopped]
= (File not found)

(tbcspud) Santa Cruz Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\tbcspud.sys (Voyetra Turtle Beach)

(tbcwdm) Santa Cruz WDM Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\tbcwdm.sys (Voyetra Turtle Beach)

(Tones) Tones [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\tonesnt.sys (Conexant Systems)

(TosIde) TosIde [Kernel | Disabled | Stopped]
= (File not found)

(ultra) ultra [Kernel | Disabled | Stopped]
= (File not found)

(V124) V124 [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\v124nt.sys (Conexant Systems)

(ViaIde) ViaIde [Kernel | Disabled | Stopped]
= (File not found)

(vulfnths) VIA USB Host Controller Lower Filter [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\vulfnth.sys (VIA Technologies, Inc.)

(vulfntrs) VIA USB Roothub Lower Filter [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\vulfntr.sys (VIA Technologies, Inc.)

(WDICA) WDICA [Kernel | On_Demand | Stopped]
= (File not found)

(winachsf) winachsf [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\hsf_cnxt.sys (Conexant Systems)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG7_CC = C:\Program Files\Grisoft\AVG7\avgcc.exe (GRISOFT, s.r.o.)
KH Blocker = C:\Program Files\KH Blocker\khb.exe ()
NvMediaCenter = C:\WINDOWS\system32\nvmctray.dll (NVIDIA Corporation)
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
TraySantaCruz = C:\WINDOWS\system32\tbctray.exe (Voyetra Turtle Beach, Inc.)
TweakMASTER = C:\Program Files\TweakMASTER\TMTray.exe (Hagel Technologies Ltd)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WeatherWatcher = C:\Program Files\Weather Watcher\ww.exe (Singer's Creations)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AdsGone 2006.lnk
= C:\Program Files\AdsGone\adsgone.exe (A1Tech, Inc.)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

< User Startup Folder = C:\Documents and Settings\Fred\Start Menu\Programs\Startup >
C:\Documents and Settings\Fred\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
WMPNetworkSvc = 3
Pml Driver HPZ12 = 2
NVSvc = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk (File not found)
backup = C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk (File not found)
location = Common Startup
command = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
item = Adobe Reader Speed Launch

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoolMax XTreme.lnk]
path = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoolMax XTreme.lnk (File not found)
backup = C:\WINDOWS\pss\CoolMax XTreme.lnk (File not found)
location = Common Startup
command = C:\Program Files\XTreme\XTreme.exe (CoolMax)
item = CoolMax XTreme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]
path = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.2.lnk (File not found)
backup = C:\WINDOWS\pss\eFax 4.2.l (File not found)
location = Common Startup
command = C:\Program Files\eFax Messenger 4.2\J2GTray.exe (j2 Global Communications, Inc.)
item = eFax 4.2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk (File not found)
backup = C:\WINDOWS\pss\Google Updater.lnk (File not found)
location = Common Startup
command = C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google)
item = Google Updater

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk (File not found)
backup = C:\WINDOWS\pss\HP Digital Imaging Monitor.lnk (File not found)
location = Common Startup
command = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
item = HP Digital Imaging Monitor

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk (File not found)
backup = C:\WINDOWS\pss\Microsoft Office.lnk (File not found)
location = Common Startup
item = Microsoft Office

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk (File not found)
backup = C:\WINDOWS\pss\ymetray.lnk (File not found)
location = Common Startup
item = ymetray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Fred^Start Menu^Programs^Startup^AdsGone.lnk]
path = C:\Documents and Settings\Fred\Start Menu\Programs\Startup\AdsGone.lnk (File not found)
backup = C:\WINDOWS\pss\AdsGone.lnk (File not found)
location = Startup
command = C:\Program Files\AdsGone\adsgone.exe (A1Tech, Inc.)
item = AdsGone

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item =
hkey = HKLM
command =
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aim6]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item =
hkey = HKCU
command =
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DTPBG]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\DTPBG.EXE (Cypress Semiconductor)
hkey = HKLM
command = C:\WINDOWS\DTPBG.EXE (Cypress Semiconductor)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eFax 4.2]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = J2GDllCmd
hkey = HKLM
command = C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe (j2 Global Communications, Inc.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FreeRAM XP]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = FreeRAM XP Pro
hkey = HKCU
command = C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = HPWuSchd2
hkey = HKLM
command = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Development Company, L.P.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KingKongCapture]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = KingKongCapture
hkey = HKLM
command = C:\Program Files\King Kong Software\King Kong Capture\KingKongCapture.exe (King Kong Software)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LanguageShortcut]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = Language
hkey = HKLM
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MaxtorOneTouch]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = Onetouch
hkey = HKLM
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = mm_tray
hkey = HKLM
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mozilla Quick Launch]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = Netscp
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = msmsgs
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mxomssmenu]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = maxmenumgr
hkey = HKLM
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\nwiz.exe ()
hkey = HKLM
command = C:\WINDOWS\system32\nwiz.exe ()
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = qttask
hkey = HKLM
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = PDVDServ
hkey = HKLM
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RoboForm]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = RoboTaskBarIcon
hkey = HKCU
command = C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SP TimeSync]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = SP TimeSync
hkey = HKCU
command = C:\Program Files\SP TimeSync 2.1\SP TimeSync.exe ()
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = jusched
hkey = HKLM
command = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VoSKY IPW]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = UVS6000
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VoSKY IPW Bootup]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = UDR6000
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VoSKY IPW BootupB]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = UDR6000B
hkey = HKCU
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = YAHOOM~1
hkey = HKCU
command = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
system.ini = 1
win.ini = 2
bootini = 0
services = 2
startup = 2

>>>>> Disabled Startup Folder Items <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe C:\WINDOWS\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -> "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -> "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -> "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
StubPath = C:\WINDOWS\system32\ieudinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<




>>>>> Security Providers <<<<<

>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
Control_RunDLL (File not found)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgwlntf]
DllName = C:\WINDOWS\system32\avgwlntf.dll (GRISOFT, s.r.o.)

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments]
ScanWithAntiVirus = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
DisableRegistryTools = 0

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]*

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = My Current Home Page
Source = About:Home
SubscribedURL = About:Home

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 568924 bytes | Modified Date: 3/6/2007 4:58:50 PM)

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.yahoo.com/
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://home.bellsouth.net/
Start Page = http://home.bellsouth.net/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn...st/srchcust.htm
SearchAssistant = http://ie.search.msn...st/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Local Page = C:\WINDOWS\system32\blank.htm
Search Page = http://www.google.com/
Start Page = http://home.bellsouth.net/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com]
https

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- Adobe PDF Reader Link Helper ( HKLM = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
- Skype add-on (mastermind) ( HKLM = C:\Program Files\Skype\Phone\IEPlugin\SkypeIEPlugin.dll (Skype Technologies S.A.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
- Reg Data - Value does not exist ( HKLM = C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll (Siber Systems) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C}]
- TweakMASTER Component ( HKLM = C:\Program Files\TweakMASTER\TweakBHO.dll (Hagel Technologies Ltd) )

>>>>> Bars, Toolbars and Extensions <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}]
- Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm ( HKLM = C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll (Siber Systems) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{724D43A0-0D85-11D4-9908-00400523E39A} - &RoboForm ( HKLM = C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll (Siber Systems) )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8192 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8193

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Customize Menu &4]
@ = C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Fill Forms &]]
@ = C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.htm (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Save Forms &[]
@ = C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.htm (File not found)

>>>>> Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00020000-0000-1011-8004-0000C06B5161} = WIBU-SYSTEMS Shell Extension ( CLSID not found! )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{1CDB2949-8F65-4355-8456-263E7C208A5D} = Desktop Explorer ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} = Desktop Explorer Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} = nView Desktop Context Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{32683183-48a0-441b-a342-7c2a440a9478} = Media Band ( CLSID not found! )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( CLSID not found! )
{6ff26905-5466-4722-a301-08e22f780280} = HotShellExt ( HKLM = C:\Program Files\eFax Messenger 4.2\J2GShell.dll (j2 Global Communications, Inc.) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = AVG7 Shell Extension Class ( HKLM = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.) )
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} = AVG7 Find Extension Class ( HKLM = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.) )
{A70C977A-BF00-412C-90B7-034C51DA2439} = DesktopContext Class ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = RealOne Player Context Menu Class ( HKLM = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.) )
{FFB699E0-306A-11d3-8BD1-00104B6F7516} = NVIDIA CPL Extension ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} = Web Folders ( HKLM = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL () )

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@ = {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ( HKLM = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\HotShellExt_40]
@ = {6FF26905-5466-4722-A301-08E22F780280} ( HKLM = C:\Program Files\eFax Messenger 4.2\J2GShell.dll (j2 Global Communications, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ZONERMenu]
@ = {BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B} ( HKLM = C:\Program Files\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL (ZONER software) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\ZONERMenu]
@ = {BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B} ( HKLM = C:\Program Files\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL (ZONER software) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\00nView]
@ = {1E9B04FB-F9E5-4718-997B-B8DA88302A48} ( HKLM = C:\WINDOWS\system32\nvshell.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\NvCplDesktopContext]
@ = {A70C977A-BF00-412C-90B7-034C51DA2439} ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@ = {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ( HKLM = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\ZONERMenu]
@ = {BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B} ( HKLM = C:\Program Files\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL (ZONER software) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

>>>>> User Agent Post Platform <<<<<

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{117202F4-4C86-48D6-9D3B-C399FD887E3E}] ( Linksys LNE100TX(v5) Fast Ethernet Adapter )
DefaultGateway =
DhcpDefaultGateway = 192.168.0.1;
DhcpIPAddress = 192.168.0.2
DhcpNameServer = 192.168.0.1
DhcpServer = 192.168.0.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9523EFA2-C553-4850-8DCB-17CB3175B6C3}]
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Protocol Handlers <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ic32pp]
CLSID = {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - ( HKLM C:\WINDOWS\wc98pp.dll () )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com]
CLSID = {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - ( HKLM C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) )

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation]
CODEBASE = http://download.micr...heckControl.cab
INF = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\DownloadInformation]
CODEBASE = http://cdn.scan.onec...lscbase9602.cab
INF = C:\WINDOWS\Downloaded Program Files\wlscBase.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\DownloadInformation]
CODEBASE = http://update.micros...b?1170805567156
INF = C:\WINDOWS\Downloaded Program Files\wuweb.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://javadl-esd.su...indows-i586.cab
INF = C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_06.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BB21F850-63F4-4EC9-BF9D-565BD30C9AE9}\DownloadInformation]
CODEBASE = http://ax.emsisoft.com/asquared.cab

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://fpdownload.ma...ash/swflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

»»»»»»»»»»»»»»»»»»»» Files Created Within 90 Days »»»»»»»»»»»»»

C:\avg7qt(2).dat [Ver = | Size = 12479986 bytes | Created Date = 1/14/2007 4:02:44 AM | Attr = ]
C:\Documents and Settings\All Users\Application Data\jgalt.ayn [Ver = | Size = 13 bytes | Created Date = 1/16/2007 4:52:30 PM | Attr = H ]
C:\Documents and Settings\Fred\Application Data\Notification.dll [Ver = | Size = 53248 bytes | Created Date = 3/6/2007 2:08:23 AM | Attr = H ]
C:\Documents and Settings\Fred\Application Data\rbap550.dll [Ver = | Size = 88576 bytes | Created Date = 3/6/2007 2:08:23 AM | Attr = H ]
C:\Documents and Settings\Fred\Application Data\RBInternetEncodings550.dll [Ver = | Size = 29184 bytes | Created Date = 3/6/2007 2:08:23 AM | Attr = H ]
C:\Documents and Settings\Fred\Application Data\RBShell550.dll [Ver = | Size = 38912 bytes | Created Date = 3/6/2007 2:08:23 AM | Attr = H ]
C:\Documents and Settings\Fred\Application Data\WindowsSecurity.dll [Ver = | Size = 65536 bytes | Created Date = 3/6/2007 2:08:23 AM | Attr = H ]
C:\Documents and Settings\Fred\Application Data\ZZipUtilitiesV02.dll [Ver = | Size = 75776 bytes | Created Date = 3/6/2007 2:08:23 AM | Attr = H ]
C:\Documents and Settings\Fred\Local Settings\Application Data\fusioncache.dat [Ver = | Size = 127 bytes | Created Date = 2/12/2007 1:34:00 AM | Attr = ]
C:\Documents and Settings\Fred\Local Settings\Application Data\IconCache.db [Ver = | Size = 6914994 bytes | Created Date = 3/3/2007 11:26:40 PM | Attr = H ]
C:\Documents and Settings\Fred\My Documents\Default.rdp [Ver = | Size = 1690 bytes | Created Date = 1/27/2007 1:26:48 PM | Attr = H ]
C:\Documents and Settings\Fred\Desktop\Radar.url [Ver = | Size = 345 bytes | Created Date = 12/30/2006 3:12:28 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Fred\Desktop\Radar.url:favicon (318 bytes)
C:\WINDOWS\a3kebook.ini [Ver = | Size = 4 bytes | Created Date = 1/22/2007 6:06:54 PM | Attr = H ]
C:\WINDOWS\akebook.ini [Ver = | Size = 20 bytes | Created Date = 1/22/2007 6:06:54 PM | Attr = H ]
C:\WINDOWS\ANS2000.INI [Ver = | Size = 180 bytes | Created Date = 1/22/2007 6:06:54 PM | Attr = ]
C:\WINDOWS\bears.bmp [Ver = | Size = 750174 bytes | Created Date = 1/19/2007 12:27:19 AM | Attr = ]
C:\WINDOWS\chapter.MID [Ver = | Size = 23165 bytes | Created Date = 1/23/2007 12:15:00 AM | Attr = ]
C:\WINDOWS\cviinst.ini [Ver = | Size = 29 bytes | Created Date = 12/25/2006 6:40:29 AM | Attr = ]
C:\WINDOWS\imsins.BAK [Ver = | Size = 1374 bytes | Created Date = 2/15/2007 3:15:27 AM | Attr = ]
C:\WINDOWS\khblocker.lnk [Ver = | Size = 597 bytes | Created Date = 3/6/2007 2:08:17 AM | Attr = ]
C:\WINDOWS\mozver.dat [Ver = | Size = 11024 bytes | Created Date = 12/27/2006 7:08:44 PM | Attr = ]
C:\WINDOWS\NSUninst.exe [Ver = | Size = 90832 bytes | Created Date = 12/27/2006 7:09:08 PM | Attr = ]
C:\WINDOWS\pcdlib32.dll Eastman Kodak [Ver = 3, 0, 0, 0 | Size = 212480 bytes | Created Date = 12/28/2006 11:04:08 AM | Attr = ]
C:\WINDOWS\PI4_setup.ini [Ver = | Size = 21 bytes | Created Date = 12/28/2006 11:04:08 AM | Attr = ]
C:\WINDOWS\Robotz Menu Command.wav [Ver = | Size = 13920 bytes | Created Date = 1/23/2007 12:15:11 AM | Attr = ]
C:\WINDOWS\sandy.bmp [Ver = | Size = 124470 bytes | Created Date = 12/26/2006 11:36:30 PM | Attr = ]
C:\WINDOWS\ST6UNST.000 [Ver = | Size = 5979 bytes | Created Date = 12/20/2006 12:41:08 AM | Attr = ]
C:\WINDOWS\uccspecc.sys [Ver = | Size = 31 bytes | Created Date = 3/4/2007 1:01:03 AM | Attr = H ]
C:\WINDOWS\usrwiz.ini [Ver = | Size = 134 bytes | Created Date = 1/1/2007 11:33:58 AM | Attr = ]
C:\WINDOWS\wc98pp.dll [Ver = | Size = 51712 byt

