
Help getting rid of 0dp.com


5 replies to this topic

#1 ZackNeve


Posted 31 July 2005 - 06:44 PM

Hello, my computer is infected with a website, 0dp.com, and there are other viruses infecting my computer right now. I have a huge popup problem and cannot get anything done without one coming up! Please help me; here is my HijackThis file:

Logfile of HijackThis v1.99.0
Scan saved at 7:41:20 PM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\msst\mssts.exe
C:\WINDOWS\system32\apbrpa.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\system32\eqndat10.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\msst\msst.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\edlapi32.exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Zack.ZACK-S8NUPLAKD6\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users.WINDOWS\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apbrpa.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [yikclc] C:\WINDOWS\system32\yikclc.exe
O4 - HKLM\..\Run: [p78T33U] eqndat10.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [CLAUDIO] C:\PROGRA~1\XEMICO~1\Claudio\Claudio.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - HKCU\..\Run: [Ywr3RTYqR] edlapi32.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xyxnrcix.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/033dedbc9b1377...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://11731.kit.carpediem.fr/FanLucy.exe
O16 - DPF: {DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF} - http://www.haptek.com/products/player/auto...data/latest.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Please help me! Thanks,
Zack


#2 Skate_Punk_21


Posted 01 August 2005 - 04:48 PM

Hi Zack, and welcome to Bleeping Computer!

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.


Downloads
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it. DO NOT RUN IT YET


Boot Into Safe Mode
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

View Hidden Files and Folders
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Stop Potentially Running Processes
Go into HijackThis -> Config -> Misc. Tools -> Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be, but double-check):

C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\msst\mssts.exe
C:\WINDOWS\system32\apbrpa.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\system32\eqndat10.exe
C:\WINDOWS\system32\edlapi32.exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\ezula\mmod.exe


Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Instant Buzz
msst
etb
Claudio
Cas
Ezula
Vidctrl
AutoUpdate -- If you know which application installed this, you may leave it; otherwise please uninstall it.



Stop NT Service

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the "Security Agent" service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
  • sc delete "Security Agent"
  • Close the Command Prompt window
Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.shopnav.com/sidesearch.cg...5933&id=1.20030
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [msst] C:\Documents and Settings\All Users.WINDOWS\Application Data\msst\mssts.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apbrpa.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" <<-- Did you install this, or do you know where it came from? If not, check it as well.
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [yikclc] C:\WINDOWS\system32\yikclc.exe
O4 - HKLM\..\Run: [p78T33U] eqndat10.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - HKCU\..\Run: [Ywr3RTYqR] edlapi32.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\xyxnrcix.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://11731.kit.carpediem.fr/FanLucy.exe
O16 - DPF: {DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF} - http://www.haptek.com/products/player/auto...data/latest.cab
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following files and folders (folder paths end with a backslash) if they still exist.

C:\Program Files\Instant Buzz\
C:\WINDOWS\cfgmgr52.dll
AUNPS2.DLL <<-- Search for it via "Start | Search"
C:\WINDOWS\system32\vidctrl\
C:\Documents and Settings\All Users.WINDOWS\Application Data\msst\
C:\WINDOWS\system32\apbrpa.exe
C:\Program Files\AutoUpdate\ <<-- Did you install this, or do you know where it came from? If not, delete this folder as well.
C:\WINDOWS\etb\
C:\WINDOWS\ttupt.exe
C:\WINDOWS\system32\yikclc.exe
C:\WINDOWS\system32\eqndat10.exe
C:\WINDOWS\system32\edlapi32.exe
C:\Program Files\Cas\
C:\PROGRA~1\ezula\
C:\WINDOWS\system32\EZPOPS~1.EXE
C:\Program Files\Internet Explorer\xyxnrcix.exe
C:\WINDOWS\system32\scagent.exe


Run CleanUp! Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:

  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Reboot your system in Normal Mode.



Please run a Scan at any 2 of the Following sites
Symantec/Norton
Trend Micro
BitDefender On-Line Virus Scan
Panda ActiveScan
F-Secure
Kaspersky

Make sure that you choose the "fix" or "clean" option when available


Please post a fresh Hijack This log so that we can check if your system is clean.

#3 ZackNeve


Posted 03 August 2005 - 01:01 PM

Thanks for all of your help. Here is an updated version of my HJT file with the new HJT:
Logfile of HijackThis v1.99.1
Scan saved at 1:58:35 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\drik.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Zack.ZACK-S8NUPLAKD6\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apbrpa.exe reg_run
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [CLAUDIO] C:\PROGRA~1\XEMICO~1\Claudio\Claudio.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...34/sdcregie.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/033dedbc9b1377...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://11731.kit.carpediem.fr/FanLucy.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\soecli.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
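
The two logs above are what the helper compares by hand to decide whether the fix took. The following is an added example written for this page (not code from the thread or from HijackThis): it parses excerpts of both logs, reports which fix-list entries survived the cleanup (the winsync/apbrpa.exe Run entry is still there in the second log), lists autostart items that are new (the O20 Winlogon Notify hook and drik.exe in Startup), and flags O4 entries whose command is a bare file name with no path. The log excerpts and the fix-list subset are constructed from the posts above.

```python
"""Check a follow-up HijackThis log against a fix list (added example)."""
import re

# Constructed excerpts of the two logs posted in this thread (first scan
# and the follow-up scan after the fix); names and paths are from the posts.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\apbrpa.exe
C:\WINDOWS\etb\pokapoka62.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apbrpa.exe reg_run
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [p78T33U] eqndat10.exe
O4 - HKCU\..\Run: [CLAUDIO] C:\PROGRA~1\XEMICO~1\Claudio\Claudio.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)
"""

LOG_AFTER = r"""
Running processes:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\drik.exe

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apbrpa.exe reg_run
O4 - HKCU\..\Run: [CLAUDIO] C:\PROGRA~1\XEMICO~1\Claudio\Claudio.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\soecli.dll
"""

# Subset of the entries the helper asked to have fixed.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php",
    r"O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\apbrpa.exe reg_run",
    r"O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe",
    r"O4 - HKLM\..\Run: [p78T33U] eqndat10.exe",
    r"O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)",
]

# HijackThis entry lines start with a section code such as R1, F2, O4, O23.
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# Inside an O4 body: "[name] command line"
O4_RE = re.compile(r"\[(.*?)\]\s*(.*)$")


def normalize(line):
    """Comparison form: collapse whitespace and ignore case, since Windows
    paths and registry names are case-insensitive."""
    return " ".join(line.split()).lower()


def parse_hjt(text):
    """Split a log into {'processes': [...], 'entries': [(code, body), ...]}.
    Process paths follow 'Running processes:' up to the next blank line."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def _keys(parsed):
    keys = {normalize(p) for p in parsed["processes"]}
    keys |= {normalize(f"{c} - {b}") for c, b in parsed["entries"]}
    return keys


def persisted_fixes(fix_list, after_text):
    """Fix-list lines still present in the follow-up log: either the fix did
    not take or the malware re-created the entry on reboot."""
    present = _keys(parse_hjt(after_text))
    return [line for line in fix_list if normalize(line) in present]


def new_items(before_text, after_text):
    """Processes and entries that appear only in the follow-up log. New
    persistence such as an O20 Winlogon Notify hook is what an analyst wants
    to see first, because it usually means the infection reinstalls itself."""
    seen = _keys(parse_hjt(before_text))
    after = parse_hjt(after_text)
    added = [("PROC", p) for p in after["processes"] if normalize(p) not in seen]
    added += [(c, b) for c, b in after["entries"]
              if normalize(f"{c} - {b}") not in seen]
    return added


def pathless_run_entries(text):
    """O4 Run entries whose command is a bare file name with no directory.
    These resolve through the search path, typically to a file dropped into
    %System%; the first log in this thread has several of them."""
    flagged = []
    for code, body in parse_hjt(text)["entries"]:
        m = O4_RE.search(body) if code == "O4" else None
        if m:
            name, cmd = m.groups()
            target = cmd.strip().split(" ")[0]
            if target and "\\" not in target:
                flagged.append((name, cmd.strip()))
    return flagged
```

Running `persisted_fixes(FIX_LIST, LOG_AFTER)` and `new_items(LOG_BEFORE, LOG_AFTER)` on these excerpts shows the winsync entry surviving and the O20 hook plus drik.exe appearing, which is exactly why the helper asks for a fresh log rather than trusting the fix.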

#4 Skate_Punk_21


Posted 04 August 2005 - 01:02 AM

Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!
Download Track qoo
  • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#5 ZackNeve


Posted 04 August 2005 - 11:54 AM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 7/28/2005 7:06:10 PM 17408 C:\WINDOWS\icont.exe
PTech 6/3/2004 3:12:36 PM 20522 C:\WINDOWS\landing.html
UPX! 12/4/2004 1:56:58 PM 44032 C:\WINDOWS\Unwash5.exe

Checking %System% folder...
Umonitor 7/22/2005 12:20:16 PM 417792 C:\WINDOWS\SYSTEM32\aaferror.dll
WinShutDown 7/22/2005 12:20:16 PM 417792 C:\WINDOWS\SYSTEM32\aaferror.dll
Umonitor 7/22/2005 1:20:44 PM 417792 C:\WINDOWS\SYSTEM32\aypmgmts.dll
WinShutDown 7/22/2005 1:20:44 PM 417792 C:\WINDOWS\SYSTEM32\aypmgmts.dll
Umonitor 7/22/2005 3:30:00 AM 417792 C:\WINDOWS\SYSTEM32\azmparse.dll
WinShutDown 7/22/2005 3:30:00 AM 417792 C:\WINDOWS\SYSTEM32\azmparse.dll
Umonitor 7/22/2005 3:30:22 AM 417792 C:\WINDOWS\SYSTEM32\bqowselc.dll
WinShutDown 7/22/2005 3:30:22 AM 417792 C:\WINDOWS\SYSTEM32\bqowselc.dll
Umonitor 8/4/2005 12:08:48 PM 417792 C:\WINDOWS\SYSTEM32\cBrds.dll
WinShutDown 8/4/2005 12:08:48 PM 417792 C:\WINDOWS\SYSTEM32\cBrds.dll
Umonitor 7/22/2005 2:33:50 PM 417792 C:\WINDOWS\SYSTEM32\cgsetacl.dll
WinShutDown 7/22/2005 2:33:50 PM 417792 C:\WINDOWS\SYSTEM32\cgsetacl.dll
Umonitor 7/22/2005 11:12:00 AM 417792 C:\WINDOWS\SYSTEM32\cilbact.dll
WinShutDown 7/22/2005 11:12:00 AM 417792 C:\WINDOWS\SYSTEM32\cilbact.dll
Umonitor 7/22/2005 6:10:42 PM 417792 C:\WINDOWS\SYSTEM32\daserver.dll
WinShutDown 7/22/2005 6:10:42 PM 417792 C:\WINDOWS\SYSTEM32\daserver.dll
69.59.186.63 8/4/2005 12:08:10 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134 8/4/2005 12:08:10 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97 8/4/2005 12:08:10 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77 8/4/2005 12:08:10 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
web-nex 8/4/2005 12:08:10 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 8/4/2005 12:08:10 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run 8/4/2005 12:08:10 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
PEC2 8/29/2002 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 7/22/2005 7:06:40 AM 417792 C:\WINDOWS\SYSTEM32\drmasf.dll
WinShutDown 7/22/2005 7:06:40 AM 417792 C:\WINDOWS\SYSTEM32\drmasf.dll
UPX! 8/29/2003 1:57:48 PM 64000 C:\WINDOWS\SYSTEM32\EGDHTML_1020.dll
Umonitor 7/22/2005 2:34:42 PM 417792 C:\WINDOWS\SYSTEM32\eisadu.dll
WinShutDown 7/22/2005 2:34:42 PM 417792 C:\WINDOWS\SYSTEM32\eisadu.dll
KavSvc 8/4/2005 12:08:20 AM 34816 C:\WINDOWS\SYSTEM32\enipnoy.dll
69.59.186.63 8/4/2005 12:08:20 AM 34816 C:\WINDOWS\SYSTEM32\enipnoy.dll
209.66.67.134 8/4/2005 12:08:20 AM 34816 C:\WINDOWS\SYSTEM32\enipnoy.dll
testpopup 8/4/2005 12:08:20 AM 34816 C:\WINDOWS\SYSTEM32\enipnoy.dll
web-nex 8/4/2005 12:08:20 AM 34816 C:\WINDOWS\SYSTEM32\enipnoy.dll
yourkey 8/4/2005 12:08:20 AM 34816 C:\WINDOWS\SYSTEM32\enipnoy.dll
Umonitor 7/30/2005 2:16:32 AM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown 7/30/2005 2:16:32 AM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
Umonitor 7/22/2005 6:11:12 PM 417792 C:\WINDOWS\SYSTEM32\itssuba.dll
WinShutDown 7/22/2005 6:11:12 PM 417792 C:\WINDOWS\SYSTEM32\itssuba.dll
Umonitor 8/3/2005 10:25:02 AM 417792 C:\WINDOWS\SYSTEM32\jpt.dll
WinShutDown 8/3/2005 10:25:02 AM 417792 C:\WINDOWS\SYSTEM32\jpt.dll
Umonitor 7/22/2005 8:33:32 AM 417792 C:\WINDOWS\SYSTEM32\kkdpo.dll
WinShutDown 7/22/2005 8:33:32 AM 417792 C:\WINDOWS\SYSTEM32\kkdpo.dll
Umonitor 7/22/2005 4:33:38 AM 417792 C:\WINDOWS\SYSTEM32\kmdcr.dll
WinShutDown 7/22/2005 4:33:38 AM 417792 C:\WINDOWS\SYSTEM32\kmdcr.dll
Umonitor 7/22/2005 3:51:52 PM 417792 C:\WINDOWS\SYSTEM32\KNDAL.DLL
WinShutDown 7/22/2005 3:51:52 PM 417792 C:\WINDOWS\SYSTEM32\KNDAL.DLL
Umonitor 7/22/2005 4:33:26 AM 417792 C:\WINDOWS\SYSTEM32\KSDAL.DLL
WinShutDown 7/22/2005 4:33:26 AM 417792 C:\WINDOWS\SYSTEM32\KSDAL.DLL
Umonitor 7/22/2005 9:48:46 AM 417792 C:\WINDOWS\SYSTEM32\kxdusl.dll
WinShutDown 7/22/2005 9:48:46 AM 417792 C:\WINDOWS\SYSTEM32\kxdusl.dll
Umonitor 7/22/2005 7:08:10 AM 417792 C:\WINDOWS\SYSTEM32\lgk.dll
WinShutDown 7/22/2005 7:08:10 AM 417792 C:\WINDOWS\SYSTEM32\lgk.dll
Umonitor 7/22/2005 8:33:54 AM 417792 C:\WINDOWS\SYSTEM32\mdl_qic.dll
WinShutDown 7/22/2005 8:33:54 AM 417792 C:\WINDOWS\SYSTEM32\mdl_qic.dll
Umonitor 7/22/2005 3:52:54 PM 417792 C:\WINDOWS\SYSTEM32\mdrd3x40.dll
WinShutDown 7/22/2005 3:52:54 PM 417792 C:\WINDOWS\SYSTEM32\mdrd3x40.dll
Umonitor 7/22/2005 7:30:34 PM 417792 C:\WINDOWS\SYSTEM32\mitscax.dll
WinShutDown 7/22/2005 7:30:34 PM 417792 C:\WINDOWS\SYSTEM32\mitscax.dll
Umonitor 7/22/2005 2:04:58 AM 417792 C:\WINDOWS\SYSTEM32\mkafd.dll
WinShutDown 7/22/2005 2:04:58 AM 417792 C:\WINDOWS\SYSTEM32\mkafd.dll
Umonitor 7/22/2005 9:49:10 AM 417792 C:\WINDOWS\SYSTEM32\moc71.dll
WinShutDown 7/22/2005 9:49:10 AM 417792 C:\WINDOWS\SYSTEM32\moc71.dll
Umonitor 7/22/2005 4:56:58 PM 417792 C:\WINDOWS\SYSTEM32\mpvbvm50.dll
WinShutDown 7/22/2005 4:56:58 PM 417792 C:\WINDOWS\SYSTEM32\mpvbvm50.dll
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 7/22/2005 2:05:10 AM 417792 C:\WINDOWS\SYSTEM32\mzieftp.dll
WinShutDown 7/22/2005 2:05:10 AM 417792 C:\WINDOWS\SYSTEM32\mzieftp.dll
Umonitor 7/22/2005 7:30:58 PM 417792 C:\WINDOWS\SYSTEM32\njmsapi.dll
WinShutDown 7/22/2005 7:30:58 PM 417792 C:\WINDOWS\SYSTEM32\njmsapi.dll
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 7/22/2005 4:57:20 PM 417792 C:\WINDOWS\SYSTEM32\nyhtml.dll
WinShutDown 7/22/2005 4:57:20 PM 417792 C:\WINDOWS\SYSTEM32\nyhtml.dll
Umonitor 7/21/2005 11:46:02 PM 417792 C:\WINDOWS\SYSTEM32\ouengl32.dll
WinShutDown 7/21/2005 11:46:02 PM 417792 C:\WINDOWS\SYSTEM32\ouengl32.dll
Umonitor 7/22/2005 8:40:32 PM 417792 C:\WINDOWS\SYSTEM32\owe2.dll
WinShutDown 7/22/2005 8:40:32 PM 417792 C:\WINDOWS\SYSTEM32\owe2.dll
Umonitor 7/21/2005 11:45:54 PM 417792 C:\WINDOWS\SYSTEM32\oxpdx32.dll
WinShutDown 7/21/2005 11:45:54 PM 417792 C:\WINDOWS\SYSTEM32\oxpdx32.dll
Umonitor 7/22/2005 1:22:22 PM 417792 C:\WINDOWS\SYSTEM32\qadwipes.dll
WinShutDown 7/22/2005 1:22:22 PM 417792 C:\WINDOWS\SYSTEM32\qadwipes.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor 7/21/2005 5:44:52 PM 417792 C:\WINDOWS\SYSTEM32\rygapi.dll
WinShutDown 7/21/2005 5:44:52 PM 417792 C:\WINDOWS\SYSTEM32\rygapi.dll
Umonitor 8/4/2005 12:13:52 PM 417792 C:\WINDOWS\SYSTEM32\sjorprop.dll
WinShutDown 8/4/2005 12:13:52 PM 417792 C:\WINDOWS\SYSTEM32\sjorprop.dll
Umonitor 7/21/2005 4:25:04 PM 417792 C:\WINDOWS\SYSTEM32\snhannel.dll
WinShutDown 7/21/2005 4:25:04 PM 417792 C:\WINDOWS\SYSTEM32\snhannel.dll
Umonitor 7/22/2005 9:52:00 PM 417792 C:\WINDOWS\SYSTEM32\sporage.dll
WinShutDown 7/22/2005 9:52:00 PM 417792 C:\WINDOWS\SYSTEM32\sporage.dll
Umonitor 7/22/2005 6:02:18 AM 417792 C:\WINDOWS\SYSTEM32\strwvdrv.dll
WinShutDown 7/22/2005 6:02:18 AM 417792 C:\WINDOWS\SYSTEM32\strwvdrv.dll
Umonitor 7/21/2005 5:45:12 PM 417792 C:\WINDOWS\SYSTEM32\sunsapi.dll
WinShutDown 7/21/2005 5:45:12 PM 417792 C:\WINDOWS\SYSTEM32\sunsapi.dll
Umonitor 7/21/2005 4:24:56 PM 417792 C:\WINDOWS\SYSTEM32\sYfrdm.dll
WinShutDown 7/21/2005 4:24:56 PM 417792 C:\WINDOWS\SYSTEM32\sYfrdm.dll
Umonitor 7/21/2005 6:52:52 PM 417792 C:\WINDOWS\SYSTEM32\tGpisrv.dll
WinShutDown 7/21/2005 6:52:52 PM 417792 C:\WINDOWS\SYSTEM32\tGpisrv.dll
Umonitor 7/22/2005 6:02:50 AM 417792 C:\WINDOWS\SYSTEM32\tpaffic.dll
WinShutDown 7/22/2005 6:02:50 AM 417792 C:\WINDOWS\SYSTEM32\tpaffic.dll
Umonitor 7/21/2005 6:52:58 PM 417792 C:\WINDOWS\SYSTEM32\tqappcmp.dll
WinShutDown 7/21/2005 6:52:58 PM 417792 C:\WINDOWS\SYSTEM32\tqappcmp.dll
Umonitor 7/21/2005 7:53:54 PM 417792 C:\WINDOWS\SYSTEM32\vcrifier.dll
WinShutDown 7/21/2005 7:53:54 PM 417792 C:\WINDOWS\SYSTEM32\vcrifier.dll
Umonitor 7/21/2005 9:06:54 PM 417792 C:\WINDOWS\SYSTEM32\VI6STKIT.DLL
WinShutDown 7/21/2005 9:06:54 PM 417792 C:\WINDOWS\SYSTEM32\VI6STKIT.DLL
Umonitor 7/21/2005 9:07:02 PM 417792 C:\WINDOWS\SYSTEM32\vps_ps.dll
WinShutDown 7/21/2005 9:07:02 PM 417792 C:\WINDOWS\SYSTEM32\vps_ps.dll
winsync 8/29/2002 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 7/21/2005 10:35:00 PM 417792 C:\WINDOWS\SYSTEM32\wcbcheck.dll
WinShutDown 7/21/2005 10:35:00 PM 417792 C:\WINDOWS\SYSTEM32\wcbcheck.dll
Umonitor 7/22/2005 12:19:34 PM 417792 C:\WINDOWS\SYSTEM32\wferrenu.dll
WinShutDown 7/22/2005 12:19:34 PM 417792 C:\WINDOWS\SYSTEM32\wferrenu.dll
Umonitor 7/21/2005 10:34:54 PM 417792 C:\WINDOWS\SYSTEM32\whfapi.dll
WinShutDown 7/21/2005 10:34:54 PM 417792 C:\WINDOWS\SYSTEM32\whfapi.dll
Umonitor 7/21/2005 7:54:06 PM 417792 C:\WINDOWS\SYSTEM32\WO5INF32.DLL
WinShutDown 7/21/2005 7:54:06 PM 417792 C:\WINDOWS\SYSTEM32\WO5INF32.DLL
Umonitor 7/22/2005 11:11:18 AM 417792 C:\WINDOWS\SYSTEM32\wtaueng1.dll
WinShutDown 7/22/2005 11:11:18 AM 417792 C:\WINDOWS\SYSTEM32\wtaueng1.dll
Umonitor 7/22/2005 8:49:32 PM 417792 C:\WINDOWS\SYSTEM32\wxidx.dll
WinShutDown 7/22/2005 8:49:32 PM 417792 C:\WINDOWS\SYSTEM32\wxidx.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/28/2005 12:04:46 PM 0 C:\WINDOWS\inf\oem12.inf
8/4/2005 12:17:00 PM 12288 C:\WINDOWS\SYSTEM32\config\default.LOG
8/4/2005 12:16:56 PM 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
8/4/2005 12:16:46 PM 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
8/4/2005 12:17:00 PM 200704 C:\WINDOWS\SYSTEM32\config\software.LOG
8/4/2005 12:16:52 PM 937984 C:\WINDOWS\SYSTEM32\config\system.LOG
7/13/2005 10:04:02 PM 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
8/4/2005 12:00:02 PM 234 C:\WINDOWS\TASKS\B26C294C91E7D964.job
8/4/2005 12:15:12 PM 6 C:\WINDOWS\TASKS\SA.DAT
8/3/2005 1:51:52 PM 113 C:\WINDOWS\TEMP\History\History.IE5\desktop.ini
8/3/2005 1:51:50 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
8/3/2005 1:58:04 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0J234NO7\desktop.ini
8/3/2005 3:33:04 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\CN8EPZN7\desktop.ini
8/3/2005 3:33:04 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\KXMBOD2R\desktop.ini
8/3/2005 1:58:04 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\XT31I4HS\desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/4/2005 12:08:22 AM 81920 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\drik.exe
9/3/2003 11:57:28 AM 1730 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
1/2/2005 11:02:38 PM 21416 C:\Documents and Settings\Zack.ZACK-S8NUPLAKD6\Application Data\GDIPFONTCACHEV1.DAT
5/5/2004 4:23:44 PM 104 C:\Documents and Settings\Zack.ZACK-S8NUPLAKD6\Application Data\stats.mst
9/6/2004 3:53:26 PM 216097 C:\Documents and Settings\Zack.ZACK-S8NUPLAKD6\Application Data\tvmknwrd.dll

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{689EFAEF-E909-4F59-91F6-D35E5567FA03} = C:\WINDOWS\system32\ilakeng.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gmxnmts
{65e0b48b-16b7-40c3-8cb1-dc0df23c6b6d} = C:\WINDOWS\system32\riswi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWS\system32\datadx.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{77E68763-4284-41d6-B7E7-B6E1F053A9E7}
ButtonText = EmpirePoker : C:\Program Files\EmpirePoker\EmpirePoker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
ButtonText = PartyPoker.com : C:\Program Files\PartyPoker\PartyPoker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{B29E2E99-817C-DFFB-699C-42806839DAAD} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{71AAABE5-1F0F-11D7-BD6F-004854603DCE} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB rundll32.exe E6F1873B.DLL,D9EBC318C
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
KavSvc C:\WINDOWS\system32\khpjhn.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
c:\WINDOWS\System32\
CLAUDIO C:\PROGRA~1\XEMICO~1\Claudio\Claudio.exe
AIM "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
Window Washer C:\Program Files\Webroot\Washer\wwDisp.exe
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun
1 lockdown.exe
2 vsmain.exe
3 msconfig.exe
4 zonealarm.exe
5 zapro.exe
6 blackd.exe
7 blackice.exe
8 processmonitor.exe
9 pmon.exe
10 smc.exe
11 generics.exe
12 netstat.exe
13 ethereal.exe
14 sniffem.exe
15 monitor.exe
16 lockdown2000.exe
17 webtrap.exe
18 programauditor.exe
19 sniffem.exe
20 jammer.exe
21 ldnetmon.exe
22 safeweb.exe
23 realmon.exe
24 guw32.exe
25 regmon.exe
26 netmon.exe
27 portmon.exe
28 filemon.exe
29 scan32.exe
1 lockdown.exe
2 vsmain.exe
3 msconfig.exe
4 zonealarm.exe
5 zapro.exe
6 blackd.exe
7 blackice.exe
8 processmonitor.exe
9 pmon.exe
10 smc.exe
11 generics.exe
12 netstat.exe
13 ethereal.exe
14 sniffem.exe
15 monitor.exe
16 lockdown2000.exe
17 webtrap.exe
18 programauditor.exe
19 sniffem.exe
20 jammer.exe
21 ldnetmon.exe
22 safeweb.exe
23 realmon.exe
24 guw32.exe
25 regmon.exe
26 netmon.exe
27 portmon.exe
28 filemon.exe
29 scan32.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\windows\system32\userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager
= C:\WINDOWS\system32\soecli.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/4/2005 12:27:57 PM


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB"="rundll32.exe E6F1873B.DLL,D9EBC318C"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"KavSvc"="C:\\WINDOWS\\system32\\khpjhn.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- gmxnmts
{65e0b48b-16b7-40c3-8cb1-dc0df23c6b6d}
C:\WINDOWS\system32\riswi.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46}
C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {6EC11407-5B2E-4E25-8BDF-77445B52AB37}
C:\WINDOWS\system32\datadx.dll

==============================
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup

desktop.ini
drik.exe
Microsoft Office.lnk
==============================
C:\Documents and Settings\Zack.ZACK-S8NUPLAKD6\Start Menu\Programs\Startup

desktop.ini
drik.exe
Microsoft Office.lnk
desktop.ini
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
conres.cpl
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl140.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

#6 Skate_Punk_21

Crapware Killing Canuck!

Posted 04 August 2005 - 05:25 PM

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Now boot to Safe Mode again and double-click WinPFind.exe again (after the first fix above, we will need a fresh log).
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete:
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!

If I've helped you in any way, please consider a donation to help me continue the fight.
