loadingwebsite.com, etc.. can't get rid of


21 replies to this topic

#1 Jotodd

  • Members
  • 12 posts

Posted 04 August 2005 - 07:03 PM

Hi, I am using Windows 98 - I have no idea how to get rid of these pop ups or even where they came from, other than perhaps my kids. I have run AVG and Ad-Aware and still can't get rid of them. I downloaded HijackThis and the following is my log.

(moderator edit: moved log to HJT forum for team review. jgweed)

Logfile of HijackThis v1.99.1
Scan saved at 4:33:39 PM, on 8/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\YAHOO!\YPSR\YPSR.EXE
C:\WINDOWS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YT.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [M6j] C:\WINDOWS\M6J.EXE
O4 - HKLM\..\Run: [q43P36W] TLB42LOC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] C:\Program Files\HP CD-Writer\VERITAS StorageGuard\SGTRAY.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [xql] C:\WINDOWS\xql.exe
O4 - HKCU\..\Run: [b3sFRWanO] VBRAPI16.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...351/mcfscan.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.0.46/popf...u-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.3.0.46/swee...h-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.1.3.28/mlsl...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.2.51/whac...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.66/word...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game5.pogo.com/applet-6.1.3.21/domi...o-ob-assets.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb06.pogo.com/game/deluxe/insa...aploader_v6.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.2.51/vide...k-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.5.28/word...p-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/back...n-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.1.4.22/flin...r-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/wate...l-ob-assets.cab
O16 - DPF: Animal Ark by pogo - http://playweb03.pogo.com/applet-6.0.4.37/...l-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.com/applet-6.1.2.25/chec...s-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.31/popp...t-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.0.53/jumb...e-ob-assets.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...bridge-c292.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/vid...r-ob-assets.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.28/hear...s-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.3.0.46/supe...o-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.4.37/ccta...k-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.1.3.21/jigs...w-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.1.1.21/slot...i-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.5.28/pino...e-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.1.1.29/worl...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.28/spid...r-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.2.2.51/mahj...g-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/sque...s-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.1.3.21/turb...1-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/free...l-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.5.28/lott...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/pool...l-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/popp...2-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/draw...r-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/harv...t-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/ches...2-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.3.0.46/blac...k-ob-assets.cab
O16 - DPF: Vert Skater by pogo - http://game1.pogo.com/applet-6.2.0.30/vert...r-ob-assets.cab
O16 - DPF: Quick Shot by pogo - http://game1.pogo.com/applet-6.2.0.30/quic...t-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.37/slot...z-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/cana...a-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/peak...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paig...w-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spad...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.41/chec...g-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.3.0.53/slot...a-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.5.28/aces...s-ob-assets.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c18.cab
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.5.28/omah...a-ob-assets.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.3.0.46/keno...o-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/crib...e-ob-assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.2.4.23/euch...e-ob-assets.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://lakesidecamp.myphotos.cc:8080/activ...sCamControl.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.46/popp...a-ob-assets.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Any help and/or suggestions would be greatly appreciated. Thank you in advance.

JoAnna

Edited by jgweed, 04 August 2005 - 11:08 PM.



#2 OldTimer

Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 11:53 AM

Hello Jotodd and welcome to the BC malware forum. Let's start by having a few of these files checked out.

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to these files on your hard drive and submit them for a scan:
  • C:\WINDOWS\M6J.EXE
  • TLB42LOC.EXE (search for this file)
  • C:\WINDOWS\xql.exe
  • VBRAPI16.EXE (search for this file)

Several scanning engines will be used to check the files for any threats. Please post the results of the scans back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Jotodd

  • Topic Starter
  • Members
  • 12 posts

Posted 05 August 2005 - 05:19 PM

Hi OT,

I tried to scan them and browse them, couldn't find the ones you asked me to search for and it all came up with this message...

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Am I doing something wrong? A blonde moment perhaps :thumbsup:

Jo

#4 OldTimer

Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 06:05 PM

Hi Jotodd. Let's see if we can find them ourselves. Open Windows Explorer and navigate to the C:\WINDOWS\ folder. In the right-hand pane click on the column heading for Name to sort the files by name. Scroll down through the list of files and see if these 2 files are there:
  • M6J.EXE
  • xql.exe

Now, in the left-hand pane, right-click on the (C:) drive and select Find from the menu. Type TLB42LOC.EXE into the Named: editbox and click the Find Now button. Write down all locations if this file is found.

Repeat the above find for the VBRAPI16.EXE file.

Post the information back here.

Cheers.

OT

#5 Jotodd

  • Topic Starter
  • Members
  • 12 posts

Posted 06 August 2005 - 02:10 PM

Hi OT,

There are no files found for either one of them.

TY
Jo

#6 OldTimer

Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 06 August 2005 - 02:28 PM

Hi Jotodd. Ok, then let's get rid of all those entries.

Step #1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
  • R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
  • O4 - HKLM\..\Run: [M6j] C:\WINDOWS\M6J.EXE
  • O4 - HKLM\..\Run: [q43P36W] TLB42LOC.EXE
  • O4 - HKLM\..\Run: [xql] C:\WINDOWS\xql.exe
  • O4 - HKCU\..\Run: [b3sFRWanO] VBRAPI16.EXE
  • O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...bridge-c292.cab
  • O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc.../bridge-c18.cab
  • O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Reboot the machine to finish the fix.

Step #2

Please run at least 2 of the following on-line virus scans:
  • Bitdefender <<<Add a check by 'Autoclean'.
  • RAV <<<Add a check by 'Autoclean', leave everything else as is.
  • eTrust <<<'Cure' whatever is found, then delete if unsuccessful.
  • Housecall <<<Put on 'Autoclean' and delete what it can't clean.
  • Panda ActiveScan <<<Accept default settings.
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #3

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #4

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
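As an added example (not part of this thread, and not a BleepingComputer or HijackThis tool), the script below applies the reasoning OldTimer used in Step #1 to a constructed excerpt of a HijackThis v1.99.1 log: it flags O4 Run entries whose program has no directory or sits directly in the Windows folder under an unrecognised value name, and O16 DPF downloads from hosts outside the vendors seen elsewhere in the log. The allowlists and heuristics are assumptions built from this thread, not an official list.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not an official tool)."""
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [M6j] C:\WINDOWS\M6J.EXE
O4 - HKLM\..\Run: [q43P36W] TLB42LOC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [xql] C:\WINDOWS\xql.exe
O4 - HKCU\..\Run: [b3sFRWanO] VBRAPI16.EXE
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.28/hear...s-ob-assets.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...bridge-c292.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
"""

# O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O16 - DPF: descriptive name or CLSID - download URL
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.*?) - (?P<url>\S+)$")

# Run value names that are standard on Windows 9x or belong to software visible in the
# log (assumed allowlist; an analyst extends this for the machine in front of them).
KNOWN_RUN_NAMES = {"LoadPowerProfile", "SystemTray", "LexStart", "ScanRegistry",
                   "TaskMonitor", "HPDJ Taskbar Utility", "TkBellExe", "StorageGuard",
                   "Adaptec DirectCD", "HP CD-Writer", "AVG7_CC", "AVG7_AMSVR"}
# Domains whose ActiveX packages appear legitimately in the thread's logs (assumed allowlist).
KNOWN_DPF_HOSTS = ("pogo.com", "yimg.com", "mcafee.com", "pandasoftware.com",
                   "trendmicro.com", "ca.com", "bitdefender.com")


def _executable(cmd):
    """Return the program token of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def suspicious_o4(name, cmd):
    """Unknown value name whose program is a bare filename resolved via PATH
    (e.g. TLB42LOC.EXE) or sits directly in the Windows folder (e.g. C:\\WINDOWS\\M6J.EXE)."""
    if name in KNOWN_RUN_NAMES:
        return False
    exe = _executable(cmd)
    if "\\" not in exe:
        return True
    folder = exe.rsplit("\\", 1)[0].upper()
    return folder in ("C:\\WINDOWS", "%WINDIR%")


def suspicious_o16(url):
    """DPF download whose host is not one of the vendors already known from the log."""
    host = (urlparse(url).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in KNOWN_DPF_HOSTS)


def triage(log_text):
    """Return {'O4': [value names], 'O16': [hosts]} for entries an analyst should review."""
    findings = {"O4": [], "O16": []}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m and suspicious_o4(m["name"], m["cmd"]):
            findings["O4"].append(m["name"])
            continue
        m = O16_RE.match(line)
        if m and suspicious_o16(m["url"]):
            findings["O16"].append(urlparse(m["url"]).hostname)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, "->", ", ".join(items))
```

The flagged O4 names and O16 hosts match exactly the Run keys and windupdates/icannnews downloads OldTimer selected for Fix Checked; the Yahoo R0/R1 lines are left for manual review, since the same host later survives in the log he calls clean.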

#7 Jotodd

  • Topic Starter
  • Members
  • 12 posts

Posted 07 August 2005 - 01:57 PM

Hi OT,

I ran Housecall, which found 5 and fixed them. I ran BitDefender, which found 18; 3 of them couldn't be repaired so I deleted them. They were from AOL AIM. I ran Ad-Aware SE, which found 216 files, so I quarantined and deleted them. I tried running Panda and got an error message, so it wouldn't complete. During all of the scans I still had the pop ups, but not from loadingwebsite, from some other ones. So far as I am typing this I don't have any yet, but we will see. I rebooted and ran HijackThis and here is the log...

Logfile of HijackThis v1.99.1
Scan saved at 2:58:27 PM, on 8/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YT.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] C:\Program Files\HP CD-Writer\VERITAS StorageGuard\SGTRAY.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...351/mcfscan.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.0.46/popf...u-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.3.0.46/swee...h-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.1.3.28/mlsl...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.2.51/whac...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.66/word...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game5.pogo.com/applet-6.1.3.21/domi...o-ob-assets.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb06.pogo.com/game/deluxe/insa...aploader_v6.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.2.51/vide...k-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.5.28/word...p-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/back...n-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.1.4.22/flin...r-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/wate...l-ob-assets.cab
O16 - DPF: Animal Ark by pogo - http://playweb03.pogo.com/applet-6.0.4.37/...l-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.com/applet-6.1.2.25/chec...s-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.31/popp...t-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.0.53/jumb...e-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/vid...r-ob-assets.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.28/hear...s-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.3.0.46/supe...o-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.4.37/ccta...k-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.1.3.21/jigs...w-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.1.1.21/slot...i-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.5.28/pino...e-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.1.1.29/worl...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.28/spid...r-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.2.2.51/mahj...g-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/sque...s-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.1.3.21/turb...1-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/free...l-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.5.28/lott...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/pool...l-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/popp...2-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/draw...r-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/harv...t-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/ches...2-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.3.0.46/blac...k-ob-assets.cab
O16 - DPF: Vert Skater by pogo - http://game1.pogo.com/applet-6.2.0.30/vert...r-ob-assets.cab
O16 - DPF: Quick Shot by pogo - http://game1.pogo.com/applet-6.2.0.30/quic...t-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.37/slot...z-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/cana...a-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/peak...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paig...w-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spad...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.41/chec...g-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.3.0.53/slot...a-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.5.28/aces...s-ob-assets.cab
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.5.28/omah...a-ob-assets.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.3.0.46/keno...o-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/crib...e-ob-assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.2.4.23/euch...e-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.46/popp...a-ob-assets.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab


Was a day and 1/2 process so I hope it works :thumbsup:
TY
JO

#8 Jotodd

  • Topic Starter
  • Members
  • 12 posts

Posted 07 August 2005 - 05:11 PM

Hi OT,

Quick update: pop ups are back in full force; this one is searc-h.com. I don't even have my browser up and they pop up one right after the other. :thumbsup:

TY Jo

#9 OldTimer

Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 07 August 2005 - 11:02 PM

Hi Jotodd. The log is clean, so we will have to look elsewhere for problems.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT

#10 Jotodd

  • Topic Starter
  • Members
  • 12 posts

Posted 13 August 2005 - 10:56 AM

Hi OT,

I have tried and tried to run the scan but it never finishes it - let it run overnight too and it didn't finish. Any suggestions?

TY

Jo

#11 Jotodd

  • Topic Starter
  • Members
  • 12 posts

Posted 13 August 2005 - 04:13 PM

Hi OT,

After 3 days of trying, here is the log FINALLY :thumbsup:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 2/16/05 11:06:16 AM 218112 C:\Program Files\HijackThis.exe

Checking %WinDir% folder...
PTech 8/13/05 4:34:46 PM 14807080 c:\windows\SYSTEM.DAT
aspack 9/4/04 1:26:14 PM 4226749 c:\windows\msbb_kyf.dat
PTech 9/4/04 1:26:14 PM 4226749 c:\windows\msbb_kyf.dat

Items found in c:\windows\hosts

UPX! 7/25/05 6:40:02 PM 67072 c:\windows\!update.exe
UPX! 2/16/05 11:06:16 AM 218112 c:\windows\HijackThis.exe
UPX! 6/13/05 12:27:18 PM 77824 c:\windows\ysb.dll
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
PECompact2 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
qoologic 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
SAHAgent 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
SAHAgent 8/7/05 3:05:48 AM 5259 c:\windows\HC52F0.TMP
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 8/4/05 2:54:10 PM 15552195 c:\windows\lpt$vpn.761
qoologic 8/4/05 2:54:10 PM 15552195 c:\windows\lpt$vpn.761
SAHAgent 8/4/05 2:54:10 PM 15552195 c:\windows\lpt$vpn.761
SAHAgent 8/7/05 1:42:54 AM 922 c:\windows\SPYWARE_REPORT.DAT
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
SAHAgent 8/7/05 3:05:46 AM 1639 c:\windows\VS_REPORT

Checking %System% folder...
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MXLTUS40.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\EDSET16.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MRJT3032.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\SXFTPUB.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\LBCMP10N.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\WLLP32T.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MVCUIA32.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\CJC.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\TYPI.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\DFNMPNTW.DLL
PTech 11/9/99 2:55:54 PM 88571 c:\windows\SYSTEM\MDACRDME.HTM
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\EWUTIX13.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\METCP.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\WZV8DMOE.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\RKOCURS.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MDOEACCT.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MNLOCUSR.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MUIMG32.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\GVDEF.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\SOLFREG.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\CLOOSUSR.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\ANCODC32.DLL
WinShutDown 6/28/96 7:00:00 AM 69120 c:\windows\SYSTEM\WPAUTO.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\SWFTPUB.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MDIOLE.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MQXML.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\GNDEF.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\AYMUI.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\ATCTRES.DLL
WinShutDown 6/28/96 7:00:00 AM 57856 c:\windows\SYSTEM\PFAUTO.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\JZEG1X32.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\WVNG.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\VQODCTL.DLL
UPX! 9/13/04 8:37:46 PM 344064 c:\windows\SYSTEM\in9bDs.dll
SAHAgent 9/13/04 8:37:46 PM 344064 c:\windows\SYSTEM\in9bDs.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\lypsd11n.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\AMD.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\ODESVR32.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\LDFAX80N.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\SVAPI32.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MFRD3X40.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\WCCTHUNK.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\WV2THK.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MTSDM.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MORPJT40.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\PKPWRENU.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\DGCOBJ.DLL
UPX! 9/27/04 4:55:36 PM 69632 c:\windows\SYSTEM\thinInstOIT61MegaV2s.dlltmp
aspack 9/27/04 4:55:36 PM 69632 c:\windows\SYSTEM\thinInstOIT61MegaV2s.dlltmp
UPX! 11/18/04 1:59:48 PM 245760 c:\windows\SYSTEM\RXBarsetupV2.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\CIM.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\ECIFLNX2.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\SGVSCALE.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MWPIU.DLL
FSG! 2/15/05 4:14:52 PM 398742 c:\windows\SYSTEM\ERCVQWk1.xml
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\wqpdxm.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\wqpns.dll
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\LIDIS11n.dll
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\MZJTER40.DLL
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\TXPI.DLL
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\SSAPI32.DLL
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\CHFG95.DLL
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\labmp60n.dll
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\RUAPH.DLL
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\MNSDM.DLL
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\BMSInj36.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\lqcal10N.dll
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\NWSWAN16.DLL
Umonitor 7/15/05 5:21:18 PM 405504 c:\windows\SYSTEM\WKT32RES.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\hjzjui04.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\mgisam11.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\lpwmf10N.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\Jzst500.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\ivwphbk.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\Toavel.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\MkFWUnst.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\mdc71.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\wbpns.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\imengine.dll
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\lgann10N.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\SYELLWP.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\LHIMG80N.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\CIT32.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\WTTRLOCL.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\wzpns.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\Uyderwater.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\AIENTCTL.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\wxvdmoe.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\Lgpng11n.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MUSHRUI.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\PGTORERC.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MXVCRT40.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\RU32RV10.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\DWOUND3D.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\LHROCOL.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\isetcfg.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\SBLWOA.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\eD001.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\EQICMY20.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\rlcltspx.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
8/13/05 4:42:10 PM 2211872 c:\windows\USER.DAT
8/13/05 4:34:46 PM 14807080 c:\windows\SYSTEM.DAT
7/30/05 2:56:08 AM 56624 c:\windows\ttfCache
8/13/05 4:31:44 PM 1004453 c:\windows\ShellIconCache
8/13/05 4:23:24 PM 1294 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\83Y1C3E9\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\KLM4GTII\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\1KUA23VW\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\8PENGDAB\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\H4N2R7XR\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\TDK28F1Z\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\IGD9N7F3\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\Y3KB2ZE5\desktop.ini
8/1/05 8:53:00 AM 6 c:\windows\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
8/6/05 10:31:38 AM 12268 C:\WINDOWS\Application Data\dw.log
1/24/04 10:36:28 AM 141272 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
4/8/04 9:58:12 PM 534 C:\WINDOWS\Application Data\QuickBooks Templates.lnk
9/13/04 9:43:56 PM 44 C:\WINDOWS\Application Data\tvmcwrd.dll

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83bD3F}
= shellwp.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YT.DLL
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = AIM Search : C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LexStart Lexstart.exe
RFX_auto_upgrade
SystemTray SysTray.Exe
HPDJ Taskbar Utility C:\WINDOWS\SYSTEM\hpztsb04.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
StorageGuard C:\Program Files\HP CD-Writer\VERITAS StorageGuard\SGTRAY.EXE
Adaptec DirectCD C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
HP CD-Writer C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
AVG7_CC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_AMSVR C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoCDBurning 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


Scan Complete
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/13/05 4:53:28 PM

#12 OldTimer

Malware Expert

Posted 13 August 2005 - 06:21 PM

Hi Jotodd. It looks like we hit the mother lode here. Let's see if we can't clean some of this up. Please print these directions and then proceed with the following steps in order.

Download the Pocket Killbox and unzip the contents of KillBox.zip to your desktop.
  • Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • c:\windows\msbb_kyf.dat
      c:\windows\!update.exe
      c:\windows\ysb.dll
      c:\windows\HC52F0.TMP
      c:\windows\SYSTEM\MXLTUS40.DLL
      c:\windows\SYSTEM\EDSET16.DLL
      c:\windows\SYSTEM\MRJT3032.DLL
      c:\windows\SYSTEM\SXFTPUB.DLL
      c:\windows\SYSTEM\LBCMP10N.DLL
      c:\windows\SYSTEM\WLLP32T.DLL
      c:\windows\SYSTEM\MVCUIA32.DLL
      c:\windows\SYSTEM\CJC.DLL
      c:\windows\SYSTEM\TYPI.DLL
      c:\windows\SYSTEM\EWUTIX13.DLL
      c:\windows\SYSTEM\METCP.DLL
      c:\windows\SYSTEM\WZV8DMOE.DLL
      c:\windows\SYSTEM\RKOCURS.DLL
      c:\windows\SYSTEM\MDOEACCT.DLL
      c:\windows\SYSTEM\MNLOCUSR.DLL
      c:\windows\SYSTEM\MUIMG32.DLL
      c:\windows\SYSTEM\GVDEF.DLL
      c:\windows\SYSTEM\SOLFREG.DLL
      c:\windows\SYSTEM\CLOOSUSR.DLL
      c:\windows\SYSTEM\ANCODC32.DLL
      c:\windows\SYSTEM\WPAUTO.DLL
      c:\windows\SYSTEM\SWFTPUB.DLL
      c:\windows\SYSTEM\MDIOLE.DLL
      c:\windows\SYSTEM\MQXML.DLL
      c:\windows\SYSTEM\GNDEF.DLL
      c:\windows\SYSTEM\AYMUI.DLL
      c:\windows\SYSTEM\ATCTRES.DLL
      c:\windows\SYSTEM\PFAUTO.DLL
      c:\windows\SYSTEM\JZEG1X32.DLL
      c:\windows\SYSTEM\WVNG.DLL
      c:\windows\SYSTEM\VQODCTL.DLL
      c:\windows\SYSTEM\in9bDs.dll
      c:\windows\SYSTEM\lypsd11n.dll
      c:\windows\SYSTEM\AMD.DLL
      c:\windows\SYSTEM\ODESVR32.DLL
      c:\windows\SYSTEM\LDFAX80N.DLL
      c:\windows\SYSTEM\SVAPI32.DLL
      c:\windows\SYSTEM\MFRD3X40.DLL
      c:\windows\SYSTEM\WCCTHUNK.DLL
      c:\windows\SYSTEM\WV2THK.DLL
      c:\windows\SYSTEM\MTSDM.DLL
      c:\windows\SYSTEM\MORPJT40.DLL
      c:\windows\SYSTEM\PKPWRENU.DLL
      c:\windows\SYSTEM\DGCOBJ.DLL
      c:\windows\SYSTEM\thinInstOIT61MegaV2s.dlltmp
      c:\windows\SYSTEM\RXBarsetupV2.dll
      c:\windows\SYSTEM\CIM.DLL
      c:\windows\SYSTEM\ECIFLNX2.DLL
      c:\windows\SYSTEM\SGVSCALE.DLL
      c:\windows\SYSTEM\MWPIU.DLL
      c:\windows\SYSTEM\ERCVQWk1.xml
      c:\windows\SYSTEM\wqpdxm.dll
      c:\windows\SYSTEM\wqpns.dll
      c:\windows\SYSTEM\LIDIS11n.dll
      c:\windows\SYSTEM\MZJTER40.DLL
      c:\windows\SYSTEM\TXPI.DLL
      c:\windows\SYSTEM\SSAPI32.DLL
      c:\windows\SYSTEM\CHFG95.DLL
      c:\windows\SYSTEM\labmp60n.dll
      c:\windows\SYSTEM\RUAPH.DLL
      c:\windows\SYSTEM\MNSDM.DLL
      c:\windows\SYSTEM\BMSInj36.dll
      c:\windows\SYSTEM\lqcal10N.dll
      c:\windows\SYSTEM\NWSWAN16.DLL
      c:\windows\SYSTEM\WKT32RES.DLL
      c:\windows\SYSTEM\hjzjui04.dll
      c:\windows\SYSTEM\mgisam11.dll
      c:\windows\SYSTEM\lpwmf10N.dll
      c:\windows\SYSTEM\Jzst500.dll
      c:\windows\SYSTEM\ivwphbk.dll
      c:\windows\SYSTEM\Toavel.dll
      c:\windows\SYSTEM\MkFWUnst.dll
      c:\windows\SYSTEM\mdc71.dll
      c:\windows\SYSTEM\wbpns.dll
      c:\windows\SYSTEM\imengine.dll
      c:\windows\SYSTEM\lgann10N.dll
      c:\windows\SYSTEM\SYELLWP.DLL
      c:\windows\SYSTEM\LHIMG80N.DLL
      c:\windows\SYSTEM\CIT32.DLL
      c:\windows\SYSTEM\WTTRLOCL.DLL
      c:\windows\SYSTEM\wzpns.dll
      c:\windows\SYSTEM\Uyderwater.dll
      c:\windows\SYSTEM\AIENTCTL.DLL
      c:\windows\SYSTEM\wxvdmoe.dll
      c:\windows\SYSTEM\Lgpng11n.dll
      c:\windows\SYSTEM\MUSHRUI.DLL
      c:\windows\SYSTEM\PGTORERC.DLL
      c:\windows\SYSTEM\MXVCRT40.DLL
      c:\windows\SYSTEM\RU32RV10.DLL
      c:\windows\SYSTEM\DWOUND3D.DLL
      c:\windows\SYSTEM\LHROCOL.DLL
      c:\windows\SYSTEM\isetcfg.dll
      c:\windows\SYSTEM\SBLWOA.DLL
      c:\windows\SYSTEM\eD001.dll
      c:\windows\SYSTEM\EQICMY20.DLL
      c:\windows\SYSTEM\rlcltspx.dll
      C:\WINDOWS\Application Data\tvmcwrd.dll
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
  • Reboot and post a new HijackThis log along with a new WinPFind log
I will review the new information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
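
Most of the file list above is every DLL in %System% that WinPFind tagged Umonitor with the same size (405504 bytes) and one of a handful of identical timestamps, which is the footprint of a dropper writing one payload under many random names. As an added example that is not part of this thread and not WinPFind's or Killbox's own code, here is a small Python parser that reads WinPFind-style lines and pulls out such same-size, same-timestamp clusters so they can be reviewed before being pasted into Killbox; the sample log lines are constructed from the log above, and the cluster threshold of three is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# A WinPFind file line looks like:
#   <packer/string tag> <m/d/yy> <h:mm:ss AM|PM> <size in bytes> <path>
# Section headers ("Checking %System% folder...") and blank lines do not match.
LINE_RE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+(?P<size>\d+)\s+(?P<path>.+)$"
)

# Constructed sample: a few lines copied from the WinPFind log in this thread.
SAMPLE_LOG = r"""
Checking %WinDir% folder...
PTech 8/13/05 4:34:46 PM 14807080 c:\windows\SYSTEM.DAT
UPX! 2/16/05 11:06:16 AM 218112 c:\windows\HijackThis.exe
PECompact2 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
qoologic 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
PECompact2 8/4/05 2:54:10 PM 15552195 c:\windows\lpt$vpn.761

Checking %System% folder...
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MXLTUS40.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\EDSET16.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MRJT3032.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\SXFTPUB.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\LBCMP10N.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\WLLP32T.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\CJC.DLL
WinShutDown 6/28/96 7:00:00 AM 69120 c:\windows\SYSTEM\WPAUTO.DLL
"""


@dataclass(frozen=True)
class Entry:
    tag: str    # packer / string signature WinPFind matched (UPX!, Umonitor, ...)
    stamp: str  # "m/d/yy h:mm:ss AM" exactly as printed, kept as text
    size: int
    path: str


def parse_winpfind(text):
    """Return one Entry per file line; a path hit by several signatures yields
    several entries (VPTNFILE.761 appears under more than one tag above)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["tag"], f"{m['date']} {m['time']}",
                                 int(m["size"]), m["path"]))
    return entries


def find_clones(entries, min_cluster=3):
    """Group distinct paths by (size, timestamp).  A dropper that writes the
    same payload under many random names leaves files of identical size with
    an identical second-resolution timestamp.  min_cluster=3 is an assumed
    threshold: a single file listed under two names (the two .761 pattern
    files above) is normal for legitimate software and is not flagged."""
    groups = defaultdict(set)
    for e in entries:
        groups[(e.size, e.stamp)].add(e.path)
    return {key: sorted(paths, key=str.lower)
            for key, paths in groups.items() if len(paths) >= min_cluster}


def killbox_list(entries, min_cluster=3):
    """Flatten the clusters into one path per line, the form pasted into
    Killbox's 'Full Path of File to Delete' field, for an expert to review."""
    flagged = set()
    for paths in find_clones(entries, min_cluster).values():
        flagged.update(paths)
    return sorted(flagged, key=str.lower)


if __name__ == "__main__":
    found = parse_winpfind(SAMPLE_LOG)
    for (size, stamp), paths in find_clones(found).items():
        print(f"{len(paths)} files of {size} bytes stamped {stamp}")
    print("\n".join(killbox_list(found)))
```

The output is a candidate list only; the pattern is a strong hint, not proof, and the two same-size .761 files show why the threshold matters.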


#13 Jotodd

Posted 15 August 2005 - 06:23 PM

Hi OT,

Here it is. There were a couple of new things on my computer that I deleted - related page and winfixer. Got rid of it. Here is the updated log... searc-h.com is still doing pop ups - this sucks lol.

Logfile of HijackThis v1.99.1
Scan saved at 7:26:26 PM, on 8/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YT.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] C:\Program Files\HP CD-Writer\VERITAS StorageGuard\SGTRAY.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...351/mcfscan.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.0.46/popf...u-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.3.0.46/swee...h-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.1.3.28/mlsl...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.2.51/whac...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.66/word...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game5.pogo.com/applet-6.1.3.21/domi...o-ob-assets.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb06.pogo.com/game/deluxe/insa...aploader_v6.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.2.51/vide...k-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.5.28/word...p-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/back...n-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.1.4.22/flin...r-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/wate...l-ob-assets.cab
O16 - DPF: Animal Ark by pogo - http://playweb03.pogo.com/applet-6.0.4.37/...l-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.com/applet-6.1.2.25/chec...s-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.31/popp...t-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.0.53/jumb...e-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/vid...r-ob-assets.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.com/applet-6.2.5.28/hear...s-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.3.0.46/supe...o-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.4.37/ccta...k-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.1.3.21/jigs...w-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-6.1.1.21/slot...i-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.5.28/pino...e-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.1.1.29/worl...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.28/spid...r-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.2.2.51/mahj...g-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/sque...s-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.1.3.21/turb...1-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/free...l-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.5.28/lott...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/pool...l-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/popp...2-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/draw...r-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/harv...t-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/ches...2-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.3.0.46/blac...k-ob-assets.cab
O16 - DPF: Vert Skater by pogo - http://game1.pogo.com/applet-6.2.0.30/vert...r-ob-assets.cab
O16 - DPF: Quick Shot by pogo - http://game1.pogo.com/applet-6.2.0.30/quic...t-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.37/slot...z-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/cana...a-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/peak...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paig...w-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spad...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.41/chec...g-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.3.0.53/slot...a-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.5.28/aces...s-ob-assets.cab
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.5.28/omah...a-ob-assets.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.3.0.46/keno...o-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/crib...e-ob-assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.2.4.23/euch...e-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.46/popp...a-ob-assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab

#14 OldTimer

Malware Expert

Posted 15 August 2005 - 08:01 PM

Hi Jotodd. I need a new WinPFind log too.

Thanks.

OT

#15 Jotodd

Posted 15 August 2005 - 09:33 PM

Sorry OT,

Here it is...

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 2/16/05 11:06:16 AM 218112 C:\Program Files\HijackThis.exe

Checking %WinDir% folder...
PTech 8/15/05 10:07:00 PM 14815272 c:\windows\SYSTEM.DAT
SAHAgent 8/15/05 10:07:00 PM 14815272 c:\windows\SYSTEM.DAT

Items found in c:\windows\hosts

SAHAgent 6/9/05 5:36:16 AM 576 c:\windows\setup4021.ini
SAHAgent 6/6/05 7:28:24 AM 39936 c:\windows\update.exe
UPX! 8/14/05 6:57:34 PM 65024 c:\windows\thin-143-1-x-x.exe
aspack 8/14/05 6:57:52 PM 38912 c:\windows\bundle_mediamotor1004.exe
SAHAgent 6/14/05 11:34:14 AM 203264 c:\windows\atrc8parb_.exe
SAHAgent 6/8/05 6:16:02 AM 50176 c:\windows\umqltg4cl_.exe
SAHAgent 5/11/05 11:33:50 AM 30720 c:\windows\hqrhil7kg_.exe
SAHAgent 3/21/05 7:37:20 AM 36 c:\windows\umqltg4cl_.ini
SAHAgent 3/21/05 7:28:12 AM 36 c:\windows\hqrhil7kg_.ini
UPX! 2/16/05 11:06:16 AM 218112 c:\windows\HijackThis.exe
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
PECompact2 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
qoologic 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
SAHAgent 8/4/05 2:54:10 PM 15552195 c:\windows\VPTNFILE.761
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 8/4/05 2:54:10 PM 15552195 c:\windows\lpt$vpn.761
qoologic 8/4/05 2:54:10 PM 15552195 c:\windows\lpt$vpn.761
SAHAgent 8/4/05 2:54:10 PM 15552195 c:\windows\lpt$vpn.761
SAHAgent 8/7/05 1:42:54 AM 922 c:\windows\SPYWARE_REPORT.DAT
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
SAHAgent 8/7/05 3:05:46 AM 1639 c:\windows\VS_REPORT

Checking %System% folder...
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MARATELC.DLL
Umonitor 6/20/05 3:51:54 PM 405504 c:\windows\SYSTEM\DFNMPNTW.DLL
PTech 11/9/99 2:55:54 PM 88571 c:\windows\SYSTEM\MDACRDME.HTM
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\wbspdmoe.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\MACAT32.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\PENMAP.DLL
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\lmimg11n.dll
Umonitor 7/22/05 7:29:56 AM 405504 c:\windows\SYSTEM\oke2.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
8/15/05 10:06:58 PM 2211872 c:\windows\USER.DAT
8/15/05 10:07:00 PM 14815272 c:\windows\SYSTEM.DAT
7/30/05 2:56:08 AM 56624 c:\windows\ttfCache
8/15/05 8:40:42 PM 54156 c:\windows\QTFont.qfn
8/15/05 9:30:14 PM 739515 c:\windows\ShellIconCache
8/15/05 8:38:54 PM 1294 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\83Y1C3E9\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\KLM4GTII\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\1KUA23VW\desktop.ini
7/8/05 7:00:54 PM 67 c:\windows\Temporary Internet Files\Content.IE5\8PENGDAB\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\H4N2R7XR\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\TDK28F1Z\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\IGD9N7F3\desktop.ini
7/25/05 9:31:28 AM 67 c:\windows\Temporary Internet Files\Content.IE5\Y3KB2ZE5\desktop.ini
8/1/05 8:53:00 AM 6 c:\windows\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
8/15/05 9:22:06 PM 12621 C:\WINDOWS\Application Data\dw.log
1/24/04 10:36:28 AM 141272 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
4/8/04 9:58:12 PM 534 C:\WINDOWS\Application Data\QuickBooks Templates.lnk

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83bD3F}
= shellwp.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRAM FILES\AIM\AIM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN4\YT.DLL
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = AIM Search : C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} = Related Page : C:\WINDOWS\SYSTEM\WINNB57.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LexStart Lexstart.exe
RFX_auto_upgrade
SystemTray SysTray.Exe
HPDJ Taskbar Utility C:\WINDOWS\SYSTEM\hpztsb04.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
StorageGuard C:\Program Files\HP CD-Writer\VERITAS StorageGuard\SGTRAY.EXE
Adaptec DirectCD C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
HP CD-Writer C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
AVG7_CC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_AMSVR C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
vidctrl C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoCDBurning 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


Scan Complete
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/15/05 10:23:04 PM



