****************************************
Bazooka Scanner v1.13.03
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
support@kephyr.com
Log created 11:45:55.
OS: Windows NT 5.1
Database version: 3.010000
Database format version: 1.020000
Database date: 20050613
Current date: 2005-06-15 11:45
****************************************

Result when scanning:

Aurora 645.353.000
%WinDir%\nail.exe
C:\WINDOWS\nail.exe
http://www.kephyr.com/spywarescanner/library/aurora/index.phtml

BullsEye 433.111.900
BullsEye Network
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\BullsEye Network
http://www.kephyr.com/spywarescanner/library/bullseye/index.phtml

BullsEye 433.111.900
msxct
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\msxct
http://www.kephyr.com/spywarescanner/library/bullseye/index.phtml

BullsEye 433.111.901
%ProgramsDir%\BullsEye Network\
C:\Program\BullsEye Network\
http://www.kephyr.com/spywarescanner/library/bullseye/index.phtml

CoolWebSearch.loadnew 325.634.000
%WinDir%\loadnew.exe
C:\WINDOWS\loadnew.exe
http://www.kephyr.com/spywarescanner/library/coolwebsearch.loadnew/index.phtml

CoolWebSearch.loadnew 325.634.001
Service Host
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service Host
http://www.kephyr.com/spywarescanner/library/coolwebsearch.loadnew/index.phtml

Internet Optimizer 123.000.000
nem220.dll
http://www.kephyr.com/spywarescanner/library/internetoptimizer/index.phtml

Internet Optimizer 123.000.002
Internet Optimizer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Internet Optimizer
http://www.kephyr.com/spywarescanner/library/internetoptimizer/index.phtml

Internet Optimizer 123.000.003
C:\Program Files\Internet Optimizer\
C:\Program Files\Internet Optimizer\
http://www.kephyr.com/spywarescanner/library/internetoptimizer/index.phtml

Unknown.startup.999 423.562.999
PayTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PayTime
http://www.kephyr.com/spywarescanner/library/unknown.startup.999/index.phtml

Unknown.startup.999 423.562.999
Disk Keeper
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Disk Keeper
http://www.kephyr.com/spywarescanner/library/unknown.startup.999/index.phtml

Unknown.startup.999 423.562.999
PayTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PayTime
http://www.kephyr.com/spywarescanner/library/unknown.startup.999/index.phtml

WebSiteViewer 523.8556.000
%ProgramsDir%\WebSiteViewer\
C:\Program\WebSiteViewer\
http://www.kephyr.com/spywarescanner/library/websiteviewer/index.phtml

W32.Backdoor.Nibu 889.889.000
load32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32
http://www.kephyr.com/spywarescanner/library/w32.backdoor.nibu/index.phtml

WinDir.svchost 838.222.000
%WinDir%\svchost.exe
C:\WINDOWS\svchost.exe
http://www.kephyr.com/spywarescanner/library/windir.svchost/index.phtml

****************************************

Auto start entries:

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\desktop.ini
C:\Documents and Settings\All Users\Start-meny\Program\Autostart\desktop.ini

C:\Documents and Settings\Roger\Start-meny\Program\Autostart\desktop.ini
C:\Documents and Settings\Roger\Start-meny\Program\Autostart\desktop.ini

Go here to analyse the startup entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************

Run entries:

System
C:\WINDOWS\System32\kernels32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\System

PayTime
C:\WINDOWS\System32\paytime.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PayTime

WindowsUpdate
C:\WINDOWS\System\svchost.exe /s
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

load32
C:\WINDOWS\System32\winldra.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\load32

Internet Optimizer
"C:\Program Files\Internet Optimizer\optimize.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Internet Optimizer

BullsEye Network
C:\Program\BullsEye Network\bin\bargains.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\BullsEye Network

msxct
msxct.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\msxct

WeirdOnTheWeb
"C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WeirdOnTheWeb

Service Host
C:\WINDOWS\System32\Services\{E145CB39-5286-4C1F-92DF-A724A93D898C}\SVCHOST.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service Host

Systems Restart
Rundll32.exe zolk.dll, DllRegisterServer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Systems Restart

_Cat4
C:\WINDOWS\msmsgr2.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\_Cat4

2nroktoj
C:\WINDOWS\System32\2nroktoj.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\2nroktoj

yxfgor
c:\windows\system32\kshmqg.exe r
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\yxfgor

gcasServ
"C:\Program\Microsoft AntiSpyware\gcasServ.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ

Disk Keeper
C:\WINDOWS\System32\Services\{E145CB39-5286-4C1F-92DF-A724A93D898C}\SECURITY.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Disk Keeper

PayTime
C:\WINDOWS\System32\paytime.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PayTime

Windows installer
C:\winstall.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows installer

SpySheriff
C:\Program Files\SpySheriff\SpySheriff.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SpySheriff

wupd
C:\WINDOWS\System32\win32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wupd

Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php

****************************************

Browser helper objects:

{00000010-6F7D-442C-93E3-4A4827C2E4C8}
not set
C:\WINDOWS\nem220.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8}

{9A4414E1-2985-7700-2A96-EA90A0336996}
not set
C:\WINDOWS\cdmweb\wfpbktxiei.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A4414E1-2985-7700-2A96-EA90A0336996}

{B75F75B8-93F3-429D-FF34-660B206D897A}
not set
C:\WINDOWS\System32\zolk.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B75F75B8-93F3-429D-FF34-660B206D897A}

{F4E04583-354E-4076-BE7D-ED6A80FD66DA}
C:\WINDOWS\System32\msbe.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}

{FFF5092F-7172-4018-827B-FA5868FB0478}
not set
C:\WINDOWS\System32\ztoolber.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF5092F-7172-4018-827B-FA5868FB0478}

****************************************

Toolbars:

{8E718888-423F-11D2-876E-00A0C9082467}
C:\WINDOWS\System32\msdxm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{8E718888-423F-11D2-876E-00A0C9082467}

CLSID
Error when opening a registry key, the key doesn't exist.
Key: HKEY_CLASSES_ROOT\CLSID\CLSID\InprocServer32
System error message: Det går inte att hitta filen.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\CLSID

{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
C:\WINDOWS\System32\ztoolber.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}

{01E04581-4EEE-11D0-BFE9-00AA005B4383}
C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{01E04581-4EEE-11D0-BFE9-00AA005B4383}
C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{0E5CBF21-D15F-11D0-8301-00AA005B4383}
C:\WINDOWS\system32\SHELL32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{4D5C8C25-D075-11d0-B416-00C04FB90376}
C:\WINDOWS\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

{32683183-48a0-441b-a342-7c2a440a9478}
C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}

{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
C:\WINDOWS\System32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}

****************************************

All processes:

[System Process]
System
smss.exe
csrss.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
svchost.exe
kshmqg.exe
dwwin.exe
paytime.exe
winldra.exe
kernels32.exe
msxct.exe
msmsgr2.exe
weirdontheweb.exe
SVCHOST.EXE
2nroktoj.exe
paytime.exe
tibs.exe
vxh8jkdq6.exe
vxh8jkdq7.exe
cmd.exe
dwwin.exe
buuolii.exe
bargains.exe
124497.dlr
cssrs.exe
win32.exe
newdial1.exe
newdial1.exe
GIANTAntiSpywareMain.exe
gcasDtServ.exe
IEXPLORE.EXE
wfpbktxiei.exe
dumprep.exe
IEXPLORE.EXE
dwwin.exe
maxd.exe
spywarescanner.exe

Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php

****************************************

Internet Explorer Settings:

Default_Page_URL
http://195.95.218.172/index.php
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Local Page
http://195.95.218.172/index.php
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page
http://195.95.218.172/index.php
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

www
http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

provider
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider

Default_Page_URL
http://195.95.218.172/index.php
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Local Page
http://195.95.218.172/index.php
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page
http://195.95.218.172/index.php
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

****************************************