| Thread ID: 88237 | 2008-03-20 07:30:00 | Virus, Trojan, Spyware infection | colinf (13530) | Press F1 |
| Post ID | Timestamp | Content | User |
| 651931 | 2008-03-24 01:57:00 | Boot into safe mode, then run Trojan Remover. Then click on Scan, and select all options under Utilities after. Nothing should be running then; see what happens then. | Speedy Gonzales (78) |
| 651932 | 2008-03-24 03:25:00 | Hi Speedy. I have opened Trojan Remover in safe mode and run all the selections under Options with no problems, but the access denied error still occurs when I run a scan. I have successfully deleted some of the entries Trojan Remover finds during a scan by using my renamed version of regedt32, and they don't return after a reboot. So it seems to me that the remaining problem is to bulk alter the permissions on the registry keys and values so that Trojan Remover can actually remove them. Colin | colinf (13530) |
| 651933 | 2008-03-24 03:37:00 | Umm, boot into safe mode again. Search for these files; they may be in C:\windows: DOWN(0).EXE, DOWN(1).EXE, WINLONGON.EXE. If the 2 down files are there, delete them. Be careful with Winlogon, as there may be a file in the C:\Windows\System32 folder. Tell me how many winlogon.exe files you have (and what folder each is in) before you delete one (if there's 2 of them). DON'T delete the winlogon.exe file YET. | Speedy Gonzales (78) |
| 651934 | 2008-03-24 05:02:00 | Hi Speedy. I could not find either of Down(0).exe or Down(1).exe. As for Winlogon.exe, there were 4 copies in folders like C:\WINNT\$NTUninstallKBnnnnn$, where nnnnn was a 5 digit number; 1 in C:\WINNT\$NtUpdateRollupPackUninstall$; 1 in C:\WINNT\ServicePackFiles\386; 1 in c:\WINNT\SYSTEM32; 1 in C:\WINNT\SYSTEM32\dllcache. All but the last two were in lowercase letters, the other two in uppercase letters, if that is significant. Colin | colinf (13530) |
| 651935 | 2008-03-24 05:26:00 | Is Driver Exden.exe still on this hdd? If it is, upload it here (http://virusscan.jotti.org/) once it isn't busy, and see what it says about it. | Speedy Gonzales (78) |
| 651936 | 2008-03-24 06:59:00 | Hi Speedy. Sorry, Driver Exden is long gone. Colin | colinf (13530) |
| 651937 | 2008-03-24 08:41:00 | Hi. I have just finished running an experiment, following up on Pancake's comment in post #34: "The files have been deleted but the run keys remain". I used the renamed version of regedt32.exe to work through the image file debugger section of the Combofix log and reset the permissions on all the keys whose key name started with digits or the letter a. I set the permissions to full access for all users. I then ran Trojan Remover to see which entries, if any, it could delete. You have probably guessed that it could delete all the entries I altered manually but none of the ones I hadn't. So the problem, as I stated earlier, is to find a way to bulk reset the permissions on the keys that Trojan Remover doesn't like, so it can actually delete them. To that end I have found that a program in the NT or Windows 2000 resource kit called regini.exe will do the job. There are probably other non-Microsoft utilities that can do this. However I have to successfully download regini.exe or any third party equivalent. If any of you know where I could download such a utility, could you please let me know? Latest Combofix log is below for your perusal. Colin

***** NORMAL SCAN FOR ACTIVE MALWARE ***** Trojan Remover Ver 6.6.8.2522.
For information, email support@simplysup.com [Unregistered version] Scan started at: 24/03/08 21:05:05 Using Database v6957 Operating System: Windows 2000 SP4 [Windows 2000 Professional Service Pack 4 (Build 2195)] File System: NTFS Data directory: C:\Documents and Settings\Doug McLaren.DOUGHOME\Application Data\Simply Super Software\Trojan Remover\ Logfile directory: C:\Documents and Settings\Doug McLaren.DOUGHOME\My Documents\Simply Super Software\Trojan Remover Logfiles\ Program directory: C:\Program Files\Trojan Remover\ Running with Administrator privileges ************************************************** ************************************************** 21:05:06: Scanning ----------WIN.INI----------- WIN.INI found in C:\WINNT ************************************************** 21:05:06: Scanning --------SYSTEM.INI--------- SYSTEM.INI found in C:\WINNT ************************************************** 21:05:06: ----- SCANNING FOR ROOTKIT SERVICES ----- No hidden Services were detected. 
************************************************** 21:05:06: Scanning -----WINDOWS REGISTRY----- -------------------- Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon This key's "Shell" value calls the following program(s): File: Explorer.exe C:\WINNT\Explorer.exe 243472 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- This key's "Userinit" value calls the following program(s): File: C:\WINNT\system32\userinit.exe C:\WINNT\system32\userinit.exe 17680 bytes Created: 01/01/80 Modified: 20/06/03 Company: Microsoft Corporation ---------- This key's "System" value appears to be blank ---------- This key's "UIHost" value appears to be blank ---------- -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -------------------- Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value Name: PrevxCSI Value Data: "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg C:\Program Files\PrevxCSI\prevxcsi.exe 109568 bytes Created: 23/03/08 Modified: 23/03/08 Company: Prevx -------------------- Value Name: TrojanScanner Value Data: C:\Program Files\Trojan Remover\Trjscan.exe C:\Program Files\Trojan Remover\Trjscan.exe 873552 bytes Created: 24/03/08 Modified: 17/03/08 Company: Simply Super Software -------------------- -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce This Registry Key appears to be empty -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices This Registry Key appears to be empty -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce This Registry Key appears to be empty -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx This Registry Key appears to be empty -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run This Registry Key appears to be empty
************************************************** 21:05:06: Scanning -----SHELLEXECUTEHOOKS----- ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972} File: shell32.dll - this file is expected and has been left in place ----------
************************************************** 21:05:06: Scanning -----HIDDEN REGISTRY ENTRIES----- Taskdir check completed ---------- No Hidden File-loading Registry Entries found ----------
************************************************** 21:05:06: Scanning -----ACTIVE SCREENSAVER----- No active ScreenSaver found to scan.
************************************************** 21:05:06: Scanning ----- REGISTRY ACTIVE SETUP KEYS ----- Key: >{26923b43-4d38-484f-9b9e-de460746276c} Path: "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE C:\WINNT\system32\shmgrate.exe 33552 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS Path: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP C:\WINNT\system32\IEDKCS32.DLL 294912 bytes Created: 29/08/02 Modified: 29/08/02 Company: Microsoft Corporation ---------- Key: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} Path: "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE C:\WINNT\system32\shmgrate.exe 33552 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT C:\WINNT\system32\advpack.dll 91136 bytes Created: 29/08/02 Modified: 29/08/02 Company: Microsoft Corporation ---------- Key: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install C:\Program Files\Outlook Express\setup50.exe 67584 bytes Created: 29/08/02 Modified: 29/08/02 Company: Microsoft Corporation ---------- Key: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT C:\WINNT\system32\advpack.dll - file already scanned ---------- Key: {6A5110B5-E14B-4268-A065-EF89FF33C325} Path: regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll 2 true 3 true 4 true 5 true 6 true 7 true initpki.dll [file not found to scan] ---------- Key: {7790769C-0471-11d2-AF11-00C04FA35D02} Path: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install C:\Program Files\Outlook Express\setup50.exe 67584 bytes Created: 29/08/02 Modified: 29/08/02 Company: Microsoft Corporation
---------- Key: {89820200-ECBD-11cf-8B85-00AA005B4340} Path: regsvr32.exe /s /n /i:U shell32.dll C:\WINNT\system32\shell32.dll 2362640 bytes Created: 13/07/06 Modified: 13/07/06 Company: Microsoft Corporation ---------- Key: {89820200-ECBD-11cf-8B85-00AA005B4383} Path: %SystemRoot%\System32\ie4uinit.exe C:\WINNT\System32\ie4uinit.exe 28672 bytes Created: 29/08/02 Modified: 29/08/02 Company: Microsoft Corporation ---------- Key: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} Path: %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl C:\WINNT\System32\updcrl.exe 7168 bytes Created: 23/03/01 Modified: 23/03/01 Company: Microsoft Corporation ---------- ************************************************** 21:05:07: Scanning ----- SERVICEDLL REGISTRY KEYS ----- Key: Alcmtr Path: C:\WINNT\system32\Alcmtr.dll C:\WINNT\system32\Alcmtr.dll [file not found to scan] -------------------- Key: BITS Path: C:\WINDOWS\system32\qmgr.dll C:\WINDOWS\system32\qmgr.dll [file not found to scan] -------------------- Key: COMROMLoader64 Path: C:\WINNT\inf\dvdromdrvs.inf C:\WINNT\inf\dvdromdrvs.inf [file not found to scan] -------------------- Key: EventSystem Path: C:\WINNT\System32\es.dll C:\WINNT\System32\es.dll 242448 bytes Created: 05/09/05 Modified: 05/09/05 Company: Microsoft Corporation -------------------- Key: servere Path: C:\WINNT\system32\servere.dll C:\WINNT\system32\servere.dll [file not found to scan] -------------------- Key: srfenm Path: %SystemRoot%\System32\pkeytc.dll C:\WINNT\System32\pkeytc.dll [file not found to scan] -------------------- Key: svcs Path: C:\PROGRA~1\winp\snet.dll C:\PROGRA~1\winp\snet.dll [file not found to scan] -------------------- Key: WmdmPmSN Path: C:\WINNT\system32\mspmsnsv.dll C:\WINNT\system32\mspmsnsv.dll 52224 bytes Created: 27/02/07 Modified: 26/11/02 Company: Microsoft Corporation -------------------- ************************************************** 21:05:08: Scanning ----- SERVICES REGISTRY KEYS ----- Key: 3ComDMIService 
ImagePath: C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE 110592 bytes Created: 13/02/02 Modified: 21/04/01 Company: 3Com Corporation ---------- Key: ActionAgent ImagePath: C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe 118784 bytes Created: 13/02/02 Modified: 22/08/01 Company: Dell Computer Corporation ---------- Key: adpu160m ImagePath: System32\DRIVERS\adpu160m.sys C:\WINNT\System32\DRIVERS\adpu160m.sys 64432 bytes Created: 13/02/02 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: aeaudio ImagePath: system32\drivers\aeaudio.sys C:\WINNT\system32\drivers\aeaudio.sys 4816 bytes Created: 01/04/02 Modified: 01/04/02 Company: Andrea Electronics Corporation ---------- Key: Aha154x ImagePath: System32\DRIVERS\aha154x.sys C:\WINNT\System32\DRIVERS\aha154x.sys 12336 bytes Created: 13/02/02 Modified: 25/09/99 Company: Microsoft Corporation ---------- Key: aic78u2 ImagePath: System32\DRIVERS\aic78u2.sys C:\WINNT\System32\DRIVERS\aic78u2.sys 65168 bytes Created: 13/02/02 Modified: 18/10/99 Company: Microsoft Corporation ---------- Key: aic78xx ImagePath: System32\DRIVERS\aic78xx.sys C:\WINNT\System32\DRIVERS\aic78xx.sys 56848 bytes Created: 13/02/02 Modified: 06/10/99 Company: Microsoft Corporation ---------- Key: AVG Anti-Rootkit ImagePath: System32\DRIVERS\avgarkt.sys C:\WINNT\System32\DRIVERS\avgarkt.sys 5632 bytes Created: 01/02/07 Modified: 01/02/07 Company: GRISOFT, s.r.o. ---------- Key: AvgArCln ImagePath: System32\DRIVERS\AvgArCln.sys C:\WINNT\System32\DRIVERS\AvgArCln.sys 3968 bytes Created: 07/03/07 Modified: 19/01/07 Company: GRISOFT, s.r.o. 
---------- Key: BCAITDI ImagePath: System32\DRIVERS\BCAItdi.sys C:\WINNT\System32\DRIVERS\BCAItdi.sys 19310 bytes Created: 13/02/02 Modified: 18/04/01 Company: 3Com Corporation ---------- Key: cisvc ImagePath: C:\WINNT\System32\cisvc.exe C:\WINNT\System32\cisvc.exe 5392 bytes Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- Key: CSIScanner ImagePath: "C:\Program Files\PrevxCSI\\PrevxCSI.exe" /service C:\Program Files\PrevxCSI\\PrevxCSI.exe 109568 bytes Created: 23/03/08 Modified: 23/03/08 Company: Prevx ---------- Key: DcCam ImagePath: system32\DRIVERS\DcCam.sys C:\WINNT\system32\DRIVERS\DcCam.sys 37150 bytes Created: 16/06/05 Modified: 16/06/05 Company: Eastman Kodak Company ---------- Key: DcFpoint ImagePath: system32\DRIVERS\DcFpoint.sys C:\WINNT\system32\DRIVERS\DcFpoint.sys 61564 bytes Created: 31/03/05 Modified: 31/03/05 Company: Eastman Kodak Company ---------- Key: DCFS2K ImagePath: system32\drivers\dcfs2k.sys C:\WINNT\system32\drivers\dcfs2k.sys 38673 bytes Created: 31/03/05 Modified: 31/03/05 Company: Eastman Kodak Company ---------- Key: DcLps ImagePath: system32\DRIVERS\DcLps.sys C:\WINNT\system32\DRIVERS\DcLps.sys 8022 bytes Created: 31/03/05 Modified: 31/03/05 Company: Eastman Kodak Company ---------- Key: DcPTP ImagePath: system32\DRIVERS\DcPTP.sys C:\WINNT\system32\DRIVERS\DcPTP.sys 70262 bytes Created: 31/03/05 Modified: 31/03/05 Company: Eastman Kodak Company ---------- Key: DellDmi ImagePath: C:\DMI\WIN32\bin\DellDmi.exe C:\DMI\WIN32\bin\DellDmi.exe 217088 bytes Created: 13/02/02 Modified: 22/08/01 Company: Dell Computer Corporation ---------- Key: DEventAgent ImagePath: C:\Program Files\Dell\OpenManage\Client\EventAgt.exe C:\Program Files\Dell\OpenManage\Client\EventAgt.exe 147456 bytes Created: 13/02/02 Modified: 22/08/01 Company: Dell Computer Corporation ---------- Key: DLT ImagePath: C:\Program Files\Dell\OpenManage\Client\DLT.exe C:\Program Files\Dell\OpenManage\Client\DLT.exe 131072 bytes Created: 13/02/02 
Modified: 22/08/01 Company: Dell Computer Corporation ---------- Key: dmadmin ImagePath: %SystemRoot%\System32\dmadmin.exe /com C:\WINNT\System32\dmadmin.exe 147728 bytes Created: 15/08/03 Modified: 20/06/03 Company: VERITAS Software Corp. ---------- Key: dmboot ImagePath: System32\drivers\dmboot.sys C:\WINNT\System32\drivers\dmboot.sys 369104 bytes Created: 01/01/80 Modified: 20/06/03 Company: VERITAS Software Corp. ---------- Key: dmio ImagePath: System32\drivers\dmio.sys C:\WINNT\System32\drivers\dmio.sys 137936 bytes Created: 01/01/80 Modified: 20/06/03 Company: VERITAS Software Corp. ---------- Key: dmload ImagePath: System32\drivers\dmload.sys C:\WINNT\System32\drivers\dmload.sys 7312 bytes Created: 01/01/80 Modified: 20/06/03 Company: VERITAS Software Corp. ---------- Key: Exportit ImagePath: system32\DRIVERS\exportit.sys C:\WINNT\system32\DRIVERS\exportit.sys 152081 bytes Created: 31/03/05 Modified: 31/03/05 Company: Eastman Kodak Company ---------- Key: fasttrak ImagePath: System32\DRIVERS\fasttrak.sys C:\WINNT\System32\DRIVERS\fasttrak.sys 64418 bytes Created: 13/02/02 Modified: 26/04/01 Company: Promise Technology, Inc. 
---------- Key: Fax ImagePath: %systemroot%\system32\faxsvc.exe C:\WINNT\system32\faxsvc.exe 94992 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: Fd16_700 ImagePath: System32\DRIVERS\fd16_700.sys C:\WINNT\System32\DRIVERS\fd16_700.sys 11280 bytes Created: 13/02/02 Modified: 25/09/99 Company: Microsoft Corporation ---------- Key: i81x ImagePath: System32\DRIVERS\i81xnt5.sys C:\WINNT\System32\DRIVERS\i81xnt5.sys 103104 bytes Created: 01/01/80 Modified: 08/08/00 Company: Intel Corporation ---------- Key: Iap ImagePath: C:\Program Files\Dell\OpenManage\Client\Iap.exe C:\Program Files\Dell\OpenManage\Client\Iap.exe 155648 bytes Created: 13/02/02 Modified: 22/08/01 Company: Dell Computer Corporation ---------- Key: ichaud ImagePath: system32\drivers\ichaud.sys C:\WINNT\system32\drivers\ichaud.sys 32592 bytes Created: 13/02/02 Modified: 22/10/99 Company: Microsoft Corporation ---------- Key: IdeBusDr ImagePath: System32\DRIVERS\IdeBusDr.sys C:\WINNT\System32\DRIVERS\IdeBusDr.sys 13182 bytes Created: 13/02/02 Modified: 23/03/01 Company: Intel Corporation ---------- Key: IntelATA ImagePath: System32\DRIVERS\IntelAta.sys C:\WINNT\System32\DRIVERS\IntelAta.sys 79106 bytes Created: 13/02/02 Modified: 23/03/01 Company: Intel Corporation ---------- Key: IPFilter ImagePath: System32\DRIVERS\IPFilter.sys C:\WINNT\System32\DRIVERS\IPFilter.sys 11504 bytes Created: 01/01/80 Modified: 19/05/00 Company: Microsoft Corporation ---------- Key: KodakCCS ImagePath: %SystemRoot%\system32\drivers\KodakCCS.exe C:\WINNT\system32\drivers\KodakCCS.exe 411920 bytes Created: 30/03/05 Modified: 30/03/05 Company: Eastman Kodak Company ---------- Key: LogWatch ImagePath: C:\WINNT\LogWatNT.exe C:\WINNT\LogWatNT.exe 50176 bytes Created: 09/06/00 Modified: 09/06/00 Company: ---------- Key: mnmsrvc ImagePath: C:\WINNT\System32\mnmsrvc.exe C:\WINNT\System32\mnmsrvc.exe 21776 bytes Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- Key: 
mraid2k ImagePath: System32\DRIVERS\mraid2k.sys C:\WINNT\System32\DRIVERS\mraid2k.sys 17258 bytes Created: 13/02/02 Modified: 08/06/01 Company: American Megatrends, Inc. ---------- Key: mraid35x ImagePath: System32\DRIVERS\mraid35x.sys C:\WINNT\System32\DRIVERS\mraid35x.sys 9488 bytes Created: 13/02/02 Modified: 05/11/99 Company: American MegaTrends Inc. ---------- Key: MSDTC ImagePath: C:\WINNT\System32\msdtc.exe C:\WINNT\System32\msdtc.exe 6928 bytes Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- Key: msikbd2k ImagePath: System32\DRIVERS\msikbd2k.sys C:\WINNT\System32\DRIVERS\msikbd2k.sys 6883 bytes Created: 13/02/02 Modified: 06/06/00 Company: Netropa Corporation ---------- Key: NetDetect ImagePath: \SystemRoot\system32\drivers\netdtect.sys C:\WINNT\system32\drivers\netdtect.sys 9680 bytes Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- Key: nhksrv ImagePath: C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe 28672 bytes Created: 13/02/02 Modified: 13/09/00 Company: ---------- Key: nv4 ImagePath: System32\DRIVERS\nv4.sys C:\WINNT\System32\DRIVERS\nv4.sys 345040 bytes Created: 01/01/80 Modified: 27/10/99 Company: NVIDIA Corporation ---------- Key: Parallel ImagePath: System32\DRIVERS\parallel.sys C:\WINNT\System32\DRIVERS\parallel.sys 60208 bytes Created: 01/01/80 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: pxark ImagePath: System32\drivers\pxark.sys C:\WINNT\System32\drivers\pxark.sys 10880 bytes Created: 23/03/08 Modified: 24/03/08 Company: ---------- Key: PxHelp20 ImagePath: system32\DRIVERS\PxHelp20.sys C:\WINNT\system32\DRIVERS\PxHelp20.sys 20576 bytes Created: 23/09/04 Modified: 23/09/04 Company: Sonic Solutions ---------- Key: RCA ImagePath: system32\drivers\RCA.sys C:\WINNT\system32\drivers\RCA.sys 21712 bytes Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- Key: RemoteRegistry 
ImagePath: %SystemRoot%\system32\regsvc.exe C:\WINNT\system32\regsvc.exe 68368 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: RSVP ImagePath: %SystemRoot%\System32\rsvp.exe -s C:\WINNT\System32\rsvp.exe 176912 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: smwdm ImagePath: system32\drivers\smwdm.sys C:\WINNT\system32\drivers\smwdm.sys 500568 bytes Created: 28/05/02 Modified: 28/05/02 Company: Analog Devices, Inc. ---------- Key: Sparrow ImagePath: System32\DRIVERS\sparrow.sys C:\WINNT\System32\DRIVERS\sparrow.sys 19376 bytes Created: 13/02/02 Modified: 28/09/99 Company: Adaptec, Inc. ---------- Key: StiSvc ImagePath: %systemroot%\system32\stisvc.exe C:\WINNT\system32\stisvc.exe 61712 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: sxgbvswp ImagePath: \SystemRoot\System32\drivers\sxgbvswp.SYS C:\WINNT\System32\drivers\sxgbvswp.SYS 1069088 bytes Created: 13/02/02 Modified: 01/09/00 Company: YAMAHA CORPORATION ---------- Key: tcaicchg ImagePath: \??\C:\WINNT\System32\tcaicchg.sys C:\WINNT\System32\tcaicchg.sys 21233 bytes Created: 13/02/02 Modified: 06/06/00 Company: 3Com Corporation ---------- Key: TCAITDI ImagePath: System32\DRIVERS\TCAITDI.sys C:\WINNT\System32\DRIVERS\TCAITDI.sys 19374 bytes Created: 13/02/02 Modified: 28/03/01 Company: 3Com Corporation ---------- Key: TlntSvr ImagePath: %SystemRoot%\system32\tlntsvr.exe C:\WINNT\system32\tlntsvr.exe 186128 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: uhcd ImagePath: System32\DRIVERS\uhcd.sys C:\WINNT\System32\DRIVERS\uhcd.sys 32848 bytes Created: 13/02/02 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: Ultra ImagePath: System32\DRIVERS\ultra.sys C:\WINNT\System32\DRIVERS\ultra.sys 46848 bytes Created: 13/02/02 Modified: 26/04/01 Company: Promise Technology, Inc. 
---------- Key: UtilMan ImagePath: %SystemRoot%\System32\UtilMan.exe C:\WINNT\System32\UtilMan.exe 22800 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: Win32Sl ImagePath: C:\dmi\win32\bin\Win32sl.exe C:\dmi\win32\bin\Win32sl.exe 249344 bytes Created: 13/02/02 Modified: 18/06/01 Company: Intel ---------- Key: Winachcf ImagePath: System32\DRIVERS\winachcf.sys C:\WINNT\System32\DRIVERS\winachcf.sys 899548 bytes Created: 01/01/80 Modified: 16/08/00 Company: Conexant ---------- Key: WinMgmt ImagePath: %SystemRoot%\System32\WBEM\WinMgmt.exe C:\WINNT\System32\WBEM\WinMgmt.exe 196706 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- ************************************************** 21:05:24: Scanning -----VXD ENTRIES----- Checking the following VxD entries: C:\WINNT\system32\JAVASUP.VXD 7315 bytes Created: 15/08/03 Modified: 28/02/03 Company: VxD Key = JAVASUP ---------- ---------- ************************************************** 21:05:24: Scanning ----- WINLOGON\NOTIFY DLLS ----- Key: wzcnotif DLL: wzcdlg.dll C:\WINNT\system32\wzcdlg.dll 52496 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- ************************************************** 21:05:25: Scanning ----- CONTEXTMENUHANDLERS ----- Key: Offline Files CLSID: {750fdf0e-2a26-11d1-a3ea-080036587f03} Path: cscui.dll C:\WINNT\system32\cscui.dll 242960 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: Open With CLSID: {09799AFB-AD67-11d1-ABCD-00C04FC30936} Path: %SystemRoot%\system32\shell32.dll C:\WINNT\system32\shell32.dll 2362640 bytes Created: 13/07/06 Modified: 13/07/06 Company: Microsoft Corporation ---------- Key: Open With EncryptionMenu CLSID: {A470F8CF-A1E8-4f65-8335-227475AA5C46} Path: %SystemRoot%\system32\shell32.dll C:\WINNT\system32\shell32.dll 2362640 bytes Created: 13/07/06 Modified: 13/07/06 Company: Microsoft Corporation ---------- Key: 
ShellExtension CLSID: [empty] ---------- Key: Trojan Remover CLSID: {52B87208-9CCF-42C9-B88E-069281105805} Path: C:\PROGRA~1\TROJAN~1\Trshlex.dll C:\PROGRA~1\TROJAN~1\Trshlex.dll 467552 bytes Created: 24/03/08 Modified: 05/02/07 Company: Simply Super Software ---------- Key: WinZip CLSID: {E0D79304-84BE-11CE-9641-444553540000} Path: C:\PROGRA~1\WinZip\WZSHLSTB.DLL C:\PROGRA~1\WinZip\WZSHLSTB.DLL 24644 bytes Created: 19/04/00 Modified: 19/04/00 Company: WinZip Computing, Inc. ---------- ************************************************** 21:05:25: Scanning ----- FOLDER\COLUMNHANDLERS ----- Key: {0D2E74C4-3C34-11d2-A27E-00C04FC30871} File: %SystemRoot%\system32\shell32.dll C:\WINNT\system32\shell32.dll 2362640 bytes Created: 13/07/06 Modified: 13/07/06 Company: Microsoft Corporation ---------- Key: {24F14F01-7B1C-11d1-838f-0000F80461CF} File: %SystemRoot%\system32\shell32.dll C:\WINNT\system32\shell32.dll 2362640 bytes Created: 13/07/06 Modified: 13/07/06 Company: Microsoft Corporation ---------- Key: {24F14F02-7B1C-11d1-838f-0000F80461CF} File: %SystemRoot%\system32\shell32.dll C:\WINNT\system32\shell32.dll 2362640 bytes Created: 13/07/06 Modified: 13/07/06 Company: Microsoft Corporation ---------- Key: {66742402-F9B9-11D1-A202-0000F81FEDEE} File: C:\WINNT\System32\docprop2.dll C:\WINNT\System32\docprop2.dll 304912 bytes Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- Key: {7D4D6379-F301-4311-BEBA-E26EB0561882} File: C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll 1515520 bytes Created: 27/02/07 Modified: 04/04/05 Company: Nero AG ---------- Key: {7f9609be-af9a-11d1-83e0-00c04fb6e984} File: %SystemRoot%\system32\faxshell.dll C:\WINNT\system32\faxshell.dll 8464 bytes Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- Key: {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} File: C:\WINNT\System32\docprop2.dll C:\WINNT\System32\docprop2.dll 304912 bytes 
Created: 01/01/80 Modified: 08/05/01 Company: Microsoft Corporation ---------- ************************************************** 21:05:26: Scanning ----- BROWSER HELPER OBJECTS ----- Key: {AA58ED58-01DD-4d91-8333-CF10577473F7} BHO: c:\program files\google\googletoolbar1.dll c:\program files\google\googletoolbar1.dll -R- 2403392 bytes Created: 11/02/08 Modified: 11/02/08 Company: Google Inc. ---------- ************************************************** 21:05:26: Scanning ----- SHELLSERVICEOBJECTS ----- Key: Network.ConnectionTray CLSID: {7007ACCF-3202-11D1-AAD2-00805FC1270E} Path: C:\WINNT\system32\NETSHELL.dll C:\WINNT\system32\NETSHELL.dll 477456 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- Key: WebCheck CLSID: {E6FB5E20-DE35-11CF-9C87-00AA005127ED} Path: %SystemRoot%\System32\webcheck.dll C:\WINNT\System32\webcheck.dll 258048 bytes Created: 29/08/02 Modified: 29/08/02 Company: Microsoft Corporation ---------- Key: SysTray CLSID: {35CEC8A3-2BE6-11D2-8773-92E220524153} Path: stobject.dll C:\WINNT\system32\stobject.dll 81168 bytes Created: 15/08/03 Modified: 20/06/03 Company: Microsoft Corporation ---------- ************************************************** 21:05:27: Scanning ----- SHAREDTASKSCHEDULER ENTRIES ----- Value: {8C7461EF-2B13-11d2-BE35-3078302C2030} Comment: Component Categories cache daemon File: %SystemRoot%\System32\browseui.dll C:\WINNT\System32\browseui.dll 1018368 bytes Created: 11/10/07 Modified: 11/10/07 Company: Microsoft Corporation ---------- ************************************************** 21:05:27: Scanning ----- IMAGEFILE DEBUGGERS ----- Key = 60e41.exe Debugger file = C:\windows\system32\svchost.exe - this entry has been removed [file not found to scan] ---------- Key = adam.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = ADVXDWIN Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not 
found to scan] ---------- Key = AgentSvr.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = alertsvc.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = ALOGSERV Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = amon.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AMON9X Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = an006.exe Debugger file = C:\windows\system32\svchost.exe - this entry has been removed [file not found to scan] ---------- Key = anti - trojan.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AntiArp.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = antivir Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = ANTS Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AppSvc32.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = arvmon.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = ATCON Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AtiSrv.exe Debugger file = C:\windows\system32\svchost.exe - this entry has been removed [file not found to scan] ---------- Key = ATUPDATER Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found 
to scan] ---------- Key = ATWATCH Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AutoGuarder.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = autoruns.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AutoTrace Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVGCC32 Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avgrssvc.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AvgServ Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVGSERV9 Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVGW Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avkpop Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AvkServ Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avkservice Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avkwctl9 Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AvMonitor.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avp.com Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to 
scan] ---------- Key = avp.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avpmon.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avpnt.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = Avrep32.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = avsynmgr.exe Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVWINNT Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVXMONITOR9X Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVXMONITORNT Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVXQUAR Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = AVXW Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry has been removed [file not found to scan] ---------- Key = BullGuard Debugger file = C:\WINNT\system32\Driver Exden.exe - this entry could not be removed [ACCESS ERROR]: unable to access the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard ---------- Key = CCAPP.EXE C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = ccSvcHst.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = cfgWiz C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] 
---------- Key = cfind.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = claw95ct.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = clrav.com C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = CMGRDIAN C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = CONNECTIONMONITOR C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = CPDClnt C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = CTRL C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = d39.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = dbghlp32.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = defalert C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = defscangui C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = DEFWATCH C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = dodolook_7513.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = DOORS C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = dotnetfc1.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = 
dv95.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = dv95_o.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = EFINET32.EXE C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = EFPEADM C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = eREAD.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = espwatch.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = ETRUSTCIPE C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = EVPN C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = EXPERT C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = f - agnt95.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = f - prot.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = f - prot95.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = f - stopw.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fameh32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fch32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fih32 
C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = FileDsty.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = filemon.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = findt2005.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fnrb32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fp - win.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = FPROT95.EXE C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = frhhusyk.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fsaa C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fsav32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fsgk32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fsm32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fsma32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = fsmb32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = FTCleanerShell.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = gbmenu 
C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = GBPOLL C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = GENERICS C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = GUARD C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = haZl0oh.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = HijackThis.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = IAMSTATS C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = IceSword.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = icmoon.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = icssuppnt.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = iparmo.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = IsHelp.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = isPwdSvc.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = ISRV95 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = jed.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = kabaload.exe 
C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KaScrScn.SCR C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KASTask.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KAVDX.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KAVSetup.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KAVStart.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = kbfz.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = killhidepid.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KISLnchr.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KMailMon.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KMFilter.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = kpf.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KPFW32.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KPFW32X.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KPFWSvc.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = 
KRegEx.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KRepair.COM C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KsLoader.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KVCenter.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KvDetect.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KvfwMcl.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KVMonXP.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KVMonXP_1.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = kvol.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = kvolself.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KvReport.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = Kvsc3.exE C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KVScan.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KVStub.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = kvupload.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] 
---------- Key = KvXP.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KvXP_1.kxp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KWatch.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KWatch9x.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = KWatchX.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = kzdh@webbrowser-lyrics_2012.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = LDPROMENU C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = LDSCAN C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = loaddll.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = lockdownadvanced.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = lucomserver.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = LUSPT C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MagicSet.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = mcafee C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MCAGENT C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not 
found to scan] ---------- Key = mcconsol.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MCMNHDLR C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MCTOOL C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MCUPDATE C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MCVSRTE C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MCVSSHLD C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MGHTML C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MINILOG C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = mmqczj.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = mmsk.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = Monitor.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MPFSERVICE C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = msconfig.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = msyaxk.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = MWATCH C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- 
Key = mycc080223.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = my_200801.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = my_70218.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = n32scan.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NAVENGNAVEX15 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = navrunr.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = navsched.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NAVSetup.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = navw.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = ndd32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NeoWatchLog C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = netutils C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = nisserv.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = nod32krn.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = notstart.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] 
---------- Key = npscheck C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = npssvc C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = nsched32.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = Nspclean.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = ntrtscan C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NTVDM C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NTXconfig C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NVSVC32 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NWService C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = NWTOOL16 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = offguard.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = outpost.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = PADMIN C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = padmin.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pav.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = 
pavmail.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pavproxy C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pcciomon.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pccmain.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pccwin97 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pcntmon C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pcscan C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = peer.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = per.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = perd.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = Performance.exe C:\windows\system32\svchost.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pertsk.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = perupd.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pervac.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pervacd.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = PFW.exe 
C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pfwagent.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pfwcon.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = PFWLiveUpdate.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = POP3TRAP C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = POPROXY C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = PORTMONITOR C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pqremove.com C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = PROCESSMONITOR C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = procexp C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = PROGRAMAUDITOR C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pview95 C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = pview95.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = QHSET.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = rapapp.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = 
Ras.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in place [file not found to scan] ---------- Key = RavCopy.exe C:\WINNT\system32\Driver Exden.exe - this Debugger entry has been left in |
colinf (13530) | ||
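The log quoted above is a list of Image File Execution Options (IFEO) hijacks: for every name listed under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`, a `Debugger` value makes Windows start that "debugger" instead of the named program, so launching any of those security tools ran the malware's own file instead. The useful information in a dump this long is which names were actually cleaned, which still redirect, and which keys the tool could not touch because of the permission problem discussed in this thread. This is an added example, not part of the original post or of Trojan Remover; it parses a few constructed lines in the same three shapes the quoted output uses (a removed entry, an entry left in place, and an `[ACCESS ERROR]` entry) and reports the keys that still need attention.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the Trojan Remover output quoted in the post
# above (five entries in the three forms that output takes; not the real log).
SAMPLE_LOG = (
    "---------- Key = avp.exe Debugger file = C:\\WINNT\\system32\\Driver Exden.exe"
    " - this entry has been removed [file not found to scan] "
    "---------- Key = anti - trojan.exe Debugger file = C:\\WINNT\\system32\\Driver Exden.exe"
    " - this entry has been removed [file not found to scan] "
    "---------- Key = BullGuard Debugger file = C:\\WINNT\\system32\\Driver Exden.exe"
    " - this entry could not be removed [ACCESS ERROR]: unable to access the following"
    " registry key: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File"
    " Execution Options\\BullGuard "
    "---------- Key = HijackThis.exe C:\\WINNT\\system32\\Driver Exden.exe"
    " - this Debugger entry has been left in place [file not found to scan] "
    "---------- Key = d39.exe C:\\windows\\system32\\svchost.exe"
    " - this Debugger entry has been left in place [file not found to scan] "
)

# One IFEO entry. The hijacked name may itself contain spaces ("anti - trojan.exe"),
# so the key is matched non-greedily up to the drive-letter path that follows it.
ENTRY_RE = re.compile(
    r"Key = (?P<key>.+?) (?:Debugger file = )?(?P<path>[A-Za-z]:\\.+?)"
    r" - this (?:Debugger )?entry "
    r"(?P<status>has been removed|has been left in place|could not be removed)"
)
# Registry key reported after an access error; this is the key whose ACL must be fixed.
REGKEY_RE = re.compile(r"unable to access the following registry key: (?P<regkey>.+?)\s*$")


def parse_log(text):
    """Split the tool output on its '----------' separators and parse each IFEO entry."""
    entries = []
    for chunk in text.split("----------"):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.search(chunk)
        if not m:
            continue  # preamble or footer text, not an IFEO entry
        rk = REGKEY_RE.search(chunk)
        entries.append({
            "key": m.group("key"),                 # hijacked program name
            "debugger": m.group("path"),           # where launches were redirected
            "status": m.group("status"),
            "access_error": "[ACCESS ERROR]" in chunk,
            "registry_key": rk.group("regkey") if rk else None,
        })
    return entries


def summarize(entries):
    """Group hijacks by redirect target and list what still needs cleaning."""
    by_target = defaultdict(list)
    for e in entries:
        by_target[e["debugger"].lower()].append(e["key"])
    return {
        "total": len(entries),
        "status_counts": dict(Counter(e["status"] for e in entries)),
        "by_debugger_target": {t: sorted(k) for t, k in by_target.items()},
        # Keys the tool could not open: these are the ones whose permissions
        # must be reset before any cleaner can delete them.
        "needs_permission_repair": [
            e["registry_key"] for e in entries if e["access_error"] and e["registry_key"]
        ],
        # Names that still redirect to the malware after the run.
        "still_hijacked": sorted(e["key"] for e in entries if e["status"] != "has been removed"),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for target, names in report["by_debugger_target"].items():
        print(f"{target}: {len(names)} hijacked names")
    print("still hijacked:", report["still_hijacked"])
    print("keys needing ACL repair:", report["needs_permission_repair"])
```

Run against the real log, `needs_permission_repair` gives exactly the list of keys whose permissions have to be opened up (by hand, or in bulk with regini as discussed later in the thread) before the cleaner's next pass, and `by_debugger_target` shows that the hijacks fall into two families by redirect target, which is worth knowing because each family may come from a different component of the infection.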
| 651938 | 2008-03-25 09:02:00 | Hi. Have had a bit of trouble finding regini.exe so gave up earlier tonight and changed the permissions on the Imagefile debugger entries in the combofix log by hand. Having done this ran combofix and it deleted all the entries it wanted to, and now runs with no errors. Yay! Ran my registry checker program and it returned 34,000 errors, most of which are in the HKCU\Software and HKU\ areas of the registry. After this minor success had another look for regini.exe. Managed to find that too, after putting the right search phrase into Google. I have in fact downloaded all the utilities from the windows 2003 resource kit from a microsoft site. Not completely sure this will work on Windows 2000, although one site I looked at earlier said they had used later resource kit utilities on earlier versions so I am hopeful. Now I have to figure how to dump the 34000 key names into a file so I can create the batch file to do the job. I will keep you posted. Colin |
colinf (13530) | ||
| 651939 | 2008-03-25 09:09:00 | good luck on fixing your friends pc, but after you fix it, install Zone Alarm for him, along with Spyware doctor from Google Pack to make sure he does not get infected again. Tell him to buy an av | SPARTAN 860 (2618) | ||
| 651940 | 2008-03-29 04:37:00 | Hi all, I have been busy over the last few days putting together my fix for the problem. Hence no posts. I found that to set the permissions on the entries I wanted to delete was easy. E.g. I had, as I said, approx 5,500 entries of the form HKCU\Software\aaaaa where aaaaa were 5 randomly generated letters. To set the ability to delete the rubbish I went to HKCU\software and ticked the checkbox to propagate the permissions to all its child objects. Of course it took me about three days to find this gem of information, which slowed down the process a bit. After making that fix I dumped out the offending keys using regedit; hand edited all the sub key info out of the file; did a find and replace to add the delete code into the registry file; and then merged the info back into the registry. This has reduced the registry from 64 MB to 24 MB, and the pc is running much faster now. Thanks everyone for your help and assistance. I could never have done it without you. Colin P.S. Have installed a firewall, Antivirus and antispyware, as spartan860 suggested |
colinf (13530) | ||
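The export-edit-merge procedure in the post above (dump the keys with regedit, strip the subkey blocks, turn each remaining key header into a delete instruction, merge the file back) is exactly what a short script does more safely than find-and-replace, because it can skip legitimate keys that happen to look like the junk pattern. This is an added example, not Colin's own file or anything from the thread; it works on a constructed regedit export, assumes the junk keys are five-letter names directly under `HKEY_CURRENT_USER\Software` as the post describes, and takes an allow-list so that a real vendor key of the same length (a hypothetical `Adobe` is used here) is never deleted. In a .reg file a key header written as `[-HKEY_...]` deletes that key and everything under it, so the subkey blocks from the export can simply be dropped.

```python
import re

# Constructed sample of a regedit export, in the same shape the post describes
# (junk keys named with five random letters beside legitimate vendor keys).
# Not the real export from the infected machine.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft]

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows]
"Setting"="value"

[HKEY_CURRENT_USER\\Software\\qzkrt]
"a"=dword:00000001

[HKEY_CURRENT_USER\\Software\\qzkrt\\sub]

[HKEY_CURRENT_USER\\Software\\Adobe]

[HKEY_CURRENT_USER\\Software\\Mozilla]

[HKEY_CURRENT_USER\\Software\\bvxoe]
"""

# Matches only a key header that sits directly under HKCU\Software and whose name is
# exactly five letters. Subkeys ("...\\qzkrt\\sub") do not match, which is fine:
# deleting the parent removes them too.
JUNK_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\Software\\([A-Za-z]{5})\]$")


def find_junk_keys(export_text, allowlist=frozenset()):
    """Return the full key paths that match the junk pattern and are not allow-listed."""
    allowed = {name.lower() for name in allowlist}
    junk = []
    for line in export_text.splitlines():
        m = JUNK_KEY_RE.match(line.strip())
        if m and m.group(1).lower() not in allowed:
            junk.append(m.group(0)[1:-1])  # drop the surrounding [ ]
    return junk


def build_delete_reg(keys):
    """Build the text of a .reg file that deletes each key (the '[-key]' form)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines)


def write_delete_reg(keys, path):
    """Write the deletion file; version 5.00 .reg files are UTF-16 with CRLF line ends."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(build_delete_reg(keys))


if __name__ == "__main__":
    # Allow-list is a constructed example; in practice list every legitimate
    # five-letter vendor key present on the machine being cleaned.
    junk = find_junk_keys(SAMPLE_EXPORT, allowlist={"Adobe"})
    print(f"{len(junk)} junk keys found")
    print(build_delete_reg(junk))
```

Before merging, the generated file should be read through once: every line in it is a deletion, so the allow-list is the only thing standing between a typo in the pattern and the loss of a real key. Backing up the branch first (a plain regedit export of `HKEY_CURRENT_USER\Software`) makes the operation reversible. On Windows 2000 a file with the older `REGEDIT4` header and ANSI encoding is also accepted and uses the same `[-key]` syntax.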