HJT Log


  • This topic is locked
18 replies to this topic

#1 Persephone

Persephone

  • Members
  • 31 posts

Posted 04 August 2005 - 03:18 PM

I have no clue what I'm looking at. Would someone take a look-see? I'd most appreciate it. Thanks :thumbsup:


Logfile of HijackThis v1.99.1
Scan saved at 4:11:13, on 8/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\3dmoused.exe
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\PROGRAM FILES\ACCOONA\ASEARCHASSIST.DLL (file missing)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRAM FILES\DESKTOP ARCHITECT\DATRAY.EXE" -S
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .ply: C:\PROGRA~1\INTERN~1\PLUGINS\npPetz.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Netscape Browser\PLUGINS\NPSWF32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat 1.2 - http://cs2.chat.yahoo.com/c121/chat.cab
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://www.hearme.com/join/signup/hearme.exe
O16 - DPF: Yahoo! Chat 1.3 - http://cs3.chat.yahoo.com/c126/chat.cab
O16 - DPF: {E4B48560-123D-11d3-A73F-0060083E64FF} (Communities.com TPV Support) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
O16 - DPF: Communities.com The Palace Viewer - http://www.thepalace.com/TPV/CC_TPV.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002082...all/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.2.5.28/mahj...g-ob-assets.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 10:20 AM

Hello Persephone and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Important
Your copy of HijackThis needs to be in a folder of its own. If it is run from Temporary folders the backups and HijackThis itself could be accidentally deleted if the Temporary folders are cleaned. If it is run from the desktop then the backup files and folders can clutter up the desktop and be accidentally deleted. If it is run from inside a compressed file then the backups are not created at all.
  • Please open My Computer
  • Double-click on Local Disk (C:)
  • Click on the File menu, point to New and then click on Folder. Name the folder 'HijackThis' or 'HJT'.
  • Unzip to or copy and paste HijackThis.exe to the new folder (do not run HijackThis directly out of the sfx or compressed file).
Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\PROGRAM FILES\ACCOONA\ASEARCHASSIST.DLL (file missing)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\PROGRAM FILES\ACCOONA\ <--folder
Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

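The items OldTimer picked out of the log above follow a handful of recognisable patterns; the following added example (not code from this thread or from HijackThis) encodes them as a triage pass over HijackThis 1.99 log lines. The sample is an excerpt of the log posted in #1; the known-good host list is constructed for the example.

```python
"""Triage helper for HijackThis 1.99 log lines.

Added example, not code from this thread or from HijackThis. It encodes the
reasons behind the items OldTimer checked in post #2: IE defaults blanked
or forced to about:blank, components whose backing file is gone, an
autostart that loads a DLL through rundll32, a search URL off a known-good
host list, and an O16 download with only a generic description. SAMPLE_LOG
is an excerpt of the log posted in #1; KNOWN_GOOD_HOSTS is constructed.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\PROGRAM FILES\ACCOONA\ASEARCHASSIST.DLL (file missing)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O16 - DPF: Yahoo! Chat 1.2 - http://cs2.chat.yahoo.com/c121/chat.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
"""

# Constructed allow-list: search/download hosts the reviewer left alone here.
KNOWN_GOOD_HOSTS = {"www.yahoo.com", "cs2.chat.yahoo.com"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def host_of(text: str) -> str:
    """Hostname of the first URL in text, or '' when there is none."""
    m = URL_RE.search(text)
    if not m:
        return ""
    return urlparse(m.group(0)).hostname or ""


def reasons_for(section: str, body: str) -> list[str]:
    """Why one log line deserves the reviewer's attention (empty = leave it)."""
    out = []
    value = body.split(" = ", 1)[1].strip() if " = " in body else ""
    if section in ("R0", "R1"):
        if value == "about:blank":
            out.append("IE default page/search forced to about:blank")
        elif body.rstrip().endswith("="):
            out.append("IE setting blanked out")
        elif value.startswith("http") and host_of(value) not in KNOWN_GOOD_HOSTS:
            out.append(f"search URL points at unreviewed host {host_of(value)}")
    if section == "R3" and "is missing" in body:
        out.append("default URLSearchHook removed")
    if "(file missing)" in body or "(no file)" in body:
        out.append("registered component whose file is gone (orphaned CLSID)")
    if section == "O4" and re.search(r"\brundll32\b", body, re.I):
        out.append("autostart loads a DLL through rundll32; verify that DLL")
    if section == "O16" and "(ActiveX Control)" in body:
        out.append("downloaded ActiveX control with only a generic description")
    return out


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged line to its reasons; lines with no reason are omitted."""
    flagged = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            why = reasons_for(m["section"], m["body"])
            if why:
                flagged[raw.strip()] = why
    return flagged


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for reason in why:
            print("   ->", reason)
```

On the excerpt this flags nine of the thirteen lines, the same set OldTimer checked, and leaves the Adobe BHO, the TrojanHunter autostart and the Yahoo entries alone; a host allow-list like this is a stand-in for the reviewer's judgement, not a replacement for it.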

#3 Persephone

Persephone
  • Topic Starter

  • Members
  • 31 posts

Posted 05 August 2005 - 02:42 PM

Hello. Thanks for your help first off :thumbsup: I've gotten to step 6, but when I tried to do the scans... well, I seem to be missing my iexplorer. So I downloaded IE6 and did all that; it didn't help. I am lost :flowers:

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 02:51 PM

Hi Persephone. What happens when you start it up? Are there any messages pertaining to errors or anything else?

Try this:

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

OT


#5 Persephone

Persephone
  • Topic Starter

  • Members
  • 31 posts

Posted 05 August 2005 - 02:56 PM

After starting it says something about updating... it happened rather fast. I'll check again after I do what you have said :thumbsup:

#6 Persephone

Persephone
  • Topic Starter

  • Members
  • 31 posts

Posted 05 August 2005 - 03:34 PM

Okay, I've done what you said, and as soon as I open the WinPFind I got "file not found"... then this came up: Access violation at address 0044c273 in module winpfind.exe read of address ffffffff. I may have the numbers wrong.
I've got iexplore.exe on the D drive; is there any way I can bring it over to C? I'm sooo sorry, I have no idea what I'm doing or talking about hehe. Thank you for your patience :thumbsup:

Edited by Persephone, 05 August 2005 - 03:47 PM.


#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 05:43 PM

Hi Persephone. Has WinPFind been extracted to its own folder on the hard drive, or is it being run out of the zip file? It must be in a folder of its own along with a file named 'patterns.txt'.

Cheers.

OT


#8 Persephone

Persephone
  • Topic Starter

  • Members
  • 31 posts

Posted 05 August 2005 - 07:35 PM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 8/5/05 5:32:58 25105 c:\MTE2NzY6ODoxNg.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 9/6/04 11:43:12 1036800 c:\windows\VSAPI32.DLL
aspack 9/6/04 11:43:12 1036800 c:\windows\VSAPI32.DLL
PECompact2 9/6/04 11:43:10 9664824 c:\windows\VPTNFILE.168
aspack 7/20/02 18:11:08 180224 c:\windows\pinkheartsglitter_ss.scr
aspack 7/22/02 4:14:20 228352 c:\windows\outofmindss.scr
UPX! 8/30/04 7:04:36 17409 c:\windows\questmod.exe
UPX! 7/18/05 8:37:56 17408 c:\windows\icont.exe.tcf
UPX! 8/4/05 10:03:48 82432 c:\windows\ru.exe

Checking %System% folder...
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\IODKCS32.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\GYI32.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\RICNS4.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\EZSHARED.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\STLWAPI.DLL
Umonitor 11/3/98 1:01:02 324608 c:\windows\SYSTEM\ipebase11.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\II_NDI.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\IU50_QCX.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\SQI_CI.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\oytext32.dll
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\FZWPP.DLL
aspack 11/13/01 2:21:58 343359 c:\windows\SYSTEM\Illusion.scr
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\mbjet40.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\nWbapi32.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\DADIM.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\QRV.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\TNAPI.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\SFTUP4.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\rgaenh.dll
qoologic 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
aspack 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
SAHAgent 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\DZDIM700.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\rmg32.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\WPICORE.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\DKDIM.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\Jpngle.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\MFNET32.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\lcfpx70n.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\nGbapi32.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\mhc71.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\xnlparse.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\MLPRINT.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\llpcd80n.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\NESWAN16.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\MMR2CENU.DLL
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\ID32.DLL
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\PDRESHP.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\mcidntld.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\SXNS.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\IRITPKI.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\LIWMF80N.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\miwdat10.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\xblparse.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\DDCPROP.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\TQD32.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\VPK32116.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\MKHTMLED.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\BTTMETER.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\IJCFGDLL.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\scbapi.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\mnvcr71.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\IFNPSTUB.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\RFCLTC1.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\RXOCURS.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\LBPRXY.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\Bkt.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\mhrd3x40.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\curtc.dll
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\WBNNET16.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\MFRCLR40.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\DBWSOCK.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\CBGMGR32.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\SMSTHUNK.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\AARESX32.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\OXE32.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\cmrtc.dll
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\NGTAPI.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\DEUSIC32.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\AAIVM6AA.DLL
Umonitor 6/21/05 1:57:14 405504 c:\windows\SYSTEM\AUIVPEAA.DLL
Umonitor 7/11/05 7:03:28 405504 c:\windows\SYSTEM\DBCPCSVC.DLL
Umonitor 7/11/05 7:03:28 405504 c:\windows\SYSTEM\WWNMM.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\VQK32116.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\JXVAPRXY.DLL
Umonitor 7/11/05 7:03:28 405504 c:\windows\SYSTEM\HBK3ANIM.DLL
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\PBLCOMM.DLL
Umonitor 7/11/05 7:03:28 405504 c:\windows\SYSTEM\axl71.dll
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\MICD30.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\RRABASE.DLL
Umonitor 7/11/05 7:03:28 405504 c:\windows\SYSTEM\hrzcon12.dll
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\MCC71CHT.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\DNKMAINT.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\vcpodbc.dll
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\Smace.dll
Umonitor 7/11/05 7:03:28 405504 c:\windows\SYSTEM\ojbcjt32.dll
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\MESIP32.DLL
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\MRYUV.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\hegtpusd.dll
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\QGV.DLL
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\DN8VB.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\RRR20.DLL
Umonitor 7/14/05 1:29:26 405504 c:\windows\SYSTEM\mrxml4.dll
UPX! 7/9/05 5:03:06 433152 c:\windows\SYSTEM\aswB165.TMP
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\Tvavel.dll
UPX! 7/9/05 5:03:06 433152 c:\windows\SYSTEM\ASWBOOT.EXE
69.59.186.63 8/2/05 13:09:44 29696 c:\windows\SYSTEM\datadx.dll
209.66.67.134 8/2/05 13:09:44 29696 c:\windows\SYSTEM\datadx.dll
66.63.167.97 8/2/05 13:09:44 29696 c:\windows\SYSTEM\datadx.dll
66.63.167.77 8/2/05 13:09:44 29696 c:\windows\SYSTEM\datadx.dll
web-nex 8/2/05 13:09:44 29696 c:\windows\SYSTEM\datadx.dll
winsync 8/2/05 13:09:44 29696 c:\windows\SYSTEM\datadx.dll
rec2_run 8/2/05 13:09:44 29696 c:\windows\SYSTEM\datadx.dll
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\crrtc.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
8/5/05 7:00:48 11837472 c:\windows\SYSTEM.DAT
6/20/05 13:23:52 774176 c:\windows\HWINFO.DAT
8/5/05 6:58:02 639735 c:\windows\ShellIconCache
8/4/05 15:09:30 98724 c:\windows\ttfCache
8/5/05 7:00:48 1548320 c:\windows\USER.DAT
7/26/05 9:36:40 54156 c:\windows\QTFont.qfn
8/4/05 10:03:48 82432 c:\windows\ru.exe
7/3/05 23:37:16 10841 c:\windows\SYSTEM\ATMdftxx.GID
6/27/05 9:40:12 8192 c:\windows\SYSTEM\RATINGS.POL
8/5/05 2:15:26 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
8/5/05 2:18:40 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\OHE3S963\desktop.ini
8/5/05 2:18:42 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\MWPHNRNB\desktop.ini
8/5/05 2:18:50 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\KVUB6T4T\desktop.ini
8/5/05 2:18:52 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\YL6T0LWJ\desktop.ini
8/5/05 2:18:52 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\1TEYYGJG\desktop.ini
8/5/05 2:18:54 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\DWSFT1KP\desktop.ini
8/5/05 2:18:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\S1URCH27\desktop.ini
8/5/05 2:18:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\4UAO9SX8\desktop.ini
8/5/05 2:18:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\C1AZ09YV\desktop.ini
8/5/05 2:18:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\KD6JS5Q3\desktop.ini
8/5/05 2:19:28 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\WXQNGXSR\desktop.ini
8/5/05 2:19:32 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\0TC9QJ4X\desktop.ini
8/5/05 2:19:34 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\P4FARF1N\desktop.ini
8/5/05 2:19:40 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\FD2RGH0P\desktop.ini
8/5/05 2:19:44 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\MIYAOJYO\desktop.ini
8/5/05 2:19:48 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\YLYBCVS5\desktop.ini
8/5/05 2:22:52 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\C455XW4O\desktop.ini
8/5/05 2:23:10 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\49AZWXMR\desktop.ini
8/5/05 2:23:12 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\CG9HFGWW\desktop.ini
8/5/05 2:25:54 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\0H2NOLQJ\desktop.ini
8/5/05 2:25:54 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\6DYHGZ0R\desktop.ini
8/5/05 2:26:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\C9INSTEN\desktop.ini
8/5/05 2:26:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\RIY9KP0V\desktop.ini
8/5/05 2:26:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\OPEZ05QJ\desktop.ini
8/5/05 2:26:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\KPMR8TUF\desktop.ini
8/5/05 2:28:42 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\544A7H23\desktop.ini
8/5/05 2:31:44 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\6NVSTS9T\desktop.ini
8/5/05 2:33:24 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\YXQV4LUV\desktop.ini
8/5/05 2:34:04 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\6JQXAZO7\desktop.ini
8/5/05 2:36:04 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\8CHTBRPG\desktop.ini
8/5/05 2:36:38 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\W5MVK5EJ\desktop.ini
8/5/05 2:36:38 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\8VM5MV0J\desktop.ini
8/5/05 2:15:26 113 c:\windows\TEMP\History\History.IE5\desktop.ini
8/5/05 6:21:18 75837 c:\windows\Desktop\New Briefcase\Briefcase Database
7/22/05 12:24:00 1252 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
8/4/05 10:03:46 6 c:\windows\Tasks\SA.DAT
8/4/05 11:00:00 218 c:\windows\Tasks\3A2608649DA1F6C3.job
8/4/05 10:03:50 182 c:\windows\Tasks\RUTASK.job
7/14/05 9:57:32 227 c:\windows\assembly\Desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/14/05 10:22:42 0 C:\WINDOWS\All Users\Application Data\REGISTRY.INI

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
7/10/05 12:28:02 501 C:\WINDOWS\Application Data\dm.ini
11/25/04 23:56:20 2448 C:\WINDOWS\Application Data\dw.log
7/14/05 11:27:44 238408 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\GoBack
{6809e580-a3a7-11d1-9a00-00a0c945b006} = C:\Program Files\Wild File\GoBack\ShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = blank
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = blank
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}
ButtonText = AOL Toolbar :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
EnsoniqMixer starter.exe
Primax 3-D Mouse 3dmoused.exe
THGuard "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
avast! C:\Program Files\Alwil Software\Avast4\ashServ.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
DisablePwdCaching 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
Btn_Back 0
Btn_Forward 0
Btn_Stop 0
Btn_Refresh 0
Btn_Home 0
Btn_Search 0
Btn_History 0
Btn_Favorites 0
Btn_Folders 0
Btn_Fullscreen 0
Btn_Tools 0
Btn_MailNews 0
Btn_Size 0
Btn_Print 0
Btn_Edit 0
Btn_Discussions 0
Btn_Cut 0
Btn_Copy 0
Btn_Paste 0
Btn_Encoding 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
AVI400 C:\WINDOWS\SYSTEM\AVI400.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL

<<< WARNING! - NOT A VALID WIN98*Grinler KEY! >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit =
Shell =
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
<<< WARNING! - NOT A VALID WIN98*Grinler KEY! >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/5/05 8:21:18


Is that what you wanted me to do? :thumbsup:

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:21 PM

Posted 05 August 2005 - 09:01 PM

Hi Persephone. Ok, we have some files to remove here. Please print these directions and then proceed with the following steps in order.

Download the Pocket Killbox and unzip the contents of KillBox.zip to your desktop.
  • Open Notepad and copy/paste the text in the quotebox below into the new document

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"AVI400"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

  • Save the document to your desktop as fixreg.reg and close Notepad.
  • Locate the fixreg.reg file on your desktop and right-click on it
  • Choose Merge from the popup menu and answer Yes or Ok to any further prompts. You should get a message that the file was merged successfully.
  • Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • c:\windows\questmod.exe
      c:\windows\icont.exe.tcf
      c:\windows\ru.exe
      c:\windows\SYSTEM\IODKCS32.DLL
      c:\windows\SYSTEM\GYI32.DLL
      c:\windows\SYSTEM\RICNS4.DLL
      c:\windows\SYSTEM\EZSHARED.DLL
      c:\windows\SYSTEM\STLWAPI.DLL
      c:\windows\SYSTEM\ipebase11.dll
      c:\windows\SYSTEM\II_NDI.DLL
      c:\windows\SYSTEM\IU50_QCX.DLL
      c:\windows\SYSTEM\SQI_CI.DLL
      c:\windows\SYSTEM\oytext32.dll
      c:\windows\SYSTEM\FZWPP.DLL
      c:\windows\SYSTEM\mbjet40.dll
      c:\windows\SYSTEM\nWbapi32.dll
      c:\windows\SYSTEM\DADIM.DLL
      c:\windows\SYSTEM\QRV.DLL
      c:\windows\SYSTEM\TNAPI.DLL
      c:\windows\SYSTEM\SFTUP4.DLL
      c:\windows\SYSTEM\rgaenh.dll
      c:\windows\SYSTEM\DZDIM700.DLL
      c:\windows\SYSTEM\rmg32.dll
      c:\windows\SYSTEM\WPICORE.DLL
      c:\windows\SYSTEM\DKDIM.DLL
      c:\windows\SYSTEM\Jpngle.dll
      c:\windows\SYSTEM\MFNET32.DLL
      c:\windows\SYSTEM\lcfpx70n.dll
      c:\windows\SYSTEM\nGbapi32.dll
      c:\windows\SYSTEM\mhc71.dll
      c:\windows\SYSTEM\xnlparse.dll
      c:\windows\SYSTEM\MLPRINT.DLL
      c:\windows\SYSTEM\llpcd80n.dll
      c:\windows\SYSTEM\NESWAN16.DLL
      c:\windows\SYSTEM\MMR2CENU.DLL
      c:\windows\SYSTEM\ID32.DLL
      c:\windows\SYSTEM\PDRESHP.DLL
      c:\windows\SYSTEM\mcidntld.dll
      c:\windows\SYSTEM\SXNS.DLL
      c:\windows\SYSTEM\IRITPKI.DLL
      c:\windows\SYSTEM\LIWMF80N.DLL
      c:\windows\SYSTEM\miwdat10.dll
      c:\windows\SYSTEM\xblparse.dll
      c:\windows\SYSTEM\DDCPROP.DLL
      c:\windows\SYSTEM\TQD32.DLL
      c:\windows\SYSTEM\VPK32116.DLL
      c:\windows\SYSTEM\MKHTMLED.DLL
      c:\windows\SYSTEM\BTTMETER.DLL
      c:\windows\SYSTEM\IJCFGDLL.DLL
      c:\windows\SYSTEM\scbapi.dll
      c:\windows\SYSTEM\mnvcr71.dll
      c:\windows\SYSTEM\IFNPSTUB.DLL
      c:\windows\SYSTEM\RFCLTC1.DLL
      c:\windows\SYSTEM\RXOCURS.DLL
      c:\windows\SYSTEM\LBPRXY.DLL
      c:\windows\SYSTEM\Bkt.dll
      c:\windows\SYSTEM\mhrd3x40.dll
      c:\windows\SYSTEM\curtc.dll
      c:\windows\SYSTEM\WBNNET16.DLL
      c:\windows\SYSTEM\MFRCLR40.DLL
      c:\windows\SYSTEM\DBWSOCK.DLL
      c:\windows\SYSTEM\CBGMGR32.DLL
      c:\windows\SYSTEM\SMSTHUNK.DLL
      c:\windows\SYSTEM\AARESX32.DLL
      c:\windows\SYSTEM\OXE32.DLL
      c:\windows\SYSTEM\cmrtc.dll
      c:\windows\SYSTEM\NGTAPI.DLL
      c:\windows\SYSTEM\DEUSIC32.DLL
      c:\windows\SYSTEM\AAIVM6AA.DLL
      c:\windows\SYSTEM\AUIVPEAA.DLL
      c:\windows\SYSTEM\DBCPCSVC.DLL
      c:\windows\SYSTEM\WWNMM.DLL
      c:\windows\SYSTEM\VQK32116.DLL
      c:\windows\SYSTEM\JXVAPRXY.DLL
      c:\windows\SYSTEM\HBK3ANIM.DLL
      c:\windows\SYSTEM\PBLCOMM.DLL
      c:\windows\SYSTEM\axl71.dll
      c:\windows\SYSTEM\MICD30.DLL
      c:\windows\SYSTEM\RRABASE.DLL
      c:\windows\SYSTEM\hrzcon12.dll
      c:\windows\SYSTEM\MCC71CHT.DLL
      c:\windows\SYSTEM\DNKMAINT.DLL
      c:\windows\SYSTEM\vcpodbc.dll
      c:\windows\SYSTEM\Smace.dll
      c:\windows\SYSTEM\ojbcjt32.dll
      c:\windows\SYSTEM\MESIP32.DLL
      c:\windows\SYSTEM\MRYUV.DLL
      c:\windows\SYSTEM\hegtpusd.dll
      c:\windows\SYSTEM\QGV.DLL
      c:\windows\SYSTEM\DN8VB.DLL
      c:\windows\SYSTEM\RRR20.DLL
      c:\windows\SYSTEM\mrxml4.dll
      c:\windows\SYSTEM\Tvavel.dll
      c:\windows\SYSTEM\datadx.dll
      c:\windows\SYSTEM\crrtc.dll
      c:\windows\ru.exe
      3A2608649DA1F6C3.job
      c:\windows\Tasks\RUTASK.job
      C:\WINDOWS\All Users\Application Data\REGISTRY.INI
      C:\WINDOWS\SYSTEM\AVI400.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
  • Reboot and post a new HijackThis log along with a new WinPFind log
I will review the new information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
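The REGEDIT4 file in the post above relies on two pieces of .reg syntax that the post does not spell out: `"Name"=-` deletes a single value under the key named in the preceding `[...]` line, and `[-Key]` deletes the whole key with its subkeys. The script below is an added example, not part of the original post and not Microsoft's or any cleanup tool's code: it builds the same fixreg.reg from a plain description and parses such a file back into a review list, so the deletions can be checked before the merge. The function names, the `Action` record and the "set_value" label for any other line are the example's own choices.

```python
"""Build a REGEDIT4 fix file and preview what it will delete before merging.

Added example; not from the thread and not from Microsoft. Syntax handled:
  [KEY]       select (create if absent) KEY for the value lines that follow
  [-KEY]      delete KEY and all of its subkeys
  "Name"=-    delete the value Name under the current key
  @=...       the key's default value
Any other value line is reported as a plain "set_value" action.
"""
from __future__ import annotations

from typing import NamedTuple, Optional


class Action(NamedTuple):
    kind: str            # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str]  # value name; None for key-level actions


def build_reg_fix(delete_values: dict[str, list[str]], delete_keys: list[str]) -> str:
    """Emit a REGEDIT4 file: the header the Win98 regedit reads, then the actions."""
    lines = ["REGEDIT4", ""]
    for key, names in delete_values.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    for key in delete_keys:
        lines.append(f"[-{key}]")
    lines.append("")
    return "\n".join(lines)


def parse_reg_fix(text: str) -> list[Action]:
    """Read a REGEDIT4 file back into the list of actions it would perform."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file; the Win98 regedit reads no other header")
    actions: list[Action] = []
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[-") and line.endswith("]"):
            actions.append(Action("delete_key", line[2:-1], None))
            current = None                # no value lines may follow a deleted key
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        else:
            if current is None:
                raise ValueError(f"value line outside a key: {raw!r}")
            name, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"malformed value line: {raw!r}")
            name = "(Default)" if name == "@" else name.strip('"')
            kind = "delete_value" if value == "-" else "set_value"
            actions.append(Action(kind, current, name))
    return actions


def describe(actions: list[Action]) -> list[str]:
    """One human-readable line per action, for review before merging."""
    out = []
    for a in actions:
        if a.kind == "delete_key":
            out.append(f"DELETE KEY   {a.key}")
        elif a.kind == "delete_value":
            out.append(f"DELETE VALUE {a.key}\\{a.name}")
        else:
            out.append(f"SET VALUE    {a.key}\\{a.name}")
    return out


# The fix from the post above, expressed as data.
FIX_VALUES = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run": ["AVI400"],
}
FIX_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
]

if __name__ == "__main__":
    text = build_reg_fix(FIX_VALUES, FIX_KEYS)
    print(text)
    for line in describe(parse_reg_fix(text)):
        print(line)
```

Run it and compare the DELETE lines against the WinPFind output before merging: the two `[-...]` keys are the ones WinPFind flagged as not valid on Win98, and the `policies\Explorer\Run` value is the AVI400 autostart, so nothing else should appear in the review list.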


#10 Persephone

Persephone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:21 PM

Posted 05 August 2005 - 10:37 PM

I've done what you have told me, but when I open Killbox there is nothing there to highlight. I'm not sure what to do. :thumbsup:


Okay, I think I've managed to find the files, but if it is the right way it would take me a week to find them all. And then when I do find one, when I press Ctrl and C nothing happens. I really don't think I'm doing this right.

Edited by Persephone, 05 August 2005 - 11:18 PM.


#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:21 PM

Posted 06 August 2005 - 09:13 AM

Hi Persephone. When you highlight the files and press Ctrl-C you won't see anything happen. The files are copied to the Windows clipboard. Just follow the directions as laid out to then paste that list from the clipboard to the Killbox program.

Cheers.

OT


#12 Persephone

Persephone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:21 PM

Posted 06 August 2005 - 12:35 PM

Mornin' OldTimer :thumbsup: I've gone through the list and did what you said to all the ones I could find... which was most of them... okay, ready? When I do the paste from clipboard nothing shows up in the files to delete.

I bet you would like me to jump in a lake huh? :flowers:

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:09:21 PM

Posted 06 August 2005 - 12:55 PM

Hi Persephone. Unfortunately then you will have to delete them all manually.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
c:\windows\questmod.exe
c:\windows\icont.exe.tcf
c:\windows\ru.exe
c:\windows\SYSTEM\IODKCS32.DLL
c:\windows\SYSTEM\GYI32.DLL
c:\windows\SYSTEM\RICNS4.DLL
c:\windows\SYSTEM\EZSHARED.DLL
c:\windows\SYSTEM\STLWAPI.DLL
c:\windows\SYSTEM\ipebase11.dll
c:\windows\SYSTEM\II_NDI.DLL
c:\windows\SYSTEM\IU50_QCX.DLL
c:\windows\SYSTEM\SQI_CI.DLL
c:\windows\SYSTEM\oytext32.dll
c:\windows\SYSTEM\FZWPP.DLL
c:\windows\SYSTEM\mbjet40.dll
c:\windows\SYSTEM\nWbapi32.dll
c:\windows\SYSTEM\DADIM.DLL
c:\windows\SYSTEM\QRV.DLL
c:\windows\SYSTEM\TNAPI.DLL
c:\windows\SYSTEM\SFTUP4.DLL
c:\windows\SYSTEM\rgaenh.dll
c:\windows\SYSTEM\DZDIM700.DLL
c:\windows\SYSTEM\rmg32.dll
c:\windows\SYSTEM\WPICORE.DLL
c:\windows\SYSTEM\DKDIM.DLL
c:\windows\SYSTEM\Jpngle.dll
c:\windows\SYSTEM\MFNET32.DLL
c:\windows\SYSTEM\lcfpx70n.dll
c:\windows\SYSTEM\nGbapi32.dll
c:\windows\SYSTEM\mhc71.dll
c:\windows\SYSTEM\xnlparse.dll
c:\windows\SYSTEM\MLPRINT.DLL
c:\windows\SYSTEM\llpcd80n.dll
c:\windows\SYSTEM\NESWAN16.DLL
c:\windows\SYSTEM\MMR2CENU.DLL
c:\windows\SYSTEM\ID32.DLL
c:\windows\SYSTEM\PDRESHP.DLL
c:\windows\SYSTEM\mcidntld.dll
c:\windows\SYSTEM\SXNS.DLL
c:\windows\SYSTEM\IRITPKI.DLL
c:\windows\SYSTEM\LIWMF80N.DLL
c:\windows\SYSTEM\miwdat10.dll
c:\windows\SYSTEM\xblparse.dll
c:\windows\SYSTEM\DDCPROP.DLL
c:\windows\SYSTEM\TQD32.DLL
c:\windows\SYSTEM\VPK32116.DLL
c:\windows\SYSTEM\MKHTMLED.DLL
c:\windows\SYSTEM\BTTMETER.DLL
c:\windows\SYSTEM\IJCFGDLL.DLL
c:\windows\SYSTEM\scbapi.dll
c:\windows\SYSTEM\mnvcr71.dll
c:\windows\SYSTEM\IFNPSTUB.DLL
c:\windows\SYSTEM\RFCLTC1.DLL
c:\windows\SYSTEM\RXOCURS.DLL
c:\windows\SYSTEM\LBPRXY.DLL
c:\windows\SYSTEM\Bkt.dll
c:\windows\SYSTEM\mhrd3x40.dll
c:\windows\SYSTEM\curtc.dll
c:\windows\SYSTEM\WBNNET16.DLL
c:\windows\SYSTEM\MFRCLR40.DLL
c:\windows\SYSTEM\DBWSOCK.DLL
c:\windows\SYSTEM\CBGMGR32.DLL
c:\windows\SYSTEM\SMSTHUNK.DLL
c:\windows\SYSTEM\AARESX32.DLL
c:\windows\SYSTEM\OXE32.DLL
c:\windows\SYSTEM\cmrtc.dll
c:\windows\SYSTEM\NGTAPI.DLL
c:\windows\SYSTEM\DEUSIC32.DLL
c:\windows\SYSTEM\AAIVM6AA.DLL
c:\windows\SYSTEM\AUIVPEAA.DLL
c:\windows\SYSTEM\DBCPCSVC.DLL
c:\windows\SYSTEM\WWNMM.DLL
c:\windows\SYSTEM\VQK32116.DLL
c:\windows\SYSTEM\JXVAPRXY.DLL
c:\windows\SYSTEM\HBK3ANIM.DLL
c:\windows\SYSTEM\PBLCOMM.DLL
c:\windows\SYSTEM\axl71.dll
c:\windows\SYSTEM\MICD30.DLL
c:\windows\SYSTEM\RRABASE.DLL
c:\windows\SYSTEM\hrzcon12.dll
c:\windows\SYSTEM\MCC71CHT.DLL
c:\windows\SYSTEM\DNKMAINT.DLL
c:\windows\SYSTEM\vcpodbc.dll
c:\windows\SYSTEM\Smace.dll
c:\windows\SYSTEM\ojbcjt32.dll
c:\windows\SYSTEM\MESIP32.DLL
c:\windows\SYSTEM\MRYUV.DLL
c:\windows\SYSTEM\hegtpusd.dll
c:\windows\SYSTEM\QGV.DLL
c:\windows\SYSTEM\DN8VB.DLL
c:\windows\SYSTEM\RRR20.DLL
c:\windows\SYSTEM\mrxml4.dll
c:\windows\SYSTEM\Tvavel.dll
c:\windows\SYSTEM\datadx.dll
c:\windows\SYSTEM\crrtc.dll
c:\windows\ru.exe
3A2608649DA1F6C3.job
c:\windows\Tasks\RUTASK.job
C:\WINDOWS\All Users\Application Data\REGISTRY.INI
C:\WINDOWS\SYSTEM\AVI400.exe

Post back a new HijackThis log and a new WinPFind log.

Cheers.

OT


#14 Persephone

Persephone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:21 PM

Posted 06 August 2005 - 08:54 PM

Evening OldTimer :thumbsup: It's done and here ya go...

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 9/6/04 11:43:12 1036800 c:\windows\VSAPI32.DLL
aspack 9/6/04 11:43:12 1036800 c:\windows\VSAPI32.DLL
PECompact2 9/6/04 11:43:10 9664824 c:\windows\VPTNFILE.168
aspack 7/20/02 18:11:08 180224 c:\windows\pinkheartsglitter_ss.scr
aspack 7/22/02 4:14:20 228352 c:\windows\outofmindss.scr

Checking %System% folder...
aspack 11/13/01 2:21:58 343359 c:\windows\SYSTEM\Illusion.scr
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\MQDMO.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\IC32.DLL
qoologic 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
aspack 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
SAHAgent 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
UPX! 7/9/05 5:03:06 433152 c:\windows\SYSTEM\aswB165.TMP
UPX! 7/9/05 5:03:06 433152 c:\windows\SYSTEM\ASWBOOT.EXE
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\UJDM16.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\mkxml4r.dll
UPX! 8/5/05 14:22:52 67072 c:\windows\SYSTEM\hpzght.exe
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\MRR2CENU.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\DYTIME.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\JLVAPRXY.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
8/6/05 9:25:40 11837472 c:\windows\SYSTEM.DAT
6/20/05 13:23:52 774176 c:\windows\HWINFO.DAT
8/4/05 15:09:30 98724 c:\windows\ttfCache
8/6/05 9:42:14 1548320 c:\windows\USER.DAT
7/26/05 9:36:40 54156 c:\windows\QTFont.qfn
7/3/05 23:37:16 10841 c:\windows\SYSTEM\ATMdftxx.GID
6/27/05 9:40:12 8192 c:\windows\SYSTEM\RATINGS.POL
8/5/05 2:15:26 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
8/5/05 2:18:40 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\OHE3S963\desktop.ini
8/5/05 2:18:42 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\MWPHNRNB\desktop.ini
8/5/05 2:18:50 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\KVUB6T4T\desktop.ini
8/5/05 2:18:52 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\YL6T0LWJ\desktop.ini
8/5/05 2:18:52 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\1TEYYGJG\desktop.ini
8/5/05 2:18:54 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\DWSFT1KP\desktop.ini
8/5/05 2:18:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\S1URCH27\desktop.ini
8/5/05 2:18:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\4UAO9SX8\desktop.ini
8/5/05 2:18:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\C1AZ09YV\desktop.ini
8/5/05 2:18:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\KD6JS5Q3\desktop.ini
8/5/05 2:19:28 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\WXQNGXSR\desktop.ini
8/5/05 2:19:32 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\0TC9QJ4X\desktop.ini
8/5/05 2:19:34 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\P4FARF1N\desktop.ini
8/5/05 2:19:40 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\FD2RGH0P\desktop.ini
8/5/05 2:19:44 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\MIYAOJYO\desktop.ini
8/5/05 2:19:48 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\YLYBCVS5\desktop.ini
8/5/05 2:22:52 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\C455XW4O\desktop.ini
8/5/05 2:23:10 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\49AZWXMR\desktop.ini
8/5/05 2:23:12 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\CG9HFGWW\desktop.ini
8/5/05 2:25:54 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\0H2NOLQJ\desktop.ini
8/5/05 2:25:54 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\6DYHGZ0R\desktop.ini
8/5/05 2:26:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\C9INSTEN\desktop.ini
8/5/05 2:26:56 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\RIY9KP0V\desktop.ini
8/5/05 2:26:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\OPEZ05QJ\desktop.ini
8/5/05 2:26:58 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\KPMR8TUF\desktop.ini
8/5/05 2:28:42 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\544A7H23\desktop.ini
8/5/05 2:31:44 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\6NVSTS9T\desktop.ini
8/5/05 2:33:24 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\YXQV4LUV\desktop.ini
8/5/05 2:34:04 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\6JQXAZO7\desktop.ini
8/5/05 2:36:04 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\8CHTBRPG\desktop.ini
8/5/05 2:36:38 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\W5MVK5EJ\desktop.ini
8/5/05 2:36:38 67 c:\windows\TEMP\Temporary Internet Files\Content.IE5\8VM5MV0J\desktop.ini
8/5/05 2:15:26 113 c:\windows\TEMP\History\History.IE5\desktop.ini
8/5/05 6:21:18 75837 c:\windows\Desktop\New Briefcase\Briefcase Database
7/22/05 12:24:00 1252 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
8/4/05 10:03:46 6 c:\windows\Tasks\SA.DAT
8/4/05 11:00:00 218 c:\windows\Tasks\3A2608649DA1F6C3.job
8/4/05 10:03:50 182 c:\windows\Tasks\RUTASK.job
7/14/05 9:57:32 227 c:\windows\assembly\Desktop.ini

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
7/10/05 12:28:02 501 C:\WINDOWS\Application Data\dm.ini
11/25/04 23:56:20 2448 C:\WINDOWS\Application Data\dw.log
7/14/05 11:27:44 238408 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\GoBack
{6809e580-a3a7-11d1-9a00-00a0c945b006} = C:\Program Files\Wild File\GoBack\ShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = blank
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = blank
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}
ButtonText = AOL Toolbar :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
EnsoniqMixer starter.exe
Primax 3-D Mouse 3dmoused.exe
THGuard "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
avast! C:\Program Files\Alwil Software\Avast4\ashServ.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
DisablePwdCaching 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
Btn_Back 0
Btn_Forward 0
Btn_Stop 0
Btn_Refresh 0
Btn_Home 0
Btn_Search 0
Btn_History 0
Btn_Favorites 0
Btn_Folders 0
Btn_Fullscreen 0
Btn_Tools 0
Btn_MailNews 0
Btn_Size 0
Btn_Print 0
Btn_Edit 0
Btn_Discussions 0
Btn_Cut 0
Btn_Copy 0
Btn_Paste 0
Btn_Encoding 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
AOLCDL C:\WINDOWS\SYSTEM\AOLCDL.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


Scan Complete
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/6/05 9:43:01




Logfile of HijackThis v1.99.1
Scan saved at 9:25:45, on 8/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\3dmoused.exe
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .ply: C:\PROGRA~1\INTERN~1\PLUGINS\npPetz.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Netscape Browser\PLUGINS\NPSWF32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat 1.2 - http://cs2.chat.yahoo.com/c121/chat.cab
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://www.hearme.com/join/signup/hearme.exe
O16 - DPF: Yahoo! Chat 1.3 - http://cs3.chat.yahoo.com/c126/chat.cab
O16 - DPF: {E4B48560-123D-11d3-A73F-0060083E64FF} (Communities.com TPV Support) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
O16 - DPF: Communities.com The Palace Viewer - http://www.thepalace.com/TPV/CC_TPV.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002082...all/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.2.5.28/mahj...g-ob-assets.cab

Edited by Persephone, 06 August 2005 - 08:55 PM.


#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:09:21 PM

Posted 06 August 2005 - 09:29 PM

Hi Persephone. That looks better. We still have a few files to delete so let's do this again.

Step #1

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"AOLCDL"=-


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer into DOS mode.

Step #2

Start in DOS Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Command Prompt only menu item.
  • Press the Enter key.
Now type each of the command lines below and press the Enter key after each one.
cd\windows\system
attrib -s -h -r MQDMO.DLL
del MQDMO.DLL
attrib -s -h -r IC32.DLL
del IC32.DLL
attrib -s -h -r UJDM16.DLL
del UJDM16.DLL
attrib -s -h -r mkxml4r.dll
del mkxml4r.dll
attrib -s -h -r hpzght.exe
del hpzght.exe
attrib -s -h -r MRR2CENU.DLL
del MRR2CENU.DLL
attrib -s -h -r DYTIME.DLL
del DYTIME.DLL
attrib -s -h -r JLVAPRXY.DLL
del JLVAPRXY.DLL
attrib -s -h -r AOLCDL.exe
del AOLCDL.exe
cd..
cd tasks
attrib -s -h -r 3A2608649DA1F6C3.job
del 3A2608649DA1F6C3.job
attrib -s -h -r RUTASK.job
del RUTASK.job

Step #3

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

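The deletion list in the post above was read off the WinPFind %System% section by eye: seven "Umonitor" hits with different names but one size (405504 bytes) and one timestamp (7/21/05 7:05:28), plus hpzght.exe, a UPX-packed executable stamped the day before the scan. The script below is an added example, not part of the original thread and not WinPFind's own code: it parses that section, applies the two rules as stated heuristics, and prints the attrib/del pairs used in the "Command Prompt only" step. The thresholds (three or more files per cluster, packed executables no older than seven days) are assumptions chosen to fit this log; the cluster minimum is three rather than two because the legitimate avast pair ASWBOOT.EXE and aswB165.TMP in the same log also share size and timestamp. The sample log lines are copied from the post above.

```python
"""Triage heuristics over the %System% section of a WinPFind log.

Added example: not part of the original thread and not WinPFind's own code.
Two assumed rules reproduce the expert's %System% deletion list above:
  1. three or more differently named files sharing one size and one
     timestamp (the seven "Umonitor" hits, dropped in a single pass);
  2. a packer-tagged executable modified in the week before the scan
     (hpzght.exe, stamped the day before the scan).
The cluster threshold is 3, not 2, because a legitimate pair such as
ASWBOOT.EXE and its aswB165.TMP copy also share size and timestamp.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample: the %System% lines copied from the WinPFind log above.
SAMPLE_LOG = r"""aspack 11/13/01 2:21:58 343359 c:\windows\SYSTEM\Illusion.scr
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\MQDMO.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\IC32.DLL
qoologic 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
aspack 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
SAHAgent 10/24/04 2:40:16 7134544 c:\windows\SYSTEM\pav.sig
UPX! 7/9/05 5:03:06 433152 c:\windows\SYSTEM\aswB165.TMP
UPX! 7/9/05 5:03:06 433152 c:\windows\SYSTEM\ASWBOOT.EXE
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\UJDM16.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\mkxml4r.dll
UPX! 8/5/05 14:22:52 67072 c:\windows\SYSTEM\hpzght.exe
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\MRR2CENU.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\DYTIME.DLL
Umonitor 7/21/05 7:05:28 405504 c:\windows\SYSTEM\JLVAPRXY.DLL
"""
# Taken from the same log's "Scan completed on 8/6/05" footer.
SCAN_DATE = datetime(2005, 8, 6)

PACKER_TAGS = {"UPX!", "aspack", "PECompact2"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".ocx", ".sys")

# tag  m/d/yy  h:mm:ss  size  path   (the path may contain spaces)
LINE_RE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<date>\d+/\d+/\d+)\s+(?P<time>\d+:\d+:\d+)\s+"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s*$"
)


class Hit(NamedTuple):
    tag: str
    stamp: datetime
    size: int
    path: str


def parse_winpfind(text: str) -> list[Hit]:
    """Keep only the tagged file lines; section headers and blanks are skipped."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        hits.append(Hit(m["tag"], stamp, int(m["size"]), m["path"]))
    return hits


def dropped_in_batch(hits: list[Hit], min_cluster: int = 3) -> set[str]:
    """Rule 1: distinct paths sharing (size, timestamp), min_cluster or more of them."""
    groups: dict[tuple[int, datetime], set[str]] = defaultdict(set)
    for h in hits:
        groups[(h.size, h.stamp)].add(h.path)
    flagged: set[str] = set()
    for paths in groups.values():
        if len(paths) >= min_cluster:
            flagged |= paths
    return flagged


def freshly_packed(hits: list[Hit], scan_date: datetime,
                   max_age: timedelta = timedelta(days=7)) -> set[str]:
    """Rule 2: packer-tagged executable written within max_age before the scan."""
    flagged: set[str] = set()
    for h in hits:
        age = scan_date - h.stamp
        if (h.tag in PACKER_TAGS and h.path.lower().endswith(EXECUTABLE_EXT)
                and timedelta(0) <= age <= max_age):
            flagged.add(h.path)
    return flagged


def find_suspects(text: str, scan_date: datetime) -> list[str]:
    """Union of both rules, sorted so the output is stable."""
    hits = parse_winpfind(text)
    return sorted(dropped_in_batch(hits) | freshly_packed(hits, scan_date))


def dos_delete_commands(paths: list[str]) -> list[str]:
    """The attrib/del pair from the 'Command Prompt only' step, one per file."""
    cmds: list[str] = []
    for p in paths:
        cmds.append(f"attrib -s -h -r {p}")
        cmds.append(f"del {p}")
    return cmds


if __name__ == "__main__":
    for cmd in dos_delete_commands(find_suspects(SAMPLE_LOG, SCAN_DATE)):
        print(cmd)
```

Two caveats before typing the output into real-mode DOS: the paths here all fit 8.3 names, which the Win98 "Command Prompt only" environment needs, and the rules are triage, not verdicts. A cluster of identical files can also be a legitimate installer's copies, which is why the example demands three rather than two and why the expert asked for fresh logs after every pass rather than deleting on a single heuristic.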



