
Hijackthis Log - Please help


19 replies to this topic

#1 Cyndi_Truj

Cyndi_Truj

  • Members
  • 15 posts

Posted 29 July 2005 - 05:41 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:35:51 PM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.0.0.0.0
O15 - Trusted Zone: *.alpineaccess.com
O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.workathomeagent.com
O15 - Trusted Zone: *.workathomeagent.net
O15 - Trusted Zone: http://www.workingsol.com
O15 - Trusted Zone: *.workingsol.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120676611140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120676886235
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/.../weblaunch2.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...544/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\iHsads.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 July 2005 - 03:00 PM

Hello Cyndi_Truj and welcome to the BC malware forum. After reviewing your log I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can hide malware from us when we are performing a fix, so we would like you to reenable those startup entries by doing the following:

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. It will ask you to reboot so reboot normally.

Now please create a new Hijackthis Log and post it here as a reply. I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

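An added example, not part of this thread and not code from the HijackThis tool: a small Python parser for HijackThis entry lines that makes the point above mechanical. It flags the O4 Run entry that launches MSConfig.exe with /auto (the sign that the machine is booting under Selective Startup, so disabled items never show up in the log), lists O15 Trusted Zone hosts for review, and counts O10 Winsock LSP lines that repeat. The sample lines are copied from logs posted in this thread; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O15 - Trusted Zone: *.0.0.0.0
O15 - Trusted Zone: *.workingsol.com
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
"""

# Every HJT entry line starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# O4 Run entries carry the registry value name in brackets, then the command line.
RUN_RE = re.compile(r"\[([^\]]+)\] (.*)$")


def parse_entries(text):
    """Return a list of (section, body) tuples; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_entries(entries):
    """Yield (value_name, command) for each O4 Run-key entry."""
    out = []
    for section, body in entries:
        if section != "O4":
            continue
        m = RUN_RE.search(body)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def selective_startup_active(entries):
    """True when an O4 entry runs MSConfig.exe with /auto.

    Windows adds this Run value after msconfig's Selective Startup has been used,
    so items the user unticked are not loaded and do not appear in the log.
    """
    for name, command in run_entries(entries):
        if name.lower() == "msconfig" and "/auto" in command.lower():
            return True
    return False


def trusted_zone_hosts(entries):
    """Hosts listed in O15 Trusted Zone entries (wildcards such as *.0.0.0.0 included), for review."""
    return [body.split(": ", 1)[1] for section, body in entries if section == "O15"]


def duplicate_lsp_entries(entries):
    """O10 Winsock LSP bodies that appear more than once, with their counts."""
    counts = Counter(body for section, body in entries if section == "O10")
    return {body: n for body, n in counts.items() if n > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("Selective Startup active:", selective_startup_active(parsed))
    print("Trusted Zone hosts:", trusted_zone_hosts(parsed))
    print("Repeated LSP entries:", duplicate_lsp_entries(parsed))
```

Run it against a saved log with `python hjt_check.py` after replacing SAMPLE_LOG with the file's contents; the Selective Startup check is the one to look at first, because a log taken in that state is incomplete and any fix list built from it will miss entries.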

#3 Cyndi_Truj

Cyndi_Truj
  • Topic Starter

  • Members
  • 15 posts

Posted 30 July 2005 - 10:44 PM

OT

FYI, which I'm sure you already know, but when I restarted in normal, all the entries and registry items of known adware and others that had previously reappeared and restarted, as well as others. Immediately upon restarting, Penicilin internet suite found and cleaned WORM_NAVIDAD.E, which also kept popping right back up and the suite kept re-cleaning. Almost did not make it back to the internet. Here is the log. PLEASE PLEASE help if you can...anyone


Logfile of HijackThis v1.99.1
Scan saved at 10:31:08 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\itiole32.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\irmnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [t27V3pQ] itiole32.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [stexfs] c:\windows\system32\tjvdqai.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [npnpvu] c:\windows\system32\btnanfo.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvmllk.exe
O4 - HKLM\..\Run: [hhrtbc] C:\WINDOWS\system32\hhrtbc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteggf32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users.WINDOWS\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKCU\..\Run: [Zhnovyr] C:\WINDOWS\system32\?ymbols\mmc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Wpao] C:\Program Files\rsed\hsee.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [cssrv8] C:\WINDOWS\system32\cssrv8.exe
O4 - HKCU\..\Run: [cluskp] C:\WINDOWS\system32\cluskp.exe
O4 - HKCU\..\Run: [c1o9Rfc4Q] irmnt.exe
O4 - HKCU\..\Run: [Auna] C:\WINDOWS\system32\??stem32\smss.exe
O4 - HKCU\..\Run: [atiere] C:\WINDOWS\system32\atiere.exe
O4 - Startup: SpamSubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O15 - Trusted Zone: *.0.0.0.0
O15 - Trusted Zone: *.alpineaccess.com
O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.workathomeagent.com
O15 - Trusted Zone: *.workathomeagent.net
O15 - Trusted Zone: http://www.workingsol.com
O15 - Trusted Zone: *.workingsol.com
O16 - DPF: Aurigma Image Uploader 2.0 -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120676611140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120676886235
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/.../weblaunch2.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...544/mcfscan.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\iHsads.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 July 2005 - 01:12 AM

Hi Cyndi_Truj. Yes, this is what we wanted. The original log didn't show anything because MsConfig was not running the files we had to see for removal. We cannot remove what we cannot see.

It appears that we have a few different infections here and I don't think we are seeing all of it. Let's run a different scanner to see if we can pick up the rest.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 Cyndi_Truj

Cyndi_Truj
  • Topic Starter

  • Members
  • 15 posts

Posted 31 July 2005 - 04:04 AM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
FSG! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
PTech 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
aurora.exe 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 7/28/2005 6:26:26 PM 17408 C:\WINDOWS\icont.exe
qoologic 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
urllogic 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
urllogic 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
abetterinternet.com 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 5/5/2005 9:27:00 PM 170053 C:\WINDOWS\tsc.exe
UPX! 5/22/2005 1:21:48 PM 288256 C:\WINDOWS\unshred1.exe
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
UPX! 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 7/29/2005 11:52:14 AM 66048 C:\WINDOWS\SYSTEM32\cssrv8.exe
PEC2 8/29/2002 3:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 7/31/2005 2:08:00 AM 417792 C:\WINDOWS\SYSTEM32\eh.dll
WinShutDown 7/31/2005 2:08:00 AM 417792 C:\WINDOWS\SYSTEM32\eh.dll
PECompact2 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 3:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 7/30/2005 1:01:48 AM 700224 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 7/30/2005 1:01:48 AM 700224 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 7/30/2005 1:01:48 AM 700224 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
UPX! 3/30/2004 5:12:52 PM 929968 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys
aspack 3/30/2004 5:12:52 PM 929968 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/6/2005 2:04:16 PM 0 C:\WINDOWS\inf\oem29.inf
7/31/2005 3:17:40 AM 20480 C:\WINDOWS\system32\config\default.LOG
7/31/2005 3:17:34 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
7/31/2005 3:17:16 AM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
7/31/2005 3:17:40 AM 151552 C:\WINDOWS\system32\config\software.LOG
7/31/2005 3:17:28 AM 1069056 C:\WINDOWS\system32\config\system.LOG
7/24/2005 2:07:00 AM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/26/2005 11:05:20 AM 190 C:\WINDOWS\Tasks\RUTASK.job
7/31/2005 3:15:16 AM 6 C:\WINDOWS\Tasks\SA.DAT
7/29/2005 10:04:56 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8RATUDWF\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\MZIP2D8H\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OP8RGTU1\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YJ0ZEPWH\desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/11/2005 8:54:44 PM 793 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
3/23/2005 7:39:12 PM 1759 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/26/2004 12:13:50 AM 763 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
9/26/2004 12:13:56 AM 738 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk
5/7/2005 9:25:06 PM 789 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\SpySubtract.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
5/7/2005 9:32:06 PM 1725 C:\Documents and Settings\Cyndi.SPANISHFLY\Start Menu\Programs\Startup\SpamSubtract.lnk

Checking files in %USERPROFILE%\Application Data folder...
7/26/2005 11:59:02 AM 120 C:\Documents and Settings\Cyndi.SPANISHFLY\Application Data\Sskdmns.dll

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{88B7CA11-F78E-43BB-AFB0-19CDEDAEFE5B} =
{DF440243-76F2-4716-9806-F32401D71BFD} =
{9476B30F-0233-4E59-8F63-DA515BA51900} =
{DA5165D3-2E9E-4E96-A2A8-3AF977C7AD82} = C:\WINDOWS\system32\olbccp32.dll
{E3ACC6B0-ECCC-49B6-AA64-EFFFA577DD0B} =
{4699FBCC-4278-4F40-9E2D-7936009B6969} =
{651754E0-0F48-40DF-826D-1333A3AECE88} =

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CounterSpy File Shredder
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fftkkxyn
{385d181d-b1b3-49c5-b484-4df5edac7370} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\PROGRA~1\INCRED~1\bin\ImShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SystemService C:\WINDOWS\etb\pokapoka62.exe
System service62 C:\WINDOWS\etb\pokapoka62.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SurfSideKick 3 C:\Program Files\SurfSideKick 3\Ssk.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
sunasServ C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
sunasDTServ C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
stexfs c:\windows\system32\tjvdqai.exe
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
pccguide.exe "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
npnpvu c:\windows\system32\btnanfo.exe
NaviSearch C:\Program Files\NaviSearch\bin\nls.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
Media Access C:\Program Files\Media Access\MediaAccK.exe
MCUpdateExe C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
KavSvc C:\WINDOWS\system32\vvmllk.exe
hhrtbc C:\WINDOWS\system32\hhrtbc.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
exp.exe C:\WINDOWS\system32\exp.exe
Display Settings C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
checkrun C:\windows\system32\eliteggf32.exe
cfgmgr52 RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
CashBack C:\Program Files\CashBack\bin\cashback.exe
CARPService carpserv.exe
BullsEye Network C:\Program Files\BullsEye Network\bin\bargains.exe
BMan C:\Documents and Settings\All Users.WINDOWS\Application Data\msw\BMan1.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AutoUpdater "C:\Program Files\AutoUpdate\AutoUpdate.exe"
AutoLoaderAproposClient "C:\WINDOWS\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
AUNPS2 RUNDLL32 AUNPS2.DLL,_Run@16
ap9h4qmo C:\WINDOWS\system32\ap9h4qmo.exe
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB rundll32.exe E6F1873B.DLL,D9EBC318C
t27V3pQ mdmis13n.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Zhnovyr C:\WINDOWS\system32\?ymbols\mmc.exe
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Wpao C:\Program Files\rsed\hsee.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
E6TaskPanel "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
cssrv8 C:\WINDOWS\system32\cssrv8.exe
cluskp C:\WINDOWS\system32\cluskp.exe
c1o9Rfc4Q lan4svc.exe
Auna C:\WINDOWS\system32\??stem32\smss.exe
atiere C:\WINDOWS\system32\atiere.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoRun 0
NoFind 0
NoRecentDocsMenu 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility
= C:\WINDOWS\system32\iHsads.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Scan Complete
WinPFind v1.2.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/31/2005 3:31:44 AM

#6 OldTimer
Malware Expert • Members • 11,092 posts • Location: North Carolina

Posted 31 July 2005 - 10:59 AM

Hi Cyndi_Truj. Ok, we have our work cut out for us here so let's get started. Please print these directions and then proceed with the following steps in order.
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\icont.exe
      C:\WINDOWS\jjhvv.dll
      C:\WINDOWS\unshred1.exe
      C:\WINDOWS\SYSTEM32\cssrv8.exe
      C:\WINDOWS\SYSTEM32\eh.dll
      C:\Documents and Settings\Cyndi.SPANISHFLY\Application Data\Sskdmns.dll
      C:\WINDOWS\system32\olbccp32.dll
      C:\WINDOWS\system32\iHsads.dll
      C:\WINDOWS\system32\itiole32.exe
      C:\WINDOWS\etb\pokapoka62.exe
      C:\Program Files\SurfSideKick 3\
      c:\windows\system32\tjvdqai.exe
      c:\windows\system32\btnanfo.exe
      C:\Program Files\NaviSearch\
      C:\Program Files\Media Access\
      C:\WINDOWS\system32\vvmllk.exe
      C:\WINDOWS\system32\hhrtbc.exe
      C:\WINDOWS\system32\exp.exe
      C:\windows\system32\eliteggf32.exe
      C:\WINDOWS\cfgmgr52.dll
      C:\Program Files\CashBack\
      C:\Program Files\BullsEye Network\
      C:\Documents and Settings\All Users.WINDOWS\Application Data\msw\
      C:\Program Files\AutoUpdate\
      C:\WINDOWS\system32\cxtpls_loader.EXE
      C:\WINDOWS\system32\AUNPS2.DLL
      C:\WINDOWS\system32\ap9h4qmo.exe
      C:\WINDOWS\system32\E6F1873B.DLL
      C:\WINDOWS\system32\wintask.exe
      C:\Program Files\rsed\
      C:\WINDOWS\system32\cluskp.exe
      C:\WINDOWS\system32\atiere.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • If not greyed out click the checkbox for Deltree (Include SubDirectories)
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
  • After your system reboots, open Notepad and copy/paste the text in the quotebox below into the new document

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fftkkxyn]
[-HKEY_CLASSES_ROOT\CLSID\{385d181d-b1b3-49c5-b484-4df5edac7370}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{385d181d-b1b3-49c5-b484-4df5edac7370}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{88B7CA11-F78E-43BB-AFB0-19CDEDAEFE5B}"=-
"{DF440243-76F2-4716-9806-F32401D71BFD}"=-
"{9476B30F-0233-4E59-8F63-DA515BA51900}"=-
"{DA5165D3-2E9E-4E96-A2A8-3AF977C7AD82}"=-
"{E3ACC6B0-ECCC-49B6-AA64-EFFFA577DD0B}"=-
"{4699FBCC-4278-4F40-9E2D-7936009B6969}"=-
"{651754E0-0F48-40DF-826D-1333A3AECE88}"=-
[-HKEY_CLASSES_ROOT\CLSID\{88B7CA11-F78E-43BB-AFB0-19CDEDAEFE5B}]
[-HKEY_CLASSES_ROOT\CLSID\{DF440243-76F2-4716-9806-F32401D71BFD}]
[-HKEY_CLASSES_ROOT\CLSID\{9476B30F-0233-4E59-8F63-DA515BA51900}]
[-HKEY_CLASSES_ROOT\CLSID\{DA5165D3-2E9E-4E96-A2A8-3AF977C7AD82}]
[-HKEY_CLASSES_ROOT\CLSID\{E3ACC6B0-ECCC-49B6-AA64-EFFFA577DD0B}]
[-HKEY_CLASSES_ROOT\CLSID\{4699FBCC-4278-4F40-9E2D-7936009B6969}]
[-HKEY_CLASSES_ROOT\CLSID\{651754E0-0F48-40DF-826D-1333A3AECE88}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]

  • Save the document to your desktop as fixqoo.reg and close Notepad. Locate the fixqoo.reg file on your desktop and right-click on it
  • Choose Merge from the popup menu and answer Yes or Ok to any further prompts
  • Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
    • O4 - HKLM\..\Run: [t27V3pQ] itiole32.exe
      O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
      O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
      O4 - HKLM\..\Run: [stexfs] c:\windows\system32\tjvdqai.exe
      O4 - HKLM\..\Run: [npnpvu] c:\windows\system32\btnanfo.exe
      O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
      O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
      O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vvmllk.exe
      O4 - HKLM\..\Run: [hhrtbc] C:\WINDOWS\system32\hhrtbc.exe
      O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
      O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteggf32.exe
      O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
      O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
      O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
      O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users.WINDOWS\Application Data\msw\BMan1.exe
      O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
      O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
      O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
      O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
      O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
      O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
      O4 - HKCU\..\Run: [Zhnovyr] C:\WINDOWS\system32\?ymbols\mmc.exe
      O4 - HKCU\..\Run: [Wpao] C:\Program Files\rsed\hsee.exe
      O4 - HKCU\..\Run: [cssrv8] C:\WINDOWS\system32\cssrv8.exe
      O4 - HKCU\..\Run: [cluskp] C:\WINDOWS\system32\cluskp.exe
      O4 - HKCU\..\Run: [Auna] C:\WINDOWS\system32\??stem32\smss.exe
      O4 - HKCU\..\Run: [atiere] C:\WINDOWS\system32\atiere.exe
      O15 - Trusted Zone: *.0.0.0.0
      O15 - Trusted Zone: *.alpineaccess.com
      O15 - Trusted Zone: *.west.com
      O15 - Trusted Zone: *.workathomeagent.com
      O15 - Trusted Zone: *.workathomeagent.net
      O15 - Trusted Zone: http://www.workingsol.com
      O15 - Trusted Zone: *.workingsol.com
      O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
      O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
      O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
      O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} -
      O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\iHsads.dll
  • Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
  • Reboot and post a new HijackThis log along with a new WinPFind log
I will review the new information when it comes in.

OT

Additional note:
It appears that there are multiple anti-virus applications and multiple firewalls running on this computer. This is not recommended: it can cause file access issues, and the duplicate programs can even block each other from doing their jobs. I highly recommend that you choose whichever one of each of these you want to keep and uninstall the others.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#7 Cyndi_Truj
Topic Starter • Members • 15 posts

Posted 01 August 2005 - 09:19 AM

OT, these were run from Normal startup; hope that is what you wanted.
FYI, I initially had only one virus/firewall program, but after all the problems started I began downloading additional ones to run to scan for problems that the others may not have been catching.... Personally, which do you have more faith in?

Logfile of HijackThis v1.99.1
Scan saved at 9:14:29 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\lan4svc.exe
C:\WINDOWS\System32\svchost.exe
C:\WinPFind\WinPFind\WinPFind\WinPFind.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [c1o9Rfc4Q] lan4svc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Common Files\Microsoft Shared\Artgalry\ARTGALRY.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.0.0.0.0
O16 - DPF: Aurigma Image Uploader 2.0 -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120676611140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120676886235
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/.../weblaunch2.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...544/mcfscan.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\aai2dvag.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
FSG! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
PTech 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
aurora.exe 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
qoologic 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
urllogic 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
urllogic 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
abetterinternet.com 5/13/2005 6:49:36 PM 3857 C:\WINDOWS\jjhvv.dll
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 5/5/2005 9:27:00 PM 170053 C:\WINDOWS\tsc.exe
UPX! 5/22/2005 1:21:48 PM 288256 C:\WINDOWS\unshred1.exe
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
UPX! 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
Umonitor 7/31/2005 8:23:44 PM 417792 C:\WINDOWS\SYSTEM32\abtiveds.dll
WinShutDown 7/31/2005 8:23:44 PM 417792 C:\WINDOWS\SYSTEM32\abtiveds.dll
Umonitor 8/1/2005 2:53:52 AM 417792 C:\WINDOWS\SYSTEM32\CDMMTB32.DLL
WinShutDown 8/1/2005 2:53:52 AM 417792 C:\WINDOWS\SYSTEM32\CDMMTB32.DLL
UPX! 7/29/2005 11:52:14 AM 66048 C:\WINDOWS\SYSTEM32\cssrv8.exe
Umonitor 7/31/2005 11:05:30 PM 417792 C:\WINDOWS\SYSTEM32\dddskmgr.dll
WinShutDown 7/31/2005 11:05:30 PM 417792 C:\WINDOWS\SYSTEM32\dddskmgr.dll
PEC2 8/29/2002 3:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/1/2005 2:40:46 AM 417792 C:\WINDOWS\SYSTEM32\dkmv2clt.dll
WinShutDown 8/1/2005 2:40:46 AM 417792 C:\WINDOWS\SYSTEM32\dkmv2clt.dll
Umonitor 7/31/2005 10:52:12 PM 417792 C:\WINDOWS\SYSTEM32\dl3j.dll
WinShutDown 7/31/2005 10:52:12 PM 417792 C:\WINDOWS\SYSTEM32\dl3j.dll
Umonitor 7/31/2005 2:08:00 AM 417792 C:\WINDOWS\SYSTEM32\eh.dll
WinShutDown 7/31/2005 2:08:00 AM 417792 C:\WINDOWS\SYSTEM32\eh.dll
Umonitor 7/31/2005 3:55:02 AM 417792 C:\WINDOWS\SYSTEM32\fdclient.dll
WinShutDown 7/31/2005 3:55:02 AM 417792 C:\WINDOWS\SYSTEM32\fdclient.dll
Umonitor 7/27/2005 1:11:34 PM 417792 C:\WINDOWS\SYSTEM32\iHsads.dll
WinShutDown 7/27/2005 1:11:34 PM 417792 C:\WINDOWS\SYSTEM32\iHsads.dll
Umonitor 8/1/2005 2:21:32 AM 417792 C:\WINDOWS\SYSTEM32\ktdes.dll
WinShutDown 8/1/2005 2:21:32 AM 417792 C:\WINDOWS\SYSTEM32\ktdes.dll
Umonitor 8/1/2005 12:54:20 AM 417792 C:\WINDOWS\SYSTEM32\mbise.dll
WinShutDown 8/1/2005 12:54:20 AM 417792 C:\WINDOWS\SYSTEM32\mbise.dll
PECompact2 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 7/31/2005 7:58:36 AM 417792 C:\WINDOWS\SYSTEM32\mwxlegih.dll
WinShutDown 7/31/2005 7:58:36 AM 417792 C:\WINDOWS\SYSTEM32\mwxlegih.dll
Umonitor 7/31/2005 10:54:54 PM 417792 C:\WINDOWS\SYSTEM32\mzxml3r.dll
WinShutDown 7/31/2005 10:54:54 PM 417792 C:\WINDOWS\SYSTEM32\mzxml3r.dll
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 7/31/2005 11:22:30 PM 417792 C:\WINDOWS\SYSTEM32\ohethk32.dll
WinShutDown 7/31/2005 11:22:30 PM 417792 C:\WINDOWS\SYSTEM32\ohethk32.dll
Umonitor 7/31/2005 10:28:32 PM 417792 C:\WINDOWS\SYSTEM32\pcrfctrs.dll
WinShutDown 7/31/2005 10:28:32 PM 417792 C:\WINDOWS\SYSTEM32\pcrfctrs.dll
Umonitor 7/31/2005 9:55:48 PM 417792 C:\WINDOWS\SYSTEM32\podx5032.dll
WinShutDown 7/31/2005 9:55:48 PM 417792 C:\WINDOWS\SYSTEM32\podx5032.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor 8/1/2005 1:03:32 AM 417792 C:\WINDOWS\SYSTEM32\tXembed.dll
WinShutDown 8/1/2005 1:03:32 AM 417792 C:\WINDOWS\SYSTEM32\tXembed.dll
Umonitor 8/1/2005 1:24:36 AM 417792 C:\WINDOWS\SYSTEM32\wapns.dll
WinShutDown 8/1/2005 1:24:36 AM 417792 C:\WINDOWS\SYSTEM32\wapns.dll
winsync 8/29/2002 3:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/1/2005 12:25:28 AM 417792 C:\WINDOWS\SYSTEM32\wpweb.dll
WinShutDown 8/1/2005 12:25:28 AM 417792 C:\WINDOWS\SYSTEM32\wpweb.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/6/2005 2:04:16 PM 0 C:\WINDOWS\inf\oem29.inf
8/1/2005 8:48:20 AM 1024 C:\WINDOWS\system32\config\default.LOG
8/1/2005 8:44:34 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/1/2005 8:45:04 AM 1024 C:\WINDOWS\system32\config\SECURITY.LOG
8/1/2005 8:50:04 AM 1024 C:\WINDOWS\system32\config\software.LOG
8/1/2005 8:49:46 AM 1024 C:\WINDOWS\system32\config\system.LOG
7/24/2005 2:07:00 AM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/26/2005 11:05:20 AM 190 C:\WINDOWS\Tasks\RUTASK.job
8/1/2005 8:12:06 AM 6 C:\WINDOWS\Tasks\SA.DAT
7/29/2005 10:04:56 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CLE3WLUZ\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GDEVS9A3\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OPIJG5MF\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WH274XUR\desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/11/2005 8:54:44 PM 793 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
3/23/2005 7:39:12 PM 1759 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/26/2004 12:13:50 AM 763 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
8/1/2005 3:22:44 AM 928 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
7/26/2005 11:59:02 AM 120 C:\Documents and Settings\Cyndi.SPANISHFLY\Application Data\Sskdmns.dll

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{DA5165D3-2E9E-4E96-A2A8-3AF977C7AD82} = C:\WINDOWS\system32\mhaatext.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CounterSpy File Shredder
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\PROGRA~1\INCRED~1\bin\ImShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
ttupt C:\WINDOWS\ttupt.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
System service62 C:\WINDOWS\etb\pokapoka62.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
sunasServ C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
sunasDTServ C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
Media Access C:\Program Files\Media Access\MediaAccK.exe
MCUpdateExe C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Display Settings C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
CARPService carpserv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
c1o9Rfc4Q lan4svc.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoRun 0
NoFind 0
NoRecentDocsMenu 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate
= C:\WINDOWS\system32\aai2dvag.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Scan Complete
WinPFind v1.2.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/1/2005 9:10:17 AM

#8 Cyndi_Truj

Posted 01 August 2005 - 09:22 AM

Also, I don't know if it mattered, but when using WinPFind I was unable to copy all and paste from the clipboard... it did most but refused to do select ones for some reason, so the ones that would not copy I copied and pasted individually and rebooted after EACH one, just to be sure that they had been done also.

#9 OldTimer

Malware Expert

Posted 01 August 2005 - 06:05 PM

Hi Cyndi_Truj. We have a number of new files here so let's take care of those. Please print these directions and then proceed with the following steps in order.

Step #1

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer in Safe Mode.

Step #2

Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\jjhvv.dll
      C:\WINDOWS\unshred1.exe
      C:\WINDOWS\SYSTEM32\abtiveds.dll
      C:\WINDOWS\SYSTEM32\CDMMTB32.DLL
      C:\WINDOWS\SYSTEM32\cssrv8.exe
      C:\WINDOWS\SYSTEM32\dddskmgr.dll
      C:\WINDOWS\SYSTEM32\dkmv2clt.dll
      C:\WINDOWS\SYSTEM32\dl3j.dll
      C:\WINDOWS\SYSTEM32\eh.dll
      C:\WINDOWS\SYSTEM32\fdclient.dll
      C:\WINDOWS\SYSTEM32\iHsads.dll
      C:\WINDOWS\SYSTEM32\ktdes.dll
      C:\WINDOWS\SYSTEM32\mbise.dll
      C:\WINDOWS\SYSTEM32\mwxlegih.dll
      C:\WINDOWS\SYSTEM32\mzxml3r.dll
      C:\WINDOWS\SYSTEM32\ohethk32.dll
      C:\WINDOWS\SYSTEM32\pcrfctrs.dll
      C:\WINDOWS\SYSTEM32\podx5032.dll
      C:\WINDOWS\SYSTEM32\tXembed.dll
      C:\WINDOWS\SYSTEM32\wapns.dll
      C:\WINDOWS\SYSTEM32\wpweb.dll
      C:\WINDOWS\Tasks\RUTASK.job
      C:\Documents and Settings\Cyndi.SPANISHFLY\Application Data\Sskdmns.dll
      C:\WINDOWS\system32\mhaatext.dll
      C:\WINDOWS\ttupt.exe
      C:\WINDOWS\etb\pokapoka62.exe
      C:\Program Files\Media Access\MediaAccK.exe
      C:\WINDOWS\system32\aai2dvag.dll
      C:\WINDOWS\system32\lan4svc.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Your system will reboot now. Reboot back into Safe Mode.

Step #3

Find the following files/folders and delete them (don't worry if they are already gone):
C:\Program Files\Media Access\ <--folder

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [c1o9Rfc4Q] lan4svc.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} -
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\aai2dvag.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

OK. Reboot your computer normally, perform a new scan with HijackThis and with WinPFind. Use the Add Reply button to post your new log files back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#10 Cyndi_Truj

Posted 02 August 2005 - 09:33 PM

OT, I have been having major problems with the computer after trying the last instructions listed; I have been unable to start in safe or normal mode. I had to restore back to Saturday and try the fixes and cleanings all over again, so you may see some changes, but here is the latest:


Logfile of HijackThis v1.99.1
Scan saved at 8:16:04 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120676611140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120676886235
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/.../weblaunch2.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...544/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\uaerenv.dll

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
FSG! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
PTech 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
aurora.exe 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 5/5/2005 9:27:00 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
UPX! 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
Umonitor 8/2/2005 6:40:52 PM 417792 C:\WINDOWS\SYSTEM32\daquery.dll
WinShutDown 8/2/2005 6:40:52 PM 417792 C:\WINDOWS\SYSTEM32\daquery.dll
PEC2 8/29/2002 3:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/1/2005 11:50:00 PM 417792 C:\WINDOWS\SYSTEM32\doocx.dll
WinShutDown 8/1/2005 11:50:00 PM 417792 C:\WINDOWS\SYSTEM32\doocx.dll
Umonitor 7/30/2005 12:51:52 PM 417792 C:\WINDOWS\SYSTEM32\FrsVpn.dll
WinShutDown 7/30/2005 12:51:52 PM 417792 C:\WINDOWS\SYSTEM32\FrsVpn.dll
Umonitor 8/1/2005 9:55:40 AM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown 8/1/2005 9:55:40 AM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
Umonitor 8/2/2005 7:28:52 PM 417792 C:\WINDOWS\SYSTEM32\kzdest.dll
WinShutDown 8/2/2005 7:28:52 PM 417792 C:\WINDOWS\SYSTEM32\kzdest.dll
PECompact2 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor 8/2/2005 8:11:44 PM 417792 C:\WINDOWS\SYSTEM32\RFCRES.dll
WinShutDown 8/2/2005 8:11:44 PM 417792 C:\WINDOWS\SYSTEM32\RFCRES.dll
Umonitor 8/1/2005 11:20:30 PM 417792 C:\WINDOWS\SYSTEM32\rxaenh.dll
WinShutDown 8/1/2005 11:20:30 PM 417792 C:\WINDOWS\SYSTEM32\rxaenh.dll
Umonitor 7/29/2005 10:52:28 PM 417792 C:\WINDOWS\SYSTEM32\sRfrslv.dll
WinShutDown 7/29/2005 10:52:28 PM 417792 C:\WINDOWS\SYSTEM32\sRfrslv.dll
Umonitor 8/1/2005 11:07:40 PM 417792 C:\WINDOWS\SYSTEM32\strio600.dll
WinShutDown 8/1/2005 11:07:40 PM 417792 C:\WINDOWS\SYSTEM32\strio600.dll
Umonitor 8/2/2005 6:25:10 PM 417792 C:\WINDOWS\SYSTEM32\tCembed.dll
WinShutDown 8/2/2005 6:25:10 PM 417792 C:\WINDOWS\SYSTEM32\tCembed.dll
Umonitor 8/1/2005 8:41:04 PM 417792 C:\WINDOWS\SYSTEM32\vrrifier.dll
WinShutDown 8/1/2005 8:41:04 PM 417792 C:\WINDOWS\SYSTEM32\vrrifier.dll
winsync 8/29/2002 3:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/2/2005 7:39:52 PM 417792 C:\WINDOWS\SYSTEM32\wrweb.dll
WinShutDown 8/2/2005 7:39:52 PM 417792 C:\WINDOWS\SYSTEM32\wrweb.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/6/2005 2:04:16 PM 0 C:\WINDOWS\inf\oem29.inf
8/2/2005 8:48:14 PM 1024 C:\WINDOWS\system32\config\default.LOG
8/2/2005 9:15:02 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/2/2005 8:57:28 PM 1024 C:\WINDOWS\system32\config\SECURITY.LOG
8/2/2005 9:15:56 PM 1024 C:\WINDOWS\system32\config\software.LOG
8/2/2005 9:15:10 PM 1024 C:\WINDOWS\system32\config\system.LOG
8/2/2005 8:11:42 PM 1024 C:\WINDOWS\system32\config\userdifr.LOG
7/24/2005 2:07:00 AM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/2/2005 8:47:20 PM 6 C:\WINDOWS\Tasks\SA.DAT
7/29/2005 10:04:56 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CLE3WLUZ\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GDEVS9A3\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OPIJG5MF\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WH274XUR\desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/2/2005 5:54:52 PM 852 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{7A605BDC-7FFA-40A9-8134-F93443A8E0ED} = C:\WINDOWS\system32\strio600.dll
{EC0D3698-9A1D-4DF3-B515-EE0CA05B6EC5} = C:\WINDOWS\system32\kzdest.dll
{DA5165D3-2E9E-4E96-A2A8-3AF977C7AD82} = C:\WINDOWS\system32\wrweb.dll
{62C5B765-194B-4D59-89A3-1C624E73E9C4} = C:\WINDOWS\system32\RFCRES.dll
{07236793-5154-41FE-B787-7BC70AFBF7B8} = C:\WINDOWS\system32\cy3250mt.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CounterSpy File Shredder
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem
= C:\WINDOWS\system32\uaerenv.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Scan Complete
WinPFind v1.2.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/2/2005 9:17:51 PM

#11 OldTimer

Malware Expert

Posted 02 August 2005 - 11:03 PM

Hi Cyndi_Truj. After reviewing your log I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can hide malware from us when we are performing a fix, so we would like you to reenable those startup entries by doing the following:

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. It will ask you to reboot so reboot normally.

Now please create a new HijackThis log and post it here as a reply. I will review it when it comes in.

OT
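
As an added example (not code from HijackThis, WinPFind or OldTimer), here is a small Python triage script that automates two checks a helper otherwise does by eye on the logs in this thread: it collects Winlogon Notify handlers from both the HijackThis O20 lines and WinPFind's Notify subkeys and reports any DLL registered under more than one subkey name (uaerenv.dll appears as Reinstall in the HijackThis log and as Unimodem in the WinPFind log above, the sign of a handler re-registering itself under fresh names), and it clusters WinPFind's file listing by exact byte size to surface the many 417792-byte DLLs in system32. The regexes are written from the log formats shown here, and the embedded excerpts are constructed from the 2 August 2005 logs above.

```python
"""Triage helpers for the HijackThis and WinPFind logs posted in this thread.

Added example, not code from HijackThis, WinPFind or OldTimer. Two checks:
  1. Winlogon Notify handlers (HijackThis O20 lines plus WinPFind's Notify
     subkeys): one DLL seen under several subkey names is re-registering itself.
  2. WinPFind file lines: many distinct files sharing one exact byte size
     (the 417792-byte DLLs above) point at renamed copies of one binary.
Regexes follow the log formats shown in this thread; excerpts are copied from it.
"""
import re
from collections import defaultdict

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# "[tag] m/d/yyyy h:mm:ss AM size path"; the tag is absent in WinPFind's
# "system and hidden files" section, so it is optional.
WPF_FILE_RE = re.compile(
    r"^(?:(?P<tag>\S+) )?(?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<size>\d+) (?P<path>.+)$"
)
NOTIFY_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              "\\Winlogon\\Notify\\")

def parse_hjt_notify(text):
    """Return [(subkey, dll)] from the O20 lines of a HijackThis log."""
    found = [O20_RE.match(line.strip()) for line in text.splitlines()]
    return [(m["name"], m["path"]) for m in found if m]

def parse_winpfind_notify(text):
    """Return [(subkey, dll)] from WinPFind's Winlogon Notify registry section."""
    out, subkey = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(NOTIFY_KEY):          # key line names the subkey
            subkey = line[len(NOTIFY_KEY):]
        elif subkey and line.startswith("="):    # the next line carries its DLL
            out.append((subkey, line[1:].strip()))
            subkey = None
        else:
            subkey = None
    return out

def notify_dll_aliases(pairs):
    """Map each Notify DLL (lower-cased path) to the set of subkey names seen for it."""
    names = defaultdict(set)
    for name, dll in pairs:
        names[dll.lower()].add(name)
    return dict(names)

def parse_winpfind_files(text):
    """Return [(tag, size, path)] for every file line in a WinPFind log."""
    found = [WPF_FILE_RE.match(line.strip()) for line in text.splitlines()]
    return [(m["tag"], int(m["size"]), m["path"]) for m in found if m]

def size_clusters(entries, min_files=3):
    """Return {size: sorted distinct paths} for sizes shared by >= min_files files.
    WinPFind prints one line per matching signature, so paths are deduplicated."""
    by_size = defaultdict(set)
    for _tag, size, path in entries:
        by_size[size].add(path.lower())
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_files}

def triage(hjt_text, winpfind_text):
    """Run both checks: DLLs under more than one Notify name, and size clusters."""
    pairs = parse_hjt_notify(hjt_text) + parse_winpfind_notify(winpfind_text)
    aliases = notify_dll_aliases(pairs)
    return {
        "renaming_notify_dlls": {d: sorted(n) for d, n in aliases.items() if len(n) > 1},
        "size_clusters": size_clusters(parse_winpfind_files(winpfind_text)),
    }

# Constructed excerpts, copied from the 2 August 2005 logs posted above.
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\uaerenv.dll
"""
WINPFIND_EXCERPT = r"""
Umonitor 8/2/2005 6:40:52 PM 417792 C:\WINDOWS\SYSTEM32\daquery.dll
WinShutDown 8/2/2005 6:40:52 PM 417792 C:\WINDOWS\SYSTEM32\daquery.dll
Umonitor 8/1/2005 11:50:00 PM 417792 C:\WINDOWS\SYSTEM32\doocx.dll
WinShutDown 8/1/2005 11:50:00 PM 417792 C:\WINDOWS\SYSTEM32\doocx.dll
Umonitor 8/2/2005 7:28:52 PM 417792 C:\WINDOWS\SYSTEM32\kzdest.dll
PECompact2 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/2/2005 7:39:52 PM 417792 C:\WINDOWS\SYSTEM32\wrweb.dll
7/6/2005 2:04:16 PM 0 C:\WINDOWS\inf\oem29.inf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem
= C:\WINDOWS\system32\uaerenv.dll
"""

if __name__ == "__main__":
    for check, result in triage(HJT_EXCERPT, WINPFIND_EXCERPT).items():
        print(check, result)
```

Run against full logs rather than the excerpts, the size clustering will also group legitimate files that happen to share a size, so treat a cluster as a lead to check against the WinPFind signature tags and timestamps, not as a verdict.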

#12 Cyndi_Truj

Posted 03 August 2005 - 03:53 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:46:04 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120676611140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120676886235
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/.../weblaunch2.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...544/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\uaerenv.dll

NEW WINPFIND

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
FSG! 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
PTech 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys
aurora.exe 8/25/2004 8:15:24 PM 200331264 C:\hiberfil.sys

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\lpt$vpn.749
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 5/5/2005 9:27:00 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
qoologic 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
SAHAgent 7/27/2005 2:36:26 PM 15465411 C:\WINDOWS\VPTNFILE.749
UPX! 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 5/5/2005 9:27:00 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
Umonitor 8/2/2005 6:40:52 PM 417792 C:\WINDOWS\SYSTEM32\daquery.dll
WinShutDown 8/2/2005 6:40:52 PM 417792 C:\WINDOWS\SYSTEM32\daquery.dll
PEC2 8/29/2002 3:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/2/2005 10:35:20 PM 417792 C:\WINDOWS\SYSTEM32\dftmsft.dll
WinShutDown 8/2/2005 10:35:20 PM 417792 C:\WINDOWS\SYSTEM32\dftmsft.dll
Umonitor 8/1/2005 11:50:00 PM 417792 C:\WINDOWS\SYSTEM32\doocx.dll
WinShutDown 8/1/2005 11:50:00 PM 417792 C:\WINDOWS\SYSTEM32\doocx.dll
Umonitor 7/30/2005 12:51:52 PM 417792 C:\WINDOWS\SYSTEM32\FrsVpn.dll
WinShutDown 7/30/2005 12:51:52 PM 417792 C:\WINDOWS\SYSTEM32\FrsVpn.dll
Umonitor 8/1/2005 9:55:40 AM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown 8/1/2005 9:55:40 AM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
Umonitor 8/2/2005 7:28:52 PM 417792 C:\WINDOWS\SYSTEM32\kzdest.dll
WinShutDown 8/2/2005 7:28:52 PM 417792 C:\WINDOWS\SYSTEM32\kzdest.dll
PECompact2 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor 8/2/2005 8:11:44 PM 417792 C:\WINDOWS\SYSTEM32\RFCRES.dll
WinShutDown 8/2/2005 8:11:44 PM 417792 C:\WINDOWS\SYSTEM32\RFCRES.dll
Umonitor 8/2/2005 10:05:18 PM 417792 C:\WINDOWS\SYSTEM32\rfpsnd.dll
WinShutDown 8/2/2005 10:05:18 PM 417792 C:\WINDOWS\SYSTEM32\rfpsnd.dll
Umonitor 8/1/2005 11:20:30 PM 417792 C:\WINDOWS\SYSTEM32\rxaenh.dll
WinShutDown 8/1/2005 11:20:30 PM 417792 C:\WINDOWS\SYSTEM32\rxaenh.dll
Umonitor 7/29/2005 10:52:28 PM 417792 C:\WINDOWS\SYSTEM32\sRfrslv.dll
WinShutDown 7/29/2005 10:52:28 PM 417792 C:\WINDOWS\SYSTEM32\sRfrslv.dll
Umonitor 8/1/2005 11:07:40 PM 417792 C:\WINDOWS\SYSTEM32\strio600.dll
WinShutDown 8/1/2005 11:07:40 PM 417792 C:\WINDOWS\SYSTEM32\strio600.dll
Umonitor 8/2/2005 6:25:10 PM 417792 C:\WINDOWS\SYSTEM32\tCembed.dll
WinShutDown 8/2/2005 6:25:10 PM 417792 C:\WINDOWS\SYSTEM32\tCembed.dll
Umonitor 8/1/2005 8:41:04 PM 417792 C:\WINDOWS\SYSTEM32\vrrifier.dll
WinShutDown 8/1/2005 8:41:04 PM 417792 C:\WINDOWS\SYSTEM32\vrrifier.dll
winsync 8/29/2002 3:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/2/2005 7:39:52 PM 417792 C:\WINDOWS\SYSTEM32\wrweb.dll
WinShutDown 8/2/2005 7:39:52 PM 417792 C:\WINDOWS\SYSTEM32\wrweb.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/6/2005 2:04:16 PM 0 C:\WINDOWS\inf\oem29.inf
8/3/2005 3:15:22 PM 1024 C:\WINDOWS\system32\config\default.LOG
8/3/2005 3:45:58 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/3/2005 3:14:08 PM 1024 C:\WINDOWS\system32\config\SECURITY.LOG
8/3/2005 3:45:26 PM 1024 C:\WINDOWS\system32\config\software.LOG
8/3/2005 3:36:08 PM 1024 C:\WINDOWS\system32\config\system.LOG
8/2/2005 10:35:18 PM 1024 C:\WINDOWS\system32\config\userdifr.LOG
7/24/2005 2:07:00 AM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/3/2005 2:58:10 PM 6 C:\WINDOWS\Tasks\SA.DAT
7/29/2005 10:04:56 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/29/2005 10:04:56 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CLE3WLUZ\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GDEVS9A3\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OPIJG5MF\desktop.ini
8/1/2005 8:44:36 AM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WH274XUR\desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/2/2005 5:54:52 PM 852 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{7A605BDC-7FFA-40A9-8134-F93443A8E0ED} = C:\WINDOWS\system32\strio600.dll
{EC0D3698-9A1D-4DF3-B515-EE0CA05B6EC5} = C:\WINDOWS\system32\kzdest.dll
{DA5165D3-2E9E-4E96-A2A8-3AF977C7AD82} = C:\WINDOWS\system32\wrweb.dll
{62C5B765-194B-4D59-89A3-1C624E73E9C4} = C:\WINDOWS\system32\RFCRES.dll
{07236793-5154-41FE-B787-7BC70AFBF7B8} = C:\WINDOWS\system32\rfpsnd.dll
{9EC486BD-09AD-4E86-976C-F04158655E08} = C:\WINDOWS\system32\dftmsft.dll
{212248DE-5E63-4F50-A046-9010AE53A2FE} = C:\WINDOWS\system32\meports.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CounterSpy File Shredder
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
WinTask driver C:\WINDOWS\system32\wintask.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
pccguide.exe "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
Media Access C:\Program Files\Media Access\MediaAccK.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Display Settings C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
CARPService carpserv.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions
= C:\WINDOWS\system32\uaerenv.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Scan Complete
WinPFind v1.2.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/3/2005 3:47:34 PM
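One way to triage a WinPFind listing like the one above, as an added example that is not part of this thread and not WinPFind's own code: it groups the System32 files by exact byte size, keeps clusters of several recently modified files that share one size, and notes which of them are also named under Shell Extensions\Approved. The sample lines are copied from the log above; the cluster threshold of three and the 60-day window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines copied from the WinPFind log posted above (file
# listing lines plus Shell Extensions\Approved entries), not the whole log.
WINPFIND_SAMPLE = r"""
Umonitor 8/2/2005 10:05:18 PM 417792 C:\WINDOWS\SYSTEM32\rfpsnd.dll
WinShutDown 8/2/2005 10:05:18 PM 417792 C:\WINDOWS\SYSTEM32\rfpsnd.dll
Umonitor 8/1/2005 11:20:30 PM 417792 C:\WINDOWS\SYSTEM32\rxaenh.dll
Umonitor 8/1/2005 11:07:40 PM 417792 C:\WINDOWS\SYSTEM32\strio600.dll
WinShutDown 8/2/2005 7:39:52 PM 417792 C:\WINDOWS\SYSTEM32\wrweb.dll
winsync 8/29/2002 3:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
{7A605BDC-7FFA-40A9-8134-F93443A8E0ED} = C:\WINDOWS\system32\strio600.dll
{DA5165D3-2E9E-4E96-A2A8-3AF977C7AD82} = C:\WINDOWS\system32\wrweb.dll
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
"""

# WinPFind file line: <heuristic tag> <date> <time> <size> <path>
FILE_RE = re.compile(r"^\S+ (\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M) (\d+) (.+)$")
# Registry value line: {CLSID} = <path>
REG_RE = re.compile(r"^\{[0-9A-Fa-f-]+\} = (.+)$")

def triage(log_text, scan_date, recent_days=60, min_cluster=3):
    """Report clusters of min_cluster+ distinct files sharing one byte size, all
    modified within recent_days of scan_date (m/d/Y), with any that are also
    registered as shell extensions. Thresholds are assumptions for this example."""
    files = {}          # lower-cased path -> (size, mtime); dedupes repeated tags
    registered = set()  # lower-cased basenames named in registry value lines
    for line in log_text.strip().splitlines():
        m = FILE_RE.match(line)
        if m:
            mtime = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            files[m.group(3).lower()] = (int(m.group(2)), mtime)
        elif (m := REG_RE.match(line)):
            registered.add(m.group(1).lower().rsplit("\\", 1)[-1])
    by_size = defaultdict(list)
    for path, (size, mtime) in files.items():
        by_size[size].append((path, mtime))
    cutoff = datetime.strptime(scan_date, "%m/%d/%Y") - timedelta(days=recent_days)
    report = {}
    for size, entries in by_size.items():
        if len(entries) < min_cluster or any(mt < cutoff for _, mt in entries):
            continue  # too few files, or at least one is old enough to be benign
        names = sorted(p.rsplit("\\", 1)[-1] for p, _ in entries)
        report[size] = {"files": names,
                        "registered": [n for n in names if n in registered]}
    return report
```

Calling `triage(WINPFIND_SAMPLE, "8/3/2005")` on the sample returns the single 417792-byte cluster of four DLLs, two of which are also listed as approved shell extensions; the two 1309184-byte files are not reported because they are old and only two share that size.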

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 03 August 2005 - 06:40 PM

Hi Cyndi_Truj. Let's try this again. MsConfig is still running and the log shows no services.

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press OK until you are out of the program. It will ask you to reboot so reboot normally.

Now please create a new HijackThis log and post it here as a reply. I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#14 Cyndi_Truj

Cyndi_Truj
  • Topic Starter

  • Members
  • 15 posts

Posted 03 August 2005 - 10:46 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:40:46 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120676611140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120676886235
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/.../weblaunch2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\uaerenv.dll

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 03 August 2005 - 10:59 PM

Hi Cyndi_Truj. There is something happening here behind the scenes. This log appears to have been run from Safe Mode. It is missing most of the run entries and all of the services.

Let's try this.

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the new L2m logs back here along with a new HijackThis log and a new WinPFind log and I will review the information when it comes in.

OT

Edited by OldTimer, 03 August 2005 - 10:59 PM.

