HJT Back Check



#1 LonMon

Posted 06 August 2005 - 11:29 PM

Helping a friend's daughter with a system that has been on the net, in the wild FOR THREE YEARS! So you can just imagine why it finally, basically wouldn't run.

What I have done so far:

Stopped restore, set view files, ran the latest CWShredder, AdAware, SpyBot, Trend Micro (both), ETRemove.exe (which worked well on Nails.exe), Symantec Anti Virus (which I loaded as soon as I could), did add/delete S/W, loaded MS Updates, dumped all temp files - and recycle bin, cleared the prefetch, and deleted a fair number of associated files. All that said, I have one IE popup that still springs out occasionally and I can't figure out what I am missing.

Bottom Line: I have these entries that I am at a loss to find out how to make them stop and I can't find research on them. They don't show up ANYWHERE when I search but are in HJT. They are:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\upkzuk.exe reg_run
O4 - HKCU\..\Run: [cnxv6m] C:\WINDOWS\System32\cnxv6m.exe

I also am curious about these three - are they a threat? There seems to be a variety of opinions:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

Anyway here is the entire log. Thanks in advance for the review of my ten hours of effort!!

==========================================

Logfile of HijackThis v1.99.1
Scan saved at 11:44:11 PM, on 08/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rika.exe
C:\Tech Tools\HJT Ver 1-9-1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\upkzuk.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [cnxv6m] C:\WINDOWS\System32\cnxv6m.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1123311414441
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1123311548834
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


Thanks Again. LonMon
Technology is fundamentally worthless if you don't understand the problem you are trying to solve.


#2 OldTimer

Posted 07 August 2005 - 09:14 AM

Hello LonMon and welcome to the BC malware forum. It appears that we have an infection called Qoologic here. There are usually more files involved than appear in a HijackThis log, so I would like to run a couple of different scanners to find the rest of them.

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Thanks.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 LonMon

Posted 07 August 2005 - 11:09 AM

Thanks for the quick reply!! Have posts below:

Here is the Track qoo report:

=======================

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
"IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"msresearch"="C:\\WINDOWS\\msresearch.exe"
"KavSvc"="C:\\WINDOWS\\System32\\upkzuk.exe reg_run"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- mxnymngf
{9938a6af-ff80-41ea-8fae-5f1547c31e62}
C:\WINDOWS\System32\oukmo.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\Program Files\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

America Online 7.0 Tray Icon.lnk
DESKTOP.INI
rika.exe
==============================
C:\Documents and Settings\Kate Oliver\Start Menu\Programs\Startup

America Online 7.0 Tray Icon.lnk
DESKTOP.INI
rika.exe
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


ACCESS.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
HDWWIZ.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NCPA.CPL Microsoft Corporation
NUSRMGR.CPL Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
redit.cpl
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

====================================


And here is the WinPfind report:

====================================

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 05/23/2005 8:56:26 PM 597716 C:\WINDOWS\del.tmp
web-nex 08/06/2005 12:13:10 AM 1886 C:\WINDOWS\IE4 Error Log.txt
PECompact2 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\LPT$VPN.761
qoologic 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\LPT$VPN.761
SAHAgent 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\LPT$VPN.761
web-nex 08/07/2005 12:01:06 AM 4260 C:\WINDOWS\mzonm.dll
UPX! 05/03/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 08/05/2005 7:48:48 PM 82432 C:\WINDOWS\ru.exe
UPX! 08/06/2005 12:09:24 AM 65024 C:\WINDOWS\thin-114-1-x-x.exe
UPX! 01/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\VPTNFILE.761
qoologic 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\VPTNFILE.761
SAHAgent 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\VPTNFILE.761
UPX! 02/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 02/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
PEC2 05/14/2005 12:29:50 AM 328145 C:\WINDOWS\wf70ld.sys
PECompact2 05/14/2005 12:29:50 AM 328145 C:\WINDOWS\wf70ld.sys

Checking %System% folder...
SAHAgent 05/25/2005 10:08:52 PM 35 C:\WINDOWS\SYSTEM32\00ommott.ini
SAHAgent 08/04/2005 10:17:16 PM 3502 C:\WINDOWS\SYSTEM32\1hni8573.ini
PEC2 05/14/2005 12:29:50 AM 310936 C:\WINDOWS\SYSTEM32\6htfoi.exe
PECompact2 05/14/2005 12:29:50 AM 310936 C:\WINDOWS\SYSTEM32\6htfoi.exe
PEC2 08/17/2001 6:00:00 PM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
aspack 06/29/2005 10:03:30 PM 7168 C:\WINDOWS\SYSTEM32\dmnadnc.exe
SAHAgent 05/25/2005 10:08:52 PM 35 C:\WINDOWS\SYSTEM32\g4g60d76.ini
Umonitor 08/04/2005 10:17:18 PM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown 08/04/2005 10:17:18 PM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
Umonitor 06/29/2005 9:37:38 PM 417792 C:\WINDOWS\SYSTEM32\IQPUT.DLL
WinShutDown 06/29/2005 9:37:38 PM 417792 C:\WINDOWS\SYSTEM32\IQPUT.DLL
UPX! 08/04/2005 10:07:34 PM 66048 C:\WINDOWS\SYSTEM32\lftecl.exe
UPX! 08/05/2005 9:24:56 PM 67072 C:\WINDOWS\SYSTEM32\lon mod cnxv6m.exe
UPX! 06/29/2005 10:03:30 PM 23040 C:\WINDOWS\SYSTEM32\orixoip.dll
KavSvc 06/29/2005 10:03:30 PM 23040 C:\WINDOWS\SYSTEM32\orixoip.dll
testpopup 06/29/2005 10:03:30 PM 23040 C:\WINDOWS\SYSTEM32\orixoip.dll
web-nex 06/29/2005 10:03:30 PM 23040 C:\WINDOWS\SYSTEM32\orixoip.dll
yourkey 06/29/2005 10:03:30 PM 23040 C:\WINDOWS\SYSTEM32\orixoip.dll
KavSvc 06/29/2005 10:03:30 PM 17920 C:\WINDOWS\SYSTEM32\oukmo.dll
69.59.186.63 06/29/2005 10:03:30 PM 17920 C:\WINDOWS\SYSTEM32\oukmo.dll
209.66.67.134 06/29/2005 10:03:30 PM 17920 C:\WINDOWS\SYSTEM32\oukmo.dll
web-nex 06/29/2005 10:03:30 PM 17920 C:\WINDOWS\SYSTEM32\oukmo.dll
yourkey 06/29/2005 10:03:30 PM 17920 C:\WINDOWS\SYSTEM32\oukmo.dll
Umonitor 08/17/2001 6:00:00 PM 630784 C:\WINDOWS\SYSTEM32\RASDLG.DLL
aspack 06/02/2005 5:08:08 PM 25088 C:\WINDOWS\SYSTEM32\redit.cpl
Umonitor 06/25/2005 8:34:24 PM 417792 C:\WINDOWS\SYSTEM32\RKGWIZC.DLL
WinShutDown 06/25/2005 8:34:24 PM 417792 C:\WINDOWS\SYSTEM32\RKGWIZC.DLL
Umonitor 07/04/2005 12:58:24 PM 417792 C:\WINDOWS\SYSTEM32\SKCUR32.DLL
WinShutDown 07/04/2005 12:58:24 PM 417792 C:\WINDOWS\SYSTEM32\SKCUR32.DLL
UPX! 06/02/2005 5:08:08 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
KavSvc 06/02/2005 5:08:08 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
yourkey 06/02/2005 5:08:08 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
UPX! 06/02/2005 5:08:20 PM 65536 C:\WINDOWS\SYSTEM32\upkzuk.exe
KavSvc 06/02/2005 5:08:20 PM 65536 C:\WINDOWS\SYSTEM32\upkzuk.exe
web-nex 06/02/2005 5:08:20 PM 65536 C:\WINDOWS\SYSTEM32\upkzuk.exe
yourkey 06/02/2005 5:08:20 PM 65536 C:\WINDOWS\SYSTEM32\upkzuk.exe
Umonitor 06/25/2005 8:35:24 PM 417792 C:\WINDOWS\SYSTEM32\VJAME.DLL
WinShutDown 06/25/2005 8:35:24 PM 417792 C:\WINDOWS\SYSTEM32\VJAME.DLL
Umonitor 08/04/2005 10:19:20 PM 417792 C:\WINDOWS\SYSTEM32\VQA256.DLL
WinShutDown 08/04/2005 10:19:20 PM 417792 C:\WINDOWS\SYSTEM32\VQA256.DLL
winsync 08/17/2001 6:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
PEC2 05/14/2005 12:29:50 AM 203457 C:\WINDOWS\SYSTEM32\wf70ld.sys
PECompact2 05/14/2005 12:29:50 AM 203457 C:\WINDOWS\SYSTEM32\wf70ld.sys
UPX! 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat
KavSvc 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat
web-nex 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat
yourkey 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
07/04/2005 1:03:48 PM 54156 C:\WINDOWS\QTFont.qfn
08/05/2005 7:48:48 PM 82432 C:\WINDOWS\ru.exe
08/06/2005 2:59:36 AM 0 C:\WINDOWS\INF\oem13.inf
07/21/2005 9:57:20 AM 401408 C:\WINDOWS\SYSTEM32\?ti2evxx.exe
08/07/2005 11:32:00 AM 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
08/07/2005 11:32:24 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
08/07/2005 11:32:10 AM 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
08/07/2005 11:33:20 AM 106496 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
08/07/2005 11:32:12 AM 925696 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
08/04/2005 10:18:10 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\7d10d5eb-9c0b-425f-b169-71a2f6426789
08/04/2005 10:18:10 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
08/06/2005 2:59:48 AM 13695 C:\WINDOWS\SYSTEM32\Restore\FILELIST.XML
08/07/2005 11:31:06 AM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08/21/2002 6:42:00 AM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
UPX! 08/06/2005 7:27:22 PM 65536 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rika.exe
KavSvc 08/06/2005 7:27:22 PM 65536 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rika.exe
web-nex 08/06/2005 7:27:22 PM 65536 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rika.exe
yourkey 08/06/2005 7:27:22 PM 65536 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rika.exe
08/06/2005 7:27:22 PM 65536 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rika.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
03/30/2003 4:22:34 PM 56952 C:\Documents and Settings\Kate Oliver\Application Data\GDIPFONTCACHEV1.DAT
08/06/2005 12:11:54 AM 410559 C:\Documents and Settings\Kate Oliver\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnymngf
{9938a6af-ff80-41ea-8fae-5f1547c31e62} = C:\WINDOWS\System32\oukmo.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
IPInSightLAN 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
msresearch C:\WINDOWS\msresearch.exe
KavSvc C:\WINDOWS\System32\upkzuk.exe reg_run
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
cnxv6m C:\WINDOWS\System32\cnxv6m.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
fakb C:\WINDOWS\System32\fakb.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
cnxv6m C:\WINDOWS\System32\cnxv6m.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 08/07/2005 11:41:06 AM


================================

Standing by... And hoping the space shuttle has as much success as we will have!

Thanks for the help OldTimer

LonMon
Technology is fundamentally worthless if you don't understand the problem you are trying to solve.

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:02:03 PM

Posted 07 August 2005 - 08:35 PM

Hi LonMon. It looks like we have a couple of different infections going on in here. Let's start with this.

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #4 for Merge Winlogon Notify Defaults by typing 4 and then pressing the Enter key.
  • Now select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the following logs back here (you might need to use 2 posts):
  • The log from L2mFix
  • A new HijackThis log
  • A new TrackQoo log
  • A new WinPFind log

I will review the information when it comes in.

OT

Edited by OldTimer, 07 August 2005 - 08:36 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
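Option #4 above exists because the Look2Me family that L2mFix targets registers its DLLs as Winlogon Notify packages, so the Notify key export that L2mFix prints afterwards is the thing to read closely. The added Python example below is not part of L2mFix or this thread; it parses that export format, decodes the `hex(2)` (REG_EXPAND_SZ, UTF-16LE) `DllName` values into readable names, and reports any Notify subkey whose DLL is not in a constructed allowlist of the stock Windows XP notify DLLs. The allowlist and the sample export (two real-looking entries plus a constructed rogue `rkgwizc` subkey) are assumptions for the demonstration.

```python
"""Decode and triage a REGEDIT export of HKLM\\...\\Winlogon\\Notify.

Added example (not an L2Mfix or BleepingComputer tool): parses the export that
L2Mfix prints, decodes hex(2) DllName values, and flags unknown notify DLLs.
"""
import re

# Assumption: notify DLLs present on a stock Windows XP install (the set seen
# in the export posted in this thread). Anything else deserves a closer look.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "wzcdlg.dll",
}

SUBKEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]", re.I)
DLLNAME_RE = re.compile(r'"DllName"=(.*)', re.I)


def decode_hex_value(payload: str) -> str:
    """Decode a REGEDIT hex(2) byte list ("63,00,72,00,...,00,00"), which may be
    split over several lines with trailing backslashes, into a string."""
    digits = re.sub(r"[\\\s]", "", payload)          # drop continuations and whitespace
    raw = bytes(int(b, 16) for b in digits.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")     # REG_EXPAND_SZ is UTF-16LE, NUL-terminated


def parse_notify_export(text: str) -> dict:
    """Return {subkey_name: dll_path_or_None} for every Notify subkey in the export."""
    entries, current, pending = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if pending is not None:                        # continuation of a multi-line hex value
            pending += line
            if not line.endswith("\\"):
                entries[current] = decode_hex_value(pending)
                pending = None
            continue
        m = SUBKEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, None)          # None until a DllName is seen
            continue
        m = DLLNAME_RE.match(line)
        if m and current is not None:
            value = m.group(1)
            if value.lower().startswith("hex"):        # hex(2):... or hex:...
                payload = value.split(":", 1)[1]
                if payload.endswith("\\"):
                    pending = payload
                else:
                    entries[current] = decode_hex_value(payload)
            else:                                      # plain "string"; REGEDIT doubles backslashes
                entries[current] = value.strip('"').replace("\\\\", "\\")
    return entries


def suspicious_notify_entries(text: str) -> list:
    """Names of Notify subkeys whose DLL is missing or not a known default."""
    return sorted(
        name for name, dll in parse_notify_export(text).items()
        if dll is None or dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS
    )


# Constructed sample: two stock entries in the two value styles the export uses,
# plus a made-up rogue subkey of the kind L2Mfix removes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rkgwizc]
"DllName"="C:\\WINDOWS\\system32\\RKGWIZC.DLL"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000000
'''

if __name__ == "__main__":
    for name, dll in parse_notify_export(SAMPLE_EXPORT).items():
        print(f"{name:14} -> {dll}")
    print("review:", suspicious_notify_entries(SAMPLE_EXPORT))
```

Paste a real export in place of `SAMPLE_EXPORT` (or read it from the L2mFix log) and compare the flagged names against the backups in the `backregs` folder before deciding anything; a legitimate third-party notify package (for example a VPN or smart-card client) will also be flagged by an allowlist this small.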


#5 LonMon

LonMon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Location:Connecticut
  • Local time:01:03 PM

Posted 07 August 2005 - 10:36 PM

OT -

We are on a journey here I am thinking, aren't we? You are taking me places I have never been, with tools that are quite cool and which are unfamiliar. Great instructions though! Will do L2mFix and HJT in this post and TrackQoo and WinPFind in the next.

OK - The log from L2mFix:

============================



L2Mfix 1.03a

Running From:
C:\Documents and Settings\Kate Oliver\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Kate Oliver\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Kate Oliver\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2032 'explorer.exe'
Killing PID 2032 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\IQPUT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IQPUT.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RKGWIZC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\RKGWIZC.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SKCUR32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SKCUR32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VJAME.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VJAME.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VQA256.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VQA256.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\IQPUT.DLL
Successfully Deleted: C:\WINDOWS\system32\IQPUT.DLL
deleting: C:\WINDOWS\system32\IQPUT.DLL
Successfully Deleted: C:\WINDOWS\system32\IQPUT.DLL
deleting: C:\WINDOWS\system32\RKGWIZC.DLL
Successfully Deleted: C:\WINDOWS\system32\RKGWIZC.DLL
deleting: C:\WINDOWS\system32\RKGWIZC.DLL
Successfully Deleted: C:\WINDOWS\system32\RKGWIZC.DLL
deleting: C:\WINDOWS\system32\SKCUR32.DLL
Successfully Deleted: C:\WINDOWS\system32\SKCUR32.DLL
deleting: C:\WINDOWS\system32\SKCUR32.DLL
Successfully Deleted: C:\WINDOWS\system32\SKCUR32.DLL
deleting: C:\WINDOWS\system32\VJAME.DLL
Successfully Deleted: C:\WINDOWS\system32\VJAME.DLL
deleting: C:\WINDOWS\system32\VJAME.DLL
Successfully Deleted: C:\WINDOWS\system32\VJAME.DLL
deleting: C:\WINDOWS\system32\VQA256.DLL
Successfully Deleted: C:\WINDOWS\system32\VQA256.DLL
deleting: C:\WINDOWS\system32\VQA256.DLL
Successfully Deleted: C:\WINDOWS\system32\VQA256.DLL
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: IQPUT.DLL (140 bytes security) (deflated 48%)
adding: RKGWIZC.DLL (140 bytes security) (deflated 48%)
adding: SKCUR32.DLL (140 bytes security) (deflated 48%)
adding: VJAME.DLL (140 bytes security) (deflated 48%)
adding: VQA256.DLL (140 bytes security) (deflated 48%)
adding: guard.tmp (140 bytes security) (deflated 48%)
adding: clear.reg (140 bytes security) (deflated 2%)
adding: echo.reg (140 bytes security) (deflated 9%)
adding: DESKTOP.INI (140 bytes security) (stored 0%)
adding: direct.txt (140 bytes security) (stored 0%)
adding: lo2.txt (140 bytes security) (deflated 81%)
adding: readme.txt (140 bytes security) (deflated 49%)
adding: test.txt (140 bytes security) (deflated 83%)
adding: test2.txt (140 bytes security) (stored 0%)
adding: test3.txt (140 bytes security) (stored 0%)
adding: test5.txt (140 bytes security) (stored 0%)
adding: xfind.txt (140 bytes security) (deflated 79%)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)
adding: backregs/shell.reg (140 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: IQPUT.DLL
deleting local copy: IQPUT.DLL
deleting local copy: RKGWIZC.DLL
deleting local copy: RKGWIZC.DLL
deleting local copy: SKCUR32.DLL
deleting local copy: SKCUR32.DLL
deleting local copy: VJAME.DLL
deleting local copy: VJAME.DLL
deleting local copy: VQA256.DLL
deleting local copy: VQA256.DLL
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\IQPUT.DLL
C:\WINDOWS\system32\IQPUT.DLL
C:\WINDOWS\system32\RKGWIZC.DLL
C:\WINDOWS\system32\RKGWIZC.DLL
C:\WINDOWS\system32\SKCUR32.DLL
C:\WINDOWS\system32\SKCUR32.DLL
C:\WINDOWS\system32\VJAME.DLL
C:\WINDOWS\system32\VJAME.DLL
C:\WINDOWS\system32\VQA256.DLL
C:\WINDOWS\system32\VQA256.DLL
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************



================================

And the HJT log:

================================

Logfile of HijackThis v1.99.1
Scan saved at 11:18:56 PM, on 08/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\upkzuk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Tech Tools\HJT Ver 1-9-1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\upkzuk.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [cnxv6m] C:\WINDOWS\System32\cnxv6m.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123311414441
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123311548834
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

===============================

And now on to the next post!

Lon

Edited by LonMon, 07 August 2005 - 10:50 PM.

Technology is fundamentally worthless if you don't understand the problem you are trying to solve.
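The two entries that started this thread (`upkzuk.exe` run as `KavSvc`, and `cnxv6m.exe`) share a pattern the helpers spot by eye: a randomly named executable sitting directly in `C:\WINDOWS` or `C:\WINDOWS\System32`, where a stock install has almost no autostarts. The added Python example below is not a HijackThis feature and not from anyone in this thread; it applies that rule to the O4 lines of a HijackThis log, and separately flags O16 DPF entries whose source is a local or MHTML protocol handler rather than an http(s) download, like the `ms-its:mhtml:` line in the log above. The `KNOWN_SYSTEM_AUTOSTARTS` allowlist (just `ctfmon.exe`) is an assumption, and the sample lines are constructed from the ones LonMon posted.

```python
"""Triage O4 (autostart) and O16 (ActiveX download) lines from a HijackThis log.

Added example, not part of HijackThis: flags Run entries whose executable lives
directly in %WinDir% or %WinDir%\\System32, and O16 entries whose source is a
local/MHTML handler instead of an http(s) URL.
"""
import re

# Assumption: the one stock Windows XP autostart that legitimately runs from System32.
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe"}

O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.I)
WINDIR_RE = re.compile(r"[A-Z]:\\(WINDOWS|WINNT)(\\SYSTEM32)?", re.I)


def extract_exe(command: str):
    """Pull the executable path out of a Run value, quoted or not, dropping arguments."""
    m = EXE_RE.match(command)
    return m.group(1) if m else None


def split_path(path: str):
    """Split a Windows path into (folder, image name)."""
    head, _, base = path.rpartition("\\")
    return head, base


def triage_hjt(log: str) -> list:
    """Return (section, name, reason) tuples for lines that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            exe = extract_exe(command)
            if exe is None:
                continue
            folder, image = split_path(exe)
            # Subfolders such as System32\spool\drivers\... are deliberately not matched.
            if WINDIR_RE.fullmatch(folder) and image.lower() not in KNOWN_SYSTEM_AUTOSTARTS:
                findings.append(("O4", name, f"runs {image} straight from {folder}"))
            continue
        m = O16_RE.match(line)
        if m:
            clsid, _desc, source = m.groups()
            if re.search(r"\b(ms-its|mhtml|file):", source, re.I):
                findings.append(("O16", clsid, "ActiveX source is a local/MHTML handler, not http(s)"))
    return findings


# Constructed sample: a mix of the benign and suspect lines from the log in this thread.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\upkzuk.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cnxv6m] C:\WINDOWS\System32\cnxv6m.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123311414441
"""

if __name__ == "__main__":
    for section, name, reason in triage_hjt(SAMPLE_HJT):
        print(f"{section:4} {name:45} {reason}")
```

The folder rule is a heuristic for prioritising what to research, not a verdict: OEM utilities occasionally install into `C:\WINDOWS`, and a dropper can just as easily hide under `Program Files`. It is useful precisely because it reproduces the first question a helper asks of an unfamiliar O4 line (where does the file live, and does that make sense for what it claims to be).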

#6 LonMon

LonMon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Location:Connecticut
  • Local time:01:03 PM

Posted 07 August 2005 - 10:41 PM

OT -

Another post with TrackQoo and WinPFind.

==============================

TrackQoo Log:

==============================

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
"IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"msresearch"="C:\\WINDOWS\\msresearch.exe"
"KavSvc"="C:\\WINDOWS\\System32\\upkzuk.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- mxnymngf
{9938a6af-ff80-41ea-8fae-5f1547c31e62}
C:\WINDOWS\System32\oukmo.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\Program Files\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

America Online 7.0 Tray Icon.lnk
DESKTOP.INI
rika.exe
==============================
C:\Documents and Settings\Kate Oliver\Start Menu\Programs\Startup

America Online 7.0 Tray Icon.lnk
DESKTOP.INI
rika.exe
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


ACCESS.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
HDWWIZ.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NCPA.CPL Microsoft Corporation
NUSRMGR.CPL Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
redit.cpl
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

=================================

And the final is WinPFind Log:

=================================

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 05/23/2005 8:56:26 PM 597716 C:\WINDOWS\del.tmp
web-nex 08/06/2005 12:13:10 AM 1886 C:\WINDOWS\IE4 Error Log.txt
PECompact2 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\LPT$VPN.761
qoologic 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\LPT$VPN.761
SAHAgent 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\LPT$VPN.761
UPX! 05/03/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 08/05/2005 7:48:48 PM 82432 C:\WINDOWS\ru.exe
UPX! 08/06/2005 12:09:24 AM 65024 C:\WINDOWS\thin-114-1-x-x.exe
UPX! 01/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\VPTNFILE.761
qoologic 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\VPTNFILE.761
SAHAgent 08/04/2005 2:54:10 PM 15552195 C:\WINDOWS\VPTNFILE.761
UPX! 02/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 02/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
PEC2 05/14/2005 12:29:50 AM 328145 C:\WINDOWS\wf70ld.sys
PECompact2 05/14/2005 12:29:50 AM 328145 C:\WINDOWS\wf70ld.sys

Checking %System% folder...
SAHAgent 05/25/2005 10:08:52 PM 35 C:\WINDOWS\SYSTEM32\00ommott.ini
SAHAgent 08/04/2005 10:17:16 PM 3502 C:\WINDOWS\SYSTEM32\1hni8573.ini
PEC2 05/14/2005 12:29:50 AM 310936 C:\WINDOWS\SYSTEM32\6htfoi.exe
PECompact2 05/14/2005 12:29:50 AM 310936 C:\WINDOWS\SYSTEM32\6htfoi.exe
PEC2 08/17/2001 6:00:00 PM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
SAHAgent 05/25/2005 10:08:52 PM 35 C:\WINDOWS\SYSTEM32\g4g60d76.ini
UPX! 08/04/2005 10:07:34 PM 66048 C:\WINDOWS\SYSTEM32\lftecl.exe
UPX! 08/05/2005 9:24:56 PM 67072 C:\WINDOWS\SYSTEM32\lon mod cnxv6m.exe
Umonitor 08/17/2001 6:00:00 PM 630784 C:\WINDOWS\SYSTEM32\RASDLG.DLL
aspack 06/02/2005 5:08:08 PM 25088 C:\WINDOWS\SYSTEM32\redit.cpl
UPX! 06/02/2005 5:08:08 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
KavSvc 06/02/2005 5:08:08 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
yourkey 06/02/2005 5:08:08 PM 18432 C:\WINDOWS\SYSTEM32\supdate.dll
winsync 08/17/2001 6:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
PEC2 05/14/2005 12:29:50 AM 203457 C:\WINDOWS\SYSTEM32\wf70ld.sys
PECompact2 05/14/2005 12:29:50 AM 203457 C:\WINDOWS\SYSTEM32\wf70ld.sys
UPX! 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat
KavSvc 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat
web-nex 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat
yourkey 08/06/2005 7:16:20 PM 65536 C:\WINDOWS\SYSTEM32\wkauw.dat

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
07/04/2005 1:03:48 PM 54156 C:\WINDOWS\QTFont.qfn
08/05/2005 7:48:48 PM 82432 C:\WINDOWS\ru.exe
08/06/2005 2:59:36 AM 0 C:\WINDOWS\INF\oem13.inf
07/21/2005 9:57:20 AM 401408 C:\WINDOWS\SYSTEM32\?ti2evxx.exe
08/07/2005 11:13:46 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
08/07/2005 11:12:34 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
08/07/2005 11:16:24 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
08/07/2005 11:21:16 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
08/07/2005 11:16:52 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
08/04/2005 10:18:10 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\7d10d5eb-9c0b-425f-b169-71a2f6426789
08/04/2005 10:18:10 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
08/06/2005 2:59:48 AM 13695 C:\WINDOWS\SYSTEM32\Restore\FILELIST.XML
08/07/2005 11:12:32 PM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08/21/2002 6:42:00 AM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
03/30/2003 4:22:34 PM 56952 C:\Documents and Settings\Kate Oliver\Application Data\GDIPFONTCACHEV1.DAT
08/06/2005 12:11:54 AM 410559 C:\Documents and Settings\Kate Oliver\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnymngf
{9938a6af-ff80-41ea-8fae-5f1547c31e62} = C:\WINDOWS\System32\oukmo.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
IPInSightLAN 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
msresearch C:\WINDOWS\msresearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
cnxv6m C:\WINDOWS\System32\cnxv6m.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
fakb C:\WINDOWS\System32\fakb.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
cnxv6m C:\WINDOWS\System32\cnxv6m.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 08/07/2005 11:26:17 PM

==================================

OK That's it from here. Will be standing by for next steps. Again - THANKS.

LonMon

Edited by LonMon, 07 August 2005 - 10:53 PM.

Technology is fundamentally worthless if you don't understand the problem you are trying to solve.

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 08 August 2005 - 12:16 AM

Hi LonMon. Ok, L2MFix took care of the first part. Now let's see if we can take care of the 2nd part. It is an infection called Qoologic. Please print these directions and then proceed with the following steps in order.

Step #1

Download the Pocket Killbox and unzip the contents of KillBox.zip to your desktop.

Download CCleaner and install it but do not run it yet.

Step #2
  • Open Notepad and copy/paste the text in the quotebox below into the new document

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnymngf]
[-HKEY_CLASSES_ROOT\CLSID\{9938a6af-ff80-41ea-8fae-5f1547c31e62}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9938a6af-ff80-41ea-8fae-5f1547c31e62}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"fakb"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"cnxv6m"=-

  • Save the document to your desktop as fixreg.reg and close Notepad.
  • Locate the fixreg.reg file on your desktop and right-click on it
  • Choose Merge from the popup menu and answer Yes or Ok to any further prompts. You should get a message that the file was merged successfully.
Step #3
  • Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\del.tmp
      C:\WINDOWS\ru.exe
      C:\WINDOWS\thin-114-1-x-x.exe
      C:\WINDOWS\wf70ld.sys
      C:\WINDOWS\SYSTEM32\00ommott.ini
      C:\WINDOWS\SYSTEM32\1hni8573.ini
      C:\WINDOWS\SYSTEM32\6htfoi.exe
      C:\WINDOWS\SYSTEM32\g4g60d76.ini
      C:\WINDOWS\SYSTEM32\lftecl.exe
      C:\WINDOWS\SYSTEM32\lon mod cnxv6m.exe
      C:\WINDOWS\SYSTEM32\redit.cpl
      C:\WINDOWS\SYSTEM32\supdate.dll
      C:\WINDOWS\SYSTEM32\wf70ld.sys
      C:\WINDOWS\SYSTEM32\wkauw.dat
      C:\Documents and Settings\Kate Oliver\Application Data\Sskknwrd.dll
      C:\WINDOWS\System32\oukmo.dll
      C:\WINDOWS\msresearch.exe
      C:\WINDOWS\System32\cnxv6m.exe
      C:\WINDOWS\System32\fakb.exe
      C:\WINDOWS\System32\upkzuk.exe
      c:\nosunel.mht
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rika.exe
      C:\Documents and Settings\Kate Oliver\Start Menu\Programs\Startup\rika.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • If not greyed out click the checkbox for Deltree (Include SubDirectories)
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Step #4
  • After the system reboots, start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
    • O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
      O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\upkzuk.exe reg_run
      O4 - HKCU\..\Run: [cnxv6m] C:\WINDOWS\System32\cnxv6m.exe
      O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
  • Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

Use the Add Reply button to post a new HijackThis log along with a new WinPFind log.

I will review the new information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

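Before merging a fix file like the one in Step #2, it is worth listing exactly what it will do. The following is an added example, not code from the thread or from OldTimer: it parses the REGEDIT4 syntax used above ([-KEY] removes a whole key, "name"=- removes a single value) and prints a dry-run of the planned actions, flagging any line that would write a value rather than remove one. The embedded fixreg.reg text is the one posted in Step #2; the function names are the example's own.

```python
"""Dry-run a REGEDIT4 removal script before merging it.

Added example, not part of the original thread. It parses the fixreg.reg
syntax OldTimer uses ([-KEY] deletes a whole key, "name"=- deletes one value)
and lists the planned actions so they can be checked against the
WinPFind/HijackThis logs before anything touches the registry.
"""
import re

# Constructed sample input: the fixreg.reg contents posted in Step #2.
FIXREG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnymngf]
[-HKEY_CLASSES_ROOT\CLSID\{9938a6af-ff80-41ea-8fae-5f1547c31e62}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9938a6af-ff80-41ea-8fae-5f1547c31e62}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"fakb"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"cnxv6m"=-
"""

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')        # [KEY] opens a section, [-KEY] deletes it
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')    # "name"=data ; data of - means delete
DEFAULT_RE = re.compile(r'^@=(.*)$')          # @= addresses the key's default value


def parse_reg(text):
    """Return a list of (action, key, value_name) tuples in file order.

    action is 'delete_key', 'delete_value' or 'set_value'. Writes are
    reported too, so a supposed removal script that also plants a value
    does not go unnoticed.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file: missing header")
    actions = []
    current = None  # key section that following value lines belong to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(("delete_key", key, None))
                current = None  # values cannot follow a deleted key
            else:
                current = key
            continue
        m = VALUE_RE.match(line) or DEFAULT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        if current is None:
            raise ValueError(f"value outside a key section: {raw!r}")
        if m.re is DEFAULT_RE:
            name, data = "@", m.group(1)
        else:
            name, data = m.groups()
        act = "delete_value" if data == "-" else "set_value"
        actions.append((act, current, name))
    return actions


def summarize(actions):
    """Human-readable dry-run listing, one planned action per line."""
    out = []
    for act, key, name in actions:
        if act == "delete_key":
            out.append(f"DELETE KEY   {key}")
        elif act == "delete_value":
            out.append(f"DELETE VALUE {key} -> {name}")
        else:
            out.append(f"WRITE VALUE  {key} -> {name}  (check: a removal script should not write)")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_reg(FIXREG)))
```

Each DELETE line should correspond to an entry seen in the WinPFind log (the mxnymngf context-menu handler, its CLSID, and the fakb and cnxv6m policies\Explorer\Run values); anything unexplained is a reason to ask before merging.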

#8 LonMon

LonMon
  • Topic Starter

  • Members
  • 26 posts
  • Location:Connecticut

Posted 08 August 2005 - 04:02 PM

OT -

Have my fingers crossed! I have the HJT log, then WinPFind, and last an ActiveScan log from Panda Software Scan (ran Housecall too). The ActiveScan log lists a number of executable files and some others that were not disinfected. Do you see some of those that should be deleted?

=============================

Logfile of HijackThis v1.99.1
Scan saved at 4:33:38 PM, on 08/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Tech Tools\HJT Ver 1-9-1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123311414441
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123311548834
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


=============================

WinPFind Log

=============================
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 08/07/2005 12:39:32 PM 15582563 C:\WINDOWS\lpt$vpn.763
qoologic 08/07/2005 12:39:32 PM 15582563 C:\WINDOWS\lpt$vpn.763
SAHAgent 08/07/2005 12:39:32 PM 15582563 C:\WINDOWS\lpt$vpn.763
web-nex 08/07/2005 11:12:44 PM 4260 C:\WINDOWS\mzonm.dll
UPX! 05/03/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 01/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 08/07/2005 12:39:32 PM 15582563 C:\WINDOWS\VPTNFILE.763
qoologic 08/07/2005 12:39:32 PM 15582563 C:\WINDOWS\VPTNFILE.763
SAHAgent 08/07/2005 12:39:32 PM 15582563 C:\WINDOWS\VPTNFILE.763
UPX! 02/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 02/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 08/17/2001 6:00:00 PM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
Umonitor 08/17/2001 6:00:00 PM 630784 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 08/17/2001 6:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
07/04/2005 1:03:48 PM 54156 C:\WINDOWS\QTFont.qfn
08/06/2005 2:59:36 AM 0 C:\WINDOWS\INF\oem13.inf
08/08/2005 1:38:50 PM 0 C:\WINDOWS\LastGood\INF\oem14.inf
08/08/2005 1:38:50 PM 0 C:\WINