An appeal to the experts for help, hijack this log included

Discussion in 'adware, spyware & hijack cleaning' started by celerityfm, May 20, 2004.

Thread Status:
Not open for further replies.
  1. celerityfm

    celerityfm Registered Member

    Joined:
    May 20, 2004
    Posts:
    7
    Hey guys... I've been owned by what I THINK is a CWS variant.. latest CWSShredder shows CWS.searchx and cleans it but it kept coming back.. eventually it just stopped showing up all together and my IE homepage stopped getting reset to CoolWebSearch. Sometimes it would get reset to about:blank, but I stopped using IE and hit up FireFox for a while and figured I could ignore this. But recently AVG Free 6.0 started finding random DLL files in system32 that it said was "Trojan horse Startpage.4.AO" and could not clean them! I don't think we're out of the woods yet!

    I thought I might have the RealYellow variant of CWS but I tried the cleaning steps posted on Merijn's site but never found the file with the 61c00000 61440 header, so I'm not sure I even have that. To make things even STRANGER, I downloaded SpywareBlaster AFTER the fact (shoulda been running that before all this right?) and when I try to launch it after installation I get an error saying "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." and as you may have guessed, reinstalling does not help. I also tried the program and technique listed in this thread https://www.wilderssecurity.com/showpost.php?p=177718&postcount=17 out of desperation even though I've never seen a mrhoppy.dll anywhere on my computer. Now, justto be complete I'll go ahead and run Spybot and Hijackthis again right now...(goes off to run Spybot).

    Ok, just ran the latest Spybot and man did that adware/trojan squirm! Right around 4292 (AdGoblin), AVG started detecting "Trojan horse Startpage.4.AO" and continued to do so throughout the rest of the scan. SYSTEM32\FIEN.DLL, HQCMPE.DLL, etc flashed by on AVG during the scan but in the end Spybot only found 1 random registry key for a "web dialer", the rest were just cookies (btw that key was HKEY_USERS\S-1-5-21-484763869-1343024091-1708537768-1003\Software\Microsoft\Internet Explorer\Main\HOMEOldSP). AVG finds this trojan on random occasions as well but so far it finds it everytime I run spybot right around the AdGoblin part. HMM. Anyways, enough blathering, here's the Hijack this goods (including scan log and startup log for completeness). THANK YOU!!! I feel like I'm close to killing this thing for good, and with your help perhaps we can!

    I've pasted the Hijackthis log and startup list below!

    Logfile of HijackThis v1.97.7
    Scan saved at 6:10:13 PM, on 5/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\bloggar\wbloggar.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\system32\logon.scr
    C:\Documents and Settings\Toby\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (8394abfc1be196a62c9f532511936df7, 37808 bytes)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (skipped, 711168 bytes)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (0fb22dd37c17f80ad71316049f725170, 31744 bytes)
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup (47d4d5e2f2b6a78dcd5dbdd8c06677ac, 345661 bytes)
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe (84f0c045f24dae5de54b9aff3450b181, 262144 bytes)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (5d8d50d90cbf3b5cc32100425545394a, 323584 bytes)
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (15cca68bee2d232166f992a7ae2f8002, 81920 bytes)
    O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe (1178f146097e820b1ed219c646693b52, 348160 bytes)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe (ed85b344e6edc30c1bc57ec1a2a56bf3, 32881 bytes)
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (414de7cf9d3f19c3ea902f1bb38ec116, 13312 bytes)
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (skipped, 1038336 bytes)
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe (30895afed476666c11470d7311c9ad81, 40960 bytes)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM (file missing)
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM (file missing)
    O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm (file missing)
    O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    StartupList report, 5/20/2004, 6:10:28 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Toby\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\bloggar\wbloggar.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\system32\logon.scr
    C:\Documents and Settings\Toby\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Toby\Start Menu\Programs\Startup]
    Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    Shortcut to wbloggar.lnk = C:\Program Files\bloggar\wbloggar.exe
    Trillian.lnk = C:\Program Files\Trillian\trillian.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
    DataCaching = C:\PROGRA~1\DATACA~1\FLashKsk.exe
    nwiz = nwiz.exe /install
    DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    Hotkeycontrol = C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
    SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\NOSTAL~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\System32\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [Java Plug-in 1.4.2_03]
    InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852

    [Java Plug-in 1.4.0]
    InProcServer32 = C:\Program Files\Java\j2re1.4.0\bin\npjpi140.dll
    CODEBASE = http://java.sun.com/products/plugin/1.4/jinstall-14-win.cab

    [Java Plug-in 1.4.2_03]
    InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll
    Protocol #18: C:\WINDOWS\system32\mswsock.dll
    Protocol #19: C:\WINDOWS\system32\mswsock.dll
    Protocol #20: C:\WINDOWS\system32\mswsock.dll
    Protocol #21: C:\WINDOWS\system32\mswsock.dll
    Protocol #22: C:\WINDOWS\system32\mswsock.dll
    Protocol #23: C:\WINDOWS\system32\mswsock.dll
    Protocol #24: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATI TV Wonder Video Capture: system32\drivers\atibtcap.sys (autostart)
    ATI TV Wonder Video Crossbar: system32\drivers\atibtxbr.sys (autostart)
    ATI TV Wonder TV Tuner: system32\drivers\ativtutw.sys (autostart)
    ATI TV Wonder Audio Crossbar: system32\drivers\ativxstw.sys (autostart)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys (autostart)
    AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys (autostart)
    AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: C:\WINDOWS\System32\cisvc.exe (disabled)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    d344bus: System32\DRIVERS\d344bus.sys (system)
    d344prt: System32\Drivers\d344prt.sys (system)
    Dev_DirectNT: \??\C:\Program Files\Dreaming of Brazil 3b6\directnt.sys (manual start)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    DSDrv4: \??\C:\PROGRA~1\DScaler\DSDrv4.sys (manual start)
    DVXCEL Streaming Class Driver: System32\DRIVERS\DVXUSBKS.sys (manual start)
    DVXUSBLD: system32\drivers\DVXUSBLD.SYS (manual start)
    enodpl: System32\drivers\enodpl.sys (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Hid to Joystick Port Enabler: System32\DRIVERS\hidgame.sys (manual start)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IIS Admin: C:\WINDOWS\System32\inetsrv\inetinfo.exe (disabled)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    mapmem: \??\C:\WINDOWS\System32\Drivers\mapmem.sys (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Sidewinder HID to Joystick Port Enabler: System32\DRIVERS\msgame.sys (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (disabled)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NetGroup Packet Filter Driver: system32\drivers\npf.sys (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    NUVision II Audio Service: System32\DRIVERS\nuvaud2.sys (manual start)
    NUVision Video Service: System32\DRIVERS\nuvvid2.sys (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    nVidia WDM TVTuner: System32\DRIVERS\nvtunep.sys (autostart)
    nVidia WDM TVAudio Crossbar: System32\DRIVERS\nvtvsnd.sys (autostart)
    nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
    NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
    NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
    PGPmemlock: \??\C:\WINDOWS\System32\drivers\PGPmemlock.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Linksys Fast Ethernet PCI Card: System32\DRIVERS\lne100.SYS (manual start)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    portio: \??\C:\WINDOWS\System32\Drivers\portio.sys (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (disabled)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Remote Packet Capture Protocol v.0 (experimental): "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" (manual start)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (disabled)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SanDisk USB ImageMate/SecureMate Mass Storage Driver: System32\DRIVERS\SDSTOR2K.SYS (manual start)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (disabled)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{485B4C9D-B5EF-432F-8632-3F7A53E30B1F} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    tandpl: System32\drivers\tandpl.sys (autostart)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    tvtool: \??\C:\Program Files\TVTool 9.5\tvtool.sys (system)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
    USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
    Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
    VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
    ViaIde: System32\DRIVERS\viaidexp.sys (system)
    VIAPFD: \SystemRoot\System32\Drivers\VIAPFD.SYS (system)
    Virtual PC Application Services: System32\DRIVERS\VPCAppSv.sys (autostart)
    Virtual PC Emulated Ethernet Switch Driver: System32\DRIVERS\VPCNetS2.sys (manual start)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (disabled)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    X10 Device Network Service: C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\Program Files\Spybot - Search & Destroy\is-963V6.tmp => C:\Program Files\Spybot - Search & Destroy\SDHelper.dll||\

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 34,200 bytes
    Report generated in 0.131 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Thanks for reading this far, you guys are providing an amazing service, KEEP FIGHTING THE GOOD FIGHT.

    Hope you can help.
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi


    Download the following tool :

    http://tools.zerosrealm.com/dllfix.exe

    Doubleclick it and install in folder of choice but on the root drive, most likely C:\

    1. Run start.bat and press option 1. A search will start

    'output.txt' will be created in the folder

    2. Copypaste the complete contents of output.txt here please

    Thnx

    Cheers,
     
  3. celerityfm

    celerityfm Registered Member

    Joined:
    May 20, 2004
    Posts:
    7
    Ahhh thank you very much for your help! Here's the output.. when it got to those suspect DLL files AVG popped up again about the trojan horse startpage.4.ao.

    --==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

    Fri 05/21/2004
    08:14 AM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (F0CC:B2E0) - FS:NTFS clusters:4k
    Total: 80 015 491 072 [75G] - Free: 2 704 596 992 [2.5G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q813489;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;

    *Google Toolbar version and Attributes:
    Defaults: "A" ;"R"
    Path not found - C:\Program Files\google
    Path not found - C:\Program Files\google

    *UserAgent:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    *Wmplayer version:
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
    6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

    *M$Java version:


    *PC uptime:
    8:14am up 3 days, 12:29
    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error
    \\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error


    *List of top level windows:
    HWND PID PRIO TITLE
    100a2 1512 norm TF_FloatingLangBar_WndTitle
    490104 656 norm AVG Resident Shield
    100a6 1512 norm CiceroUIWndFrame
    2b0124 3984 norm SysFader
    250412 3748 norm Wilders Security Forums - An appeal to the experts for help, hijack this log in
    2011c 3984 norm _Shell_TrayWnd
    1101dc 1720 norm Trillian: List Tooltip Entry
    16025e 6188 norm DirectDBNotifyWndProc
    220232 6188 norm Outlook Express FolderSync Window Class
    100226 6188 norm OEStoreCleanupThread
    12601d8 6188 norm DirectDBNotifyWndProc
    1301fa 6188 norm SysFader
    7024e 6188 norm DirectDBNotifyWndProc
    4027c 6188 norm DirectDBListenWndProc
    13c0222 6188 norm O
    100e2 1632 norm MessageWindow
    100bc 1632 norm TodoWindow
    100b8 1632 norm Rainlendar
    10026 680 high NetDDE Agent
    100be 1444 Hotkeycontrol XP
    5800ae 4256 norm C:\WINDOWS\System32\cmd.exe
    110126 3984 norm dllfix
    8f035c 3748 norm Wilders Security Forums - Reply to Topic - Avant Browser
    10f0150 3748 norm Avant Browser
    2b0148 3984 norm DDE Server Window
    1a042a 3748 norm MCI command handling window
    4004f8 3748 norm IMMIF UI
    f902ae 3748 norm DDE Server Window
    14020e 6856 norm Start Page - Mozilla Firefox
    10168 1720 norm Trillian
    100c0 1720 norm Trillian
    d0024a 6188 norm Outlook Express
    c001b2 6856 norm NetscapeDispatchWnd
    a026a 6856 norm XPCOM:EventReceiver
    f02a0 6188 norm MCI command handling window
    9f031e 6188 norm Identity Mgr Notify
    c0254 6188 norm WAB Notification Window
    802a2 6188 norm Identity Mgr Notify
    501a6 6188 norm Identity Mgr Notify
    200fc 528 norm AVG Control Center - FREE Edition
    3c02f4 3984 norm DDE Server Window
    6003b0 3984 norm MCI command handling window
    70044 3984 norm Connections Tray
    2008c 3984 norm Power Meter
    2008a 3984 norm MS_WebcheckMonitor
    2005e 1632 norm Rainlendar control window
    1017c 1444 _Static
    1009e 1444 Hotkeycontrol XP
    20156 1720 norm celerityfm - Console
    100b4 1408 norm Virtual DAEMON Manager V3.44
    10070 1940 norm NVSVCPMMWindowClass
    20074 1388 norm FlashKiosk Application
    7d0238 6188 norm Inbox - Outlook Express - Main Identity
    40038 3984 norm Program Manager
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    

    Hope this helps! Thanks!!
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ah good job!

    This is the culprit :

    C:\WINDOWS\System32\ALKELH.DLL

    Let's proceed. Follow these instructions :

    run start.bat again and choose option 2.

    Hit '1' and enter C:\WINDOWS\System32\ALKELH.DLL and proceed

    Restart PC after doing so

    4. Download and run AdAware : http://www.lavasoft.de/software/adaware/

    Update XP and IE at windowsupdate.com

    Finally take another hijackthis scan, if you still see the dll entries, fix them one last time

    Hope this helps

    Cheers,
     
  5. celerityfm

    celerityfm Registered Member

    Joined:
    May 20, 2004
    Posts:
    7
    Thank you thank you thank you for followingup with me! I'm hoping we finally killed it but I have a sinking feeling that its not entirely gone yet.

    Went ahead and ran start.bat/dllfix option 2 and specified ALKELH.DLL as you described. Rebooted and it ran on startup and finished up. Hit up the latest adaware and it found some CWS registry keys which I cleaned. Then I hit up windows update and grabbed one new update that I didn't have yet and then reran hijackthis.. didn't see anything different from the last time so I reran dllfix and it found the ALKELH.DLL file again (but this time AVG didn't pop up to warn me about it). I reran step 2 and rebooted/etc.

    Here are the log files from dllfix and adaware.. what do you think? Are we out of the woods yet? THANKS!!

    First run of DLLFIX option 2:
    CWSDLL Appinit Fix By Shadowwar
    Please Do not mirror Without Permission!
    I can be contacted at spywaresubmit at aol.com
    Fri 05/21/2004
    11:19 AM

    Backing up Registry Hive

    The operation completed successfully

    Deleting Windows Key

    The operation completed successfully

    Restoring Registry Hive

    The operation completed successfully

    Deleting temp value

    The operation completed successfully

    Running from C:\dllfix
    Processing File Manually
    C:\WINDOWS\system32\ALKELH.DLL
    Md5 Check of C:\WINDOWS\system32\ALKELH.DLL

    Md5 tested As
    File was found but md5 didnt match
    MD5 was:
    Resetting file attributes
    Processing ACL of: <\\?\C:\WINDOWS\system32\ALKELH.DLL>

    SetACL finished successfully.
    File was zipped for submission to Shadowwar
    File is located at C:\dllfix\submit.zip
    please Email a copy to spywaresubmit at aol.com
    Please include a link to your post.
    File is still in original location now unlocked.
    It is now ok to proceed with Rest of Cleanup.

    AdAware log after first run of dllfix:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Friday, May 21, 2004 11:27:33 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R306 19.05.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    5-21-2004 11:27:33 AM - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 5-21-2004 3:21:13 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:21:25 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:21:26 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:21:26 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/29/2002 8:41:26 AM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:21:26 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-21-2004 3:21:26 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:7 [logonui.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:21:26 PM
    BasePriority : Normal
    FileSize : 492 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Logon UI
    InternalName : LOGONUI
    OriginalFilename : LOGONUI.EXE
    ProductName : Microsoft
    Created on : 2/25/2003 4:18:00 AM
    Last accessed : 5/21/2004 3:19:00 PM
    Last modified : 8/29/2002 8:41:26 AM

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:21:27 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:9 [avgserv.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG6\
    ThreadCreationTime : 5-21-2004 3:21:37 PM
    BasePriority : Normal
    FileSize : 20 KB
    FileVersion : 6.0.1.9
    ProductVersion : 6.0.1.9
    Copyright : Copyright (c) GRISOFT(c) SOFTWARE 1998-2001
    CompanyName : GRISOFT(c) SOFTWARE s.r.o
    FileDescription : AvgServ - displays notification message
    InternalName : AvgServ
    OriginalFilename : AvgServ
    ProductName : AVG6
    Created on : 10/17/2002 11:49:18 AM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 10/17/2002 11:49:18 AM

    #:10 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-21-2004 3:21:37 PM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 6.14.10.4523
    ProductVersion : 6.14.10.4523
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 45.23
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 45.23
    Created on : 11/23/2003 7:22:28 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 7/28/2003 7:19:00 PM

    #:11 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:22:53 PM
    BasePriority : High


    #:12 [rdpclip.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:23:01 PM
    BasePriority : Normal
    FileSize : 43 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : RDP Clip Monitor
    InternalName : RDPClip
    OriginalFilename : RDPClip.exe
    ProductName : Microsoft
    Created on : 2/25/2003 4:17:45 AM
    Last accessed : 5/21/2004 3:19:00 PM
    Last modified : 8/29/2002 8:41:28 AM

    #:13 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 5-21-2004 3:23:07 PM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 2/25/2003 4:18:22 AM
    Last accessed : 5/21/2004 3:23:08 PM
    Last modified : 8/29/2002 8:41:24 AM

    #:14 [notepad.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:23:19 PM
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Notepad
    InternalName : Notepad
    OriginalFilename : NOTEPAD.EXE
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:23:19 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:15 [avgcc32.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG6\
    ThreadCreationTime : 5-21-2004 3:23:19 PM
    BasePriority : Normal
    FileSize : 337 KB
    FileVersion : 6, 0, 0, 515
    ProductVersion : 6, 0, 0, 0
    Copyright : Copyright
    CompanyName : GRISOFT s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC32
    OriginalFilename : AvgCC32.EXE
    ProductName : AVG Anti-Virus System
    Created on : 9/13/2003 11:54:11 AM
    Last accessed : 5/21/2004 3:23:33 PM
    Last modified : 9/13/2003 11:54:11 AM

    #:16 [flashksk.exe]
    FilePath : C:\PROGRA~1\DATACA~1\
    ThreadCreationTime : 5-21-2004 3:23:19 PM
    BasePriority : Normal
    FileSize : 256 KB
    FileVersion : V1.16.01
    ProductVersion : V1.16.01
    Created on : 9/24/2002 2:34:37 AM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 11/29/2001 3:55:00 AM

    #:17 [daemon.exe]
    FilePath : C:\Program Files\D-Tools\
    ThreadCreationTime : 5-21-2004 3:23:19 PM
    BasePriority : Normal
    FileSize : 80 KB
    FileVersion : 3.44.0.0
    ProductVersion : 3.44.0.0
    Copyright : Copyright (C) 2000-2003
    CompanyName : DAEMON'S HOME
    FileDescription : Virtual DAEMON Manager
    InternalName : DAEMON.EXE
    OriginalFilename : daemon.exe
    ProductName : DAEMON Tools
    Created on : 12/28/2003 1:43:26 AM
    Last accessed : 5/21/2004 3:23:20 PM
    Last modified : 12/28/2003 1:43:26 AM

    #:18 [jusched.exe]
    FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
    ThreadCreationTime : 5-21-2004 3:23:19 PM
    BasePriority : Normal
    FileSize : 32 KB
    Created on : 11/19/2003 9:48:18 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 11/19/2003 9:48:14 PM

    #:19 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-21-2004 3:23:19 PM
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 2/25/2003 4:18:13 AM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/29/2002 8:41:22 AM

    #:20 [teatimer.exe]
    FilePath : C:\Program Files\Spybot - Search & Destroy\
    ThreadCreationTime : 5-21-2004 3:23:19 PM
    BasePriority : Idle
    FileSize : 1014 KB
    FileVersion : 1, 3, 0, 12
    ProductVersion : 1, 3, 0, 12
    CompanyName : Safer Networking Limited
    FileDescription : System settings protector
    InternalName : TeaTimer
    OriginalFilename : TeaTimer.exe
    ProductName : Spybot - Search & Destroy
    Created on : 4/14/2004 5:03:00 AM
    Last accessed : 5/21/2004 3:23:20 PM
    Last modified : 5/12/2004 5:03:00 AM

    #:21 [rainlendar.exe]
    FilePath : C:\Program Files\Rainlendar\
    ThreadCreationTime : 5-21-2004 3:23:20 PM
    BasePriority : Normal
    FileSize : 40 KB
    Created on : 1/28/2004 6:11:30 PM
    Last accessed : 5/21/2004 3:23:20 PM
    Last modified : 1/28/2004 6:11:30 PM

    #:22 [wbloggar.exe]
    FilePath : C:\Program Files\bloggar\
    ThreadCreationTime : 5-21-2004 3:23:20 PM
    BasePriority : Normal
    FileSize : 584 KB
    FileVersion : 3.03.0165
    ProductVersion : 3.03.0165
    Copyright : Copyright
    CompanyName : RainDrops Freeware Project
    FileDescription : w.bloggar - Universal Weblog Interface
    InternalName : wbloggar
    OriginalFilename : wbloggar.exe
    ProductName : w.bloggar
    Created on : 7/12/2003 5:41:30 AM
    Last accessed : 5/21/2004 3:23:21 PM
    Last modified : 12/16/2003 4:48:30 PM

    #:23 [trillian.exe]
    FilePath : C:\Program Files\Trillian\
    ThreadCreationTime : 5-21-2004 3:23:20 PM
    BasePriority : Normal
    FileSize : 792 KB
    FileVersion : 2.0.1.112
    ProductVersion : 2.0.1.112
    CompanyName : Cerulean Studios
    FileDescription : Trillian
    InternalName : Trillian
    OriginalFilename : Trillian.exe
    ProductName : Trillian
    Created on : 1/12/2004 4:00:00 AM
    Last accessed : 5/21/2004 3:23:50 PM
    Last modified : 4/14/2004 11:09:29 PM

    #:24 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 5-21-2004 3:27:06 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 7/10/2003 5:04:02 AM
    Last accessed : 5/21/2004 3:27:02 PM
    Last modified : 7/13/2003 1:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 2


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : toby@2o7[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/5/2004 6:06:38 AM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/5/2004 6:06:38 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@ads.addynamix[2].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/6/2004 5:03:27 AM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/6/2004 5:03:27 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@ads.specificpop[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/13/2004 3:22:06 AM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/13/2004 3:22:06 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@adserver.phatmax[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/5/2004 12:42:31 AM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/5/2004 12:42:31 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@advertising[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:27:51 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:27:51 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@atdmt[2].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:18:30 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:18:30 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@doubleclick[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:18:47 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:18:49 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@ehg-dig.hitbox[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\
    FileSize : 1 KB
    Created on : 5/21/2004 12:27:35 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:27:35 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@ehg-space.hitbox[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:27:52 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:27:52 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@fastclick[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:27:33 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:27:33 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@hitbox[2].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:27:35 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:27:52 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@questionmarket[2].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/6/2004 5:03:38 AM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:27:33 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@realmedia[2].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/10/2004 4:14:41 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/10/2004 4:14:41 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@servedby.advertising[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:27:51 PM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/21/2004 12:27:51 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@tribalfusion[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/6/2004 5:03:26 AM
    Last accessed : 5/21/2004 3:29:14 PM
    Last modified : 5/6/2004 5:03:26 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : toby@zedo[1].txt
    Object : C:\Documents and Settings\Toby\Cookies\

    Created on : 5/21/2004 12:18:40 PM
    Last accessed : 5/21/2004 3:29:15 PM
    Last modified : 5/21/2004 12:27:29 PM


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 19


    11:29:50 AM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:02:16:767
    Objects scanned :51792
    Objects identified :19
    Objects ignored :0
    New objects :19

    DLLFIX logfile after SECOND run:
    CWSDLL Appinit Fix By Shadowwar
    Please Do not mirror Without Permission!
    I can be contacted at spywaresubmit at aol.com
    Fri 05/21/2004
    11:40 AM

    Backing up Registry Hive

    The operation completed successfully

    Deleting Windows Key

    The operation completed successfully

    Restoring Registry Hive

    The operation completed successfully

    Deleting temp value

    The operation completed successfully

    Running from C:\dllfix
    Processing File Manually
    C:\WINDOWS\system32\ALKELH.DLL
    Md5 Check of C:\WINDOWS\system32\ALKELH.DLL

    Md5 tested As
    File was found but md5 didnt match
    MD5 was:
    Resetting file attributes
    Processing ACL of: <\\?\C:\WINDOWS\system32\ALKELH.DLL>

    SetACL finished successfully.
    File was zipped for submission to Shadowwar
    File is located at C:\dllfix\submit.zip
    please Email a copy to spywaresubmit at aol.com
    Please include a link to your post.
    File is still in original location now unlocked.
    It is now ok to proceed with Rest of Cleanup.

    Adaware logfile after SECOND run:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Friday, May 21, 2004 11:53:25 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R306 19.05.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    5-21-2004 11:53:25 AM - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 5-21-2004 3:42:23 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:42:36 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:42:36 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:42:36 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/29/2002 8:41:26 AM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:42:37 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-21-2004 3:42:37 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:7 [logonui.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:42:37 PM
    BasePriority : Normal
    FileSize : 492 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Logon UI
    InternalName : LOGONUI
    OriginalFilename : LOGONUI.EXE
    ProductName : Microsoft
    Created on : 2/25/2003 4:18:00 AM
    Last accessed : 5/21/2004 3:19:00 PM
    Last modified : 8/29/2002 8:41:26 AM

    #:8 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:42:38 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:9 [avgserv.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG6\
    ThreadCreationTime : 5-21-2004 3:42:47 PM
    BasePriority : Normal
    FileSize : 20 KB
    FileVersion : 6.0.1.9
    ProductVersion : 6.0.1.9
    Copyright : Copyright (c) GRISOFT(c) SOFTWARE 1998-2001
    CompanyName : GRISOFT(c) SOFTWARE s.r.o
    FileDescription : AvgServ - displays notification message
    InternalName : AvgServ
    OriginalFilename : AvgServ
    ProductName : AVG6
    Created on : 10/17/2002 11:49:18 AM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 10/17/2002 11:49:18 AM

    #:10 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-21-2004 3:42:47 PM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 6.14.10.4523
    ProductVersion : 6.14.10.4523
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 45.23
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 45.23
    Created on : 11/23/2003 7:22:28 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 7/28/2003 7:19:00 PM

    #:11 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:45:10 PM
    BasePriority : High


    #:12 [rdpclip.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:45:26 PM
    BasePriority : Normal
    FileSize : 43 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : RDP Clip Monitor
    InternalName : RDPClip
    OriginalFilename : RDPClip.exe
    ProductName : Microsoft
    Created on : 2/25/2003 4:17:45 AM
    Last accessed : 5/21/2004 3:19:00 PM
    Last modified : 8/29/2002 8:41:28 AM

    #:13 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 5-21-2004 3:45:34 PM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 2/25/2003 4:18:22 AM
    Last accessed : 5/21/2004 3:45:35 PM
    Last modified : 8/29/2002 8:41:24 AM

    #:14 [notepad.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 5-21-2004 3:45:44 PM
    BasePriority : Normal
    FileSize : 64 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-114:cool:
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Notepad
    InternalName : Notepad
    OriginalFilename : NOTEPAD.EXE
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 5/21/2004 3:45:45 PM
    Last modified : 8/23/2001 12:00:00 PM

    #:15 [avgcc32.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG6\
    ThreadCreationTime : 5-21-2004 3:45:44 PM
    BasePriority : Normal
    FileSize : 337 KB
    FileVersion : 6, 0, 0, 515
    ProductVersion : 6, 0, 0, 0
    Copyright : Copyright
    CompanyName : GRISOFT s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC32
    OriginalFilename : AvgCC32.EXE
    ProductName : AVG Anti-Virus System
    Created on : 9/13/2003 11:54:11 AM
    Last accessed : 5/21/2004 3:45:58 PM
    Last modified : 9/13/2003 11:54:11 AM

    #:16 [flashksk.exe]
    FilePath : C:\PROGRA~1\DATACA~1\
    ThreadCreationTime : 5-21-2004 3:45:45 PM
    BasePriority : Normal
    FileSize : 256 KB
    FileVersion : V1.16.01
    ProductVersion : V1.16.01
    Created on : 9/24/2002 2:34:37 AM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 11/29/2001 3:55:00 AM

    #:17 [daemon.exe]
    FilePath : C:\Program Files\D-Tools\
    ThreadCreationTime : 5-21-2004 3:45:45 PM
    BasePriority : Normal
    FileSize : 80 KB
    FileVersion : 3.44.0.0
    ProductVersion : 3.44.0.0
    Copyright : Copyright (C) 2000-2003
    CompanyName : DAEMON'S HOME
    FileDescription : Virtual DAEMON Manager
    InternalName : DAEMON.EXE
    OriginalFilename : daemon.exe
    ProductName : DAEMON Tools
    Created on : 12/28/2003 1:43:26 AM
    Last accessed : 5/21/2004 3:45:49 PM
    Last modified : 12/28/2003 1:43:26 AM

    #:18 [jusched.exe]
    FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
    ThreadCreationTime : 5-21-2004 3:45:46 PM
    BasePriority : Normal
    FileSize : 32 KB
    Created on : 11/19/2003 9:48:18 PM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 11/19/2003 9:48:14 PM

    #:19 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 5-21-2004 3:45:46 PM
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 2/25/2003 4:18:13 AM
    Last accessed : 5/21/2004 3:21:03 PM
    Last modified : 8/29/2002 8:41:22 AM

    #:20 [teatimer.exe]
    FilePath : C:\Program Files\Spybot - Search & Destroy\
    ThreadCreationTime : 5-21-2004 3:45:47 PM
    BasePriority : Idle
    FileSize : 1014 KB
    FileVersion : 1, 3, 0, 12
    ProductVersion : 1, 3, 0, 12
    CompanyName : Safer Networking Limited
    FileDescription : System settings protector
    InternalName : TeaTimer
    OriginalFilename : TeaTimer.exe
    ProductName : Spybot - Search & Destroy
    Created on : 4/14/2004 5:03:00 AM
    Last accessed : 5/21/2004 3:23:20 PM
    Last modified : 5/12/2004 5:03:00 AM

    #:21 [rainlendar.exe]
    FilePath : C:\Program Files\Rainlendar\
    ThreadCreationTime : 5-21-2004 3:45:51 PM
    BasePriority : Normal
    FileSize : 40 KB
    Created on : 1/28/2004 6:11:30 PM
    Last accessed : 5/21/2004 3:45:51 PM
    Last modified : 1/28/2004 6:11:30 PM

    #:22 [wbloggar.exe]
    FilePath : C:\Program Files\bloggar\
    ThreadCreationTime : 5-21-2004 3:45:51 PM
    BasePriority : Normal
    FileSize : 584 KB
    FileVersion : 3.03.0165
    ProductVersion : 3.03.0165
    Copyright : Copyright
    CompanyName : RainDrops Freeware Project
    FileDescription : w.bloggar - Universal Weblog Interface
    InternalName : wbloggar
    OriginalFilename : wbloggar.exe
    ProductName : w.bloggar
    Created on : 7/12/2003 5:41:30 AM
    Last accessed : 5/21/2004 3:45:51 PM
    Last modified : 12/16/2003 4:48:30 PM

    #:23 [trillian.exe]
    FilePath : C:\Program Files\Trillian\
    ThreadCreationTime : 5-21-2004 3:45:51 PM
    BasePriority : Normal
    FileSize : 792 KB
    FileVersion : 2.0.1.112
    ProductVersion : 2.0.1.112
    CompanyName : Cerulean Studios
    FileDescription : Trillian
    InternalName : Trillian
    OriginalFilename : Trillian.exe
    ProductName : Trillian
    Created on : 1/12/2004 4:00:00 AM
    Last accessed : 5/21/2004 3:46:28 PM
    Last modified : 4/14/2004 11:09:29 PM

    #:24 [iexplore.exe]
    FilePath : C:\Program Files\Avant Browser\
    ThreadCreationTime : 5-21-2004 3:46:58 PM
    BasePriority : Normal
    FileSize : 674 KB
    FileVersion : 9.0.2.12
    ProductVersion : 9.0
    CompanyName : Avant Browser
    FileDescription : Avant Browser
    ProductName : Avant Browser
    Created on : 4/9/2004 4:55:44 PM
    Last accessed : 5/21/2004 3:46:58 PM
    Last modified : 4/9/2004 4:55:44 PM

    #:25 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 5-21-2004 3:48:05 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 7/10/2003 5:04:02 AM
    Last accessed : 5/21/2004 3:27:06 PM
    Last modified : 7/13/2003 1:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    11:54:36 AM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:01:11:853
    Objects scanned :51622
    Objects identified :0
    Objects ignored :0
    New objects :0

    Hopefully this will be good news :) THANK YOU!
     
  6. celerityfm

    celerityfm Registered Member

    Joined:
    May 20, 2004
    Posts:
    7
    One other thing to add-- after doing this I can now launch spyware blaster! :eek:

    I wonder if thats a sign that things are OK?

    (EDIT)Although AdAware just popped AGAIN about that DLL file.. :((/EDIT)
     
    Last edited: May 21, 2004
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Can you pelase post a fresh HijackThis log, a well as a new output.txt log?

    Thnx!

    Cheers,
     
  8. celerityfm

    celerityfm Registered Member

    Joined:
    May 20, 2004
    Posts:
    7
    No prob man here they are, thanks for the help.

    Note: I recently installed April's edition of Autopatcher XP http://www.autopatcher.com , so we've got a few new running processes/etc from last time. Doh!

    First HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:43:44 AM, on 5/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\uphclean\uphclean.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\bloggar\wbloggar.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Winamp\winamp.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Toby\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Toby/My%20Documents/big%20list.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (8394abfc1be196a62c9f532511936df7, 37808 bytes)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (964621e8b2415feaa99026ed4f29d198, 192512 bytes)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (skipped, 744960 bytes)
    O3 - Toolbar: Find - {8D029AEC-E412-4948-84B5-699A740946AE} - %SystemRoot%\System32\iefind.dll (file missing) (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (0fb22dd37c17f80ad71316049f725170, 31744 bytes)
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup (47d4d5e2f2b6a78dcd5dbdd8c06677ac, 345661 bytes)
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe (84f0c045f24dae5de54b9aff3450b181, 262144 bytes)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (5d8d50d90cbf3b5cc32100425545394a, 323584 bytes)
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (15cca68bee2d232166f992a7ae2f8002, 81920 bytes)
    O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe (1178f146097e820b1ed219c646693b52, 348160 bytes)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe (d7b9be63c406103ee1405fe473ac0697, 32881 bytes)
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe (ebd2ea535fc47d426d0c2fc7c7293534, 45632 bytes)
    O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe (064805a7893898cbf058086832217771, 86016 bytes)
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (414de7cf9d3f19c3ea902f1bb38ec116, 13312 bytes)
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (skipped, 1038336 bytes)
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe (30895afed476666c11470d7311c9ad81, 40960 bytes)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm (file missing)
    O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm (file missing)
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O8 - Extra context menu item: Zoom In - C:\WINDOWS\web\zoomin.htm (8aa6321f74d9c524a89e5fe739ee0691, 450 bytes)
    O8 - Extra context menu item: Zoom Out - C:\WINDOWS\web\zoomout.htm (2edded79e18f85e28a604869b77377f4, 450 bytes)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Now OUTPUT.TXT from running the DLLFIX START.BAT:

    --==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

    Sat 05/22/2004
    09:43 AM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (F0CC:B2E0) - FS:NTFS clusters:4k
    Total: 80 015 491 072 [75G] - Free: 2 896 121 856 [2.7G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q813489;Q330994;Q828750;Q824145;Q832894;Q837009;Q831167;Q813503;Q824463;Q826940;Q827057;Q837251;

    *Google Toolbar version and Attributes:
    Defaults: "A" ;"R"
    Path not found - C:\Program Files\google
    Path not found - C:\Program Files\google

    *UserAgent:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    *Wmplayer version:
    9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
    6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

    *M$Java version:


    *PC uptime:
    9:43am up 0 days, 19:21
    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error
    \\?\C:\WINDOWS\System32\ALKELH.DLL +++ File read error


    *List of top level windows:
    HWND PID PRIO TITLE
    10092 1532 norm TF_FloatingLangBar_WndTitle
    10094 1532 norm CiceroUIWndFrame
    1bd037e 1148 norm SysFader
    4002c 1148 norm _Shell_TrayWnd
    16033a 2616 norm Winamp Playlist Editor
    1c0360 2616 norm Winamp Library
    2a03ba 2616 norm Winamp Video
    250320 2616 norm Winamp Equalizer
    24030a 2616 norm 16. Chromatique - Numbers - Winamp [Paused]
    1a01a6 1804 norm Trillian: List Tooltip Entry
    2a01c2 3768 norm DirectDBNotifyWndProc
    2301b4 3768 norm Outlook Express FolderSync Window Class
    120364 2616 norm Configure FindIt [(c) 1999 by STND, Thorsten Vogel]
    4f02d4 2616 norm FindIt [(c) 1999 by STND, Thorsten Vogel]
    10026a 3768 norm OEStoreCleanupThread
    2b01e6 3768 norm DirectDBNotifyWndProc
    30194 3768 norm SysFader
    30190 3768 norm DirectDBNotifyWndProc
    c028a 3768 norm DirectDBListenWndProc
    d003a 3768 norm O
    1011a 1632 norm MessageWindow
    10118 1632 norm TodoWindow
    10114 1632 norm Rainlendar
    1008a 1424 Hotkeycontrol XP
    1001e 416 high NetDDE Agent
    260354 3492 norm C:\WINDOWS\System32\cmd.exe
    300288 1148 norm dllfix
    170322 1148 norm DDE Server Window
    2023e 2080 norm _Static
    201fc 2080 norm SpywareGuard
    301ee 2080 norm SpywareGuard
    10168 1804 norm Trillian
    10128 1804 norm Trillian
    330344 3644 norm NetscapeDispatchWnd
    260292 3644 norm XPCOM:EventReceiver
    a03d6 2616 norm DDE Server Window
    1701ac 2104 norm XPCOM:EventReceiver
    80356 1148 norm MCI command handling window
    13022e 3768 norm MCI command handling window
    30378 3768 norm Identity Mgr Notify
    150304 3768 norm WAB Notification Window
    2102a4 3768 norm Identity Mgr Notify
    30180 3768 norm Identity Mgr Notify
    50164 3768 norm Outlook Express
    410254 2088 norm SpywareGuard Brower Hijacking Protection
    1c0260 2088 norm SG Browser Hijacking Protection
    200e2 1540 idle Tea Timer
    100e4 1540 idle Spybot-S&D Resident
    10110 1200 norm _Static
    1010a 1200 norm :: w.bloggar :: v3.03 ::
    10100 1200 norm w.bloggar
    20160 1804 norm celerityfm - Console
    1015e 1200 norm IMMIF UI
    100f6 1632 norm Rainlendar control window
    100f8 1148 norm Connections Tray
    100ea 1148 norm Power Meter
    100ce 1424 _Static
    10076 1424 Hotkeycontrol XP
    100dc 1148 norm MS_WebcheckMonitor
    100cc 1416 norm Virtual DAEMON Manager V3.44
    10096 1364 norm AVG Control Center - FREE Edition
    10084 1524 norm StartupMonitor
    10078 1372 norm FlashKiosk Application
    30184 3768 norm Spam - Outlook Express - Main Identity
    2402c4 3644 norm Wilders Security Forums - Reply to Topic - Mozilla Firefox
    10060 1148 norm Program Manager
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"=""

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
    @="SpywareGuard Download Protection"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM

    Thanks!!!!!
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  10. celerityfm

    celerityfm Registered Member

    Joined:
    May 20, 2004
    Posts:
    7
    Pieter_Arntz- thanks for the reply!!

    Ok, I killed ALKELH.DLL using recovery console as specified, then ran AdAware as specified in the link you sent me.. during the AdAware scan AVG realtime scan started popping up saying it saw more Startpage.4.AO DLL files. I then ran Spybot for good measure as specified on the same page, and again AVG realtime popped up with more Startpage.4.AOs... so I fired up DLLFIX's start.bat and lo and behold, it found ANOTHER DLL file. So I "unlocked it" with option #2, rebooted, it ran second.bat, and then I went into recovery console and deleted THAT file-- THEN I rebooted one more time, ran adaware/spybot and THIS time avg DIDN'T popup! So, I ran a custom filescan of the SYSTEM32 directory and found about 6 or 7 randomly named DLL files that it id'd as Startpage.4.AO and I was able to delete and clean all those files.. seems like it moved into another DLL since I first identified it as ALKELH.DLL. But since I acted so quickly with recovery console I think we finally killed it.

    Posting HJT logfile for good measure if you spy anything wrong in that logfile please advise-- I can't find anything bad in it!

    Much appreciated!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:07 PM, on 5/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\DATACA~1\FLashKsk.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\uphclean\uphclean.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\bloggar\wbloggar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Avant Browser\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Toby\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Toby/My%20Documents/big%20list.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (8394abfc1be196a62c9f532511936df7, 37808 bytes)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (964621e8b2415feaa99026ed4f29d198, 192512 bytes)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (skipped, 744960 bytes)
    O3 - Toolbar: Find - {8D029AEC-E412-4948-84B5-699A740946AE} - %SystemRoot%\System32\iefind.dll (file missing) (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (0fb22dd37c17f80ad71316049f725170, 31744 bytes)
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup (47d4d5e2f2b6a78dcd5dbdd8c06677ac, 345661 bytes)
    O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe (84f0c045f24dae5de54b9aff3450b181, 262144 bytes)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (5d8d50d90cbf3b5cc32100425545394a, 323584 bytes)
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (15cca68bee2d232166f992a7ae2f8002, 81920 bytes)
    O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe (1178f146097e820b1ed219c646693b52, 348160 bytes)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe (d7b9be63c406103ee1405fe473ac0697, 32881 bytes)
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe (ebd2ea535fc47d426d0c2fc7c7293534, 45632 bytes)
    O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe (064805a7893898cbf058086832217771, 86016 bytes)
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (414de7cf9d3f19c3ea902f1bb38ec116, 13312 bytes)
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (skipped, 1038336 bytes)
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe (30895afed476666c11470d7311c9ad81, 40960 bytes)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer\Add_UrlO.htm (file missing)
    O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer\Add_AllO.htm (file missing)
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm (4671176065f64336216f8afcf1d3af38, 173 bytes)
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm (02002db952f42b5112b83497e7352b38, 176 bytes)
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm (8cd7b3b6c6dafffa1894f41451632f55, 198 bytes)
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm (826a39186355ad01a9dd5077ed8b8c31, 279 bytes)
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm (83f299af5782dcc0a17fd83e73f9cbeb, 195 bytes)
    O8 - Extra context menu item: Zoom In - C:\WINDOWS\web\zoomin.htm (8aa6321f74d9c524a89e5fe739ee0691, 450 bytes)
    O8 - Extra context menu item: Zoom Out - C:\WINDOWS\web\zoomout.htm (2edded79e18f85e28a604869b77377f4, 450 bytes)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.7208101852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi celerityfm,

    There are a few lines stating (file missing) in your log. Those are not bad but superfluous, so if you want, you can have those fixed.

    Good job, :cool:

    Pieter
     
  12. celerityfm

    celerityfm Registered Member

    Joined:
    May 20, 2004
    Posts:
    7
    Yay! Wonderful!

    Great job guys, thank you both so much for your help! And to all the lurkers viewing this message as well, hope it helps someone else in similar circumstances.

    Until the next mystery. Ciao.
     
Thread Status:
Not open for further replies.