#9 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 07 March 2007 - 07:20 AM

Your WinPFind log was cut off but here I see the Host file was modified. C:\WINDOWS\System32\drivers\etc\Hosts (Size: 568924 bytes | Modified Date: 3/6/2007 4:58:50 PM) Please post (reply) with a hijackthis log.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#10 auggust

auggust

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 07 March 2007 - 07:46 AM

yes the host file gets changed all the time and no idea why or how to stop it

here is this mornings hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 8:43:00 AM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\TWEAKM~1\TMTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\KH Blocker\khb.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Football\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Fred\Application Data\Mozilla\Profiles\default\olcuyixv.slt\prefs.js)
O1 - Hosts: 216.77.188.41 home.bellsouth.net
O1 - Hosts: 209.40.97.64 ad2.m5-systems.com
O1 - Hosts: 12.29.100.148 www.americanexpress.com
O1 - Hosts: 12.29.100.25 www99.americanexpress.com
O1 - Hosts: 63.87.241.132 www.hillisslacksettlement.com
O1 - Hosts: 63.126.254.111 cert.gardencitygroup.com
O1 - Hosts: 204.117.196.164 www.nchmd.org
O1 - Hosts: 209.40.97.64 ad1.m5-systems.com
O1 - Hosts: 159.54.226.224 www.tennessean.com
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O1 - Hosts: 198.105.192.72 espn.go.com
O1 - Hosts: 198.105.192.62 sports.espn.go.com
O1 - Hosts: 64.147.114.8 www.daylife.com
O1 - Hosts: 84.53.144.150 msn.foxsports.com
O1 - Hosts: 216.27.85.33 www.alabamamotorsportspark.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KH Blocker] C:\Program Files\KH Blocker\khb.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170805567156
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    Advertisements

Register to Remove

#11 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 07 March 2007 - 08:12 AM

What is this? Can you tell me where did you obtain it or what company produced it?

