
check up


3 replies to this topic

#1 antazn99


Posted 21 April 2005 - 02:48 AM

Hey, it has been a while and I used HijackThis again to find some new things among the stuff, so I'd appreciate it if anyone can take a look and tell me what I need to delete.

Logfile of HijackThis v1.99.1
Scan saved at 12:47:29 AM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msks32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\winhr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Owner\Desktop\spyware cleaners\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {795BB343-30B6-2B4F-FA68-F174D498229E} - C:\WINDOWS\system32\netgi.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Crazy Browser.exe] C:\Program Files\Crazy Browser\Crazy Browser.exe
O4 - HKLM\..\Run: [winhr32.exe] C:\WINDOWS\winhr32.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Owner\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\RunOnce: [msks32.exe] C:\WINDOWS\system32\msks32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/706ed77f/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winjs32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for taking the time to help me.


#2 OldTimer

Malware Expert

Posted 21 April 2005 - 01:18 PM

Hi antazn99. You have a number of infections on your computer. It will take me some time to write up a fix. I will post back to you when I have it ready.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 OldTimer

Malware Expert

Posted 21 April 2005 - 01:49 PM

Hi antazn99. Open Notepad and copy/paste these directions into the new document. Save the document to your desktop to use as we proceed and then follow the steps below in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CleanUp! and install it but do not run it yet.

Download Pocket Killbox and unzip it to your desktop.

Download FindIt2000XP.zip and unzip it to its own folder.

Step #2

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the Remote Procedure Call (RPC) Helper service and click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window:
    • sc delete 11F#`I
  • If you get an error message then copy/paste this line into the Command Prompt window:
    • sc delete Remote Procedure Call (RPC) Helper
  • Close the Command Prompt window
Step #3

Double-click on KillBox.exe to launch the program.
  • Paste the line below into the top Full Path of File to Delete field.
    • C:\WINDOWS\system32\facpg.dll
  • Click the Delete File button which looks like a stop sign.
  • Click No at the Pending Operations prompt.
Repeat the above steps for each of the following lines. The only difference is that you will be substituting the file listed in the first step with each of the files below.

C:\WINDOWS\system32\netgi.dll
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\winhr32.exe
C:\WINDOWS\system32\msks32.exe
C:\WINDOWS\system32\winjs32.exe

After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so. If you receive any error messages then reboot manually.

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {795BB343-30B6-2B4F-FA68-F174D498229E} - C:\WINDOWS\system32\netgi.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [winhr32.exe] C:\WINDOWS\winhr32.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Owner\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\RunOnce: [msks32.exe] C:\WINDOWS\system32\msks32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/706ed77f/enter.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winjs32.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\system32\facpg.dll
C:\WINDOWS\system32\netgi.dll
C:\Program Files\Media Access\ <--folder
C:\WINDOWS\winhr32.exe
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\MiniBug.exe
C:\WINDOWS\system32\msks32.exe
C:\WINDOWS\system32\winjs32.exe

Note: If you receive any error messages while trying to delete any of the above files/folder then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.

If needed, start in Safe Mode using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode reboot normally now.

Step #6

Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Now reboot your computer to finish the fix.

Step #7

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #8

Locate the Find.bat file that you unzipped in Step #1 and double-click on it. It will run for a while, so be patient. When finished, it will produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log back here as a reply to this message.

From the moment you post your list DO NOT reboot your system or log off. If you do, any remaining files could change and the next fix provided will not work.

Step #9

OK. Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file and the log file from the find.bat back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

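A rule-based triage of a HijackThis v1.99 log, as an added Python example that is not part of this thread and not a HijackThis or BleepingComputer tool: it applies the indicators OldTimer acted on in Step #4 (IE search pages redirected into a res:// DLL resource, an unnamed BHO, autoruns launched from Temp or re-launched via RunOnce from system32, ActiveX cabs from hosts outside an allow-list, a service with an unknown owner or missing binary) to constructed sample lines in the shape of this log. The allow-list of scanner hosts is an assumption; entries the helper picked from experience (winhr32.exe, Media Access) are deliberately not caught by these rules.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list: hosts of the online scanners the helper left alone in this thread.
TRUSTED_DPF_HOSTS = {
    "housecall-beta.trendmicro.com",
    "security.symantec.com",
    "a840.g.akamai.net",
}

# Constructed sample lines, copied in the shape of the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\facpg.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {795BB343-30B6-2B4F-FA68-F174D498229E} - C:\WINDOWS\system32\netgi.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\Owner\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\RunOnce: [msks32.exe] C:\WINDOWS\system32\msks32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winjs32.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFOD]\d+)\s+-\s+(?P<body>.*)$")


def classify(line):
    """Return a reason string if the entry should be selected for Fix Checked, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    if kind in ("R0", "R1") and "= res://" in low:
        # Start/search pages served out of a local DLL resource: the classic CWS-style hijack.
        return "IE search/start page points at a local DLL resource"
    if kind == "R3" and "urlsearchhook is missing" in low:
        return "default URLSearchHook has been removed"
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object"
    if kind == "O4":
        if re.search(r"\\temp\\", low):
            return "autorun entry launched from a Temp directory"
        if "runonce:" in low and "\\system32\\" in low:
            return "RunOnce entry re-launching a file from system32"
    if kind == "O16":
        url = body.rsplit(" - ", 1)[-1]          # the cab URL is the last " - " field
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return f"ActiveX download from untrusted host {host}"
    if kind == "O23" and ("(file missing)" in low or "unknown owner" in low):
        return "service with unknown owner or missing binary"
    return None


def triage(log_text):
    """Return [(log line, reason)] for every flagged entry, in log order."""
    flagged = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            flagged.append((line.strip(), reason))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"[{why}]\n    {entry}")
```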

#4 antazn99


Posted 21 April 2005 - 03:12 PM

Here is what find.bat found:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\spyware cleaners\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 3457-691A

Directory of C:\WINDOWS\System32

04/14/2005 12:50 PM <DIR> dllcache
11/28/2004 04:42 PM 512 VasEdR6.4so
11/22/2004 02:47 PM 253,962 Htw0Uz0Y.exe
11/18/2004 10:22 PM 253,962 Dqk5Y.exe
11/14/2004 05:58 PM 512 Msj8U.3h1
11/12/2004 01:38 AM 512 OzmSbN.xja
11/05/2004 01:05 PM 512 Lqh77.ggb
11/04/2004 01:13 PM 512 ZewIhUUP.8r9
11/04/2004 01:02 AM 512 Pul9X4.32m
11/04/2004 01:02 AM 512 Dizm4yYT.0v1
10/18/2004 08:39 PM 512 Qvn9Y4.42n
10/11/2004 09:07 AM 512 Kph77.ffa
10/09/2004 04:03 PM 512 Qvm9Y4.42n
10/04/2004 09:06 AM 512 Sxo0A5.43o
09/29/2004 12:17 AM 512 Ekbo.4az
09/28/2004 12:04 AM 512 Fkco.5ba
09/22/2004 08:34 PM 512 Otl9W3.31l
09/18/2004 08:22 PM 512 XctGfSS.5up
04/09/2003 10:51 PM <DIR> Microsoft
17 File(s) 515,604 bytes
2 Dir(s) 28,348,530,688 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 3457-691A

Directory of C:\WINDOWS\System32

04/21/2005 12:39 PM 892 vsconfig.xml
04/14/2005 12:50 PM <DIR> dllcache
02/11/2005 10:30 AM 4,212 zllictbl.dat
11/28/2004 04:42 PM 512 VasEdR6.4so
11/22/2004 02:47 PM 253,962 Htw0Uz0Y.exe
11/18/2004 10:22 PM 253,962 Dqk5Y.exe
11/14/2004 05:58 PM 512 Msj8U.3h1
11/12/2004 01:38 AM 512 OzmSbN.xja
11/05/2004 01:05 PM 512 Lqh77.ggb
11/04/2004 01:13 PM 512 ZewIhUUP.8r9
11/04/2004 01:02 AM 512 Pul9X4.32m
11/04/2004 01:02 AM 512 Dizm4yYT.0v1
10/18/2004 08:39 PM 512 Qvn9Y4.42n
10/11/2004 09:07 AM 512 Kph77.ffa
10/09/2004 04:03 PM 512 Qvm9Y4.42n
10/04/2004 09:06 AM 512 Sxo0A5.43o
09/30/2004 03:46 PM 17,920 loading.exe
09/29/2004 12:17 AM 512 Ekbo.4az
09/28/2004 12:04 AM 512 Fkco.5ba
09/22/2004 08:34 PM 512 Otl9W3.31l
09/18/2004 08:22 PM 512 XctGfSS.5up
04/09/2003 10:17 PM 488 WindowsLogon.manifest
04/09/2003 10:17 PM 488 logonui.exe.manifest
04/09/2003 10:17 PM 749 wuaucpl.cpl.manifest
04/09/2003 10:17 PM 749 ncpa.cpl.manifest
04/09/2003 10:17 PM 749 nwc.cpl.manifest
04/09/2003 10:17 PM 749 cdplayer.exe.manifest
04/09/2003 10:17 PM 749 sapi.cpl.manifest
27 File(s) 543,349 bytes
1 Dir(s) 28,348,526,592 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is HP_PAVILION
Volume Serial Number is 3457-691A

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is HP_PAVILION
Volume Serial Number is 3457-691A

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\appsys.exe: .aspack
C:\WINDOWS\system32\mssys.exe: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\OutLook.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Crazy Browser.exe"="C:\\Program Files\\Crazy Browser\\Crazy Browser.exe"
"WildTangent CDA"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




And here is my HJT list:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:29 PM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Owner\Desktop\spyware cleaners\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Crazy Browser.exe] C:\Program Files\Crazy Browser\Crazy Browser.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks for the help, OldTimer.