NoAd HOSTS file (remove only)
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#12 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 07 March 2007 - 09:36 AM

Let's try some other things.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

This checks for rootkits-want to rule it out.
GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.
  • Download GMER and extract it to the C:\program files\GMER folder.
  • Please rename the GMER file
    Note: You can rename gmer.exe to anything you like as long as you keep the .exe ending.
    Run the Gmer.exe renamed program by double-clicking the executable file (gmer.exe) in Windows Explorer.
    You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "yes" to begin the scan.
  • If you are not prompted, Click the "Rootkit" tab, then click "Scan".
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and also paste them back in your next reply.

==========
Just want to run another scan to double-check there are no infected files.
Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information from Kapersky in your next post.

**Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

So please post (reply) with results from GMER and Kapersky.

Edited by Susan528, 07 March 2007 - 09:37 AM.

Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#13 auggust

auggust

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 07 March 2007 - 01:53 PM

this is the agreement with no ads host file, i had used it a cpl time to see if that would fix my prob but it didnt... basically it overwrites in drivers/ect but the hosts come back the 01 hosts after i get rid of them using it, havent used prob in while .... was just what i was hoping for a fix that didnt work ...... will do the rest of stuff lil later today .....

NOTE:

You are about to overwrite your hosts file.

This is the installer for Mike Skallas' Ad blocking hosts file located at:

http://everythingisnt.com/hosts.html

The host file is free only for residential/non-profit users.

This program will install the hosts file into the proper system directory for
Windows 95/98/NT/2K/XP systems. This will not backup your old hosts file.

You can always uninstall this by going to the control panel and using
Add/Remove programs.

This installer is provided 'as-is', without any express or implied warranty. In no event will anyone be held liable for any damages arising from the use of this installer or hosts file.

Installer written by Allen Jackson.

#14 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 07 March 2007 - 06:02 PM

Please run a Panda scan instead of Kapersky for now--or if you have time do them both.
This scan works with Internet Explorer.

STEP 1.
======
Panda Active Scan
Please go to Panda ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan [color="blue"](Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, by using Add Reply.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#15 auggust

auggust

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 07 March 2007 - 08:07 PM

here is the active scan:

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Fred\Cookies\fred@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Fred\Cookies\fred@advertising[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Fred\Cookies\fred@casalemedia[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Fred\Cookies\fred@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Fred\Cookies\fred@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Fred\Cookies\fred@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Fred\Cookies\fred@hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Fred\Cookies\fred@media.fastclick[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Fred\Cookies\fred@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Fred\Cookies\fred@tribalfusion[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Fred\Cookies\fred@zedo[1].txt



hijack :

Logfile of HijackThis v1.99.1
Scan saved at 7:19:45 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\TWEAKM~1\TMTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\KH Blocker\khb.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Football\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Fred\Application Data\Mozilla\Profiles\default\olcuyixv.slt\prefs.js)
O1 - Hosts: 216.77.188.41 home.bellsouth.net
O1 - Hosts: 209.40.97.64 ad2.m5-systems.com
O1 - Hosts: 12.29.100.148 www.americanexpress.com
O1 - Hosts: 12.29.100.25 www99.americanexpress.com
O1 - Hosts: 63.87.241.132 www.hillisslacksettlement.com
O1 - Hosts: 63.126.254.111 cert.gardencitygroup.com
O1 - Hosts: 204.117.196.164 www.nchmd.org
O1 - Hosts: 209.40.97.64 ad1.m5-systems.com
O1 - Hosts: 159.54.226.224 www.tennessean.com
O1 - Hosts: 70.84.70.85 forums.tomcoyote.org
O1 - Hosts: 198.105.192.72 espn.go.com
O1 - Hosts: 198.105.192.62 sports.espn.go.com
O1 - Hosts: 64.147.114.8 www.daylife.com
O1 - Hosts: 84.53.144.150 msn.foxsports.com
O1 - Hosts: 216.27.85.33 www.alabamamotorsportspark.com
O1 - Hosts: 68.142.197.198 my.yahoo.com
O1 - Hosts: 209.191.92.114 login.yahoo.com
O1 - Hosts: 206.190.56.229 finance.yahoo.com
O1 - Hosts: 216.252.106.98 streamerapi.finance.yahoo.com
O1 - Hosts: 63.241.84.11 www.chicagotribune.com
O1 - Hosts: 205.177.95.85 video.chicagotribune.com
O1 - Hosts: 161.58.191.209 www.drugs.com
O1 - Hosts: 72.247.31.89 www.pandasoftware.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TweakMASTER] "C:\PROGRA~1\TWEAKM~1\TMTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KH Blocker] C:\Program Files\KH Blocker\khb.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170805567156
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.su...indows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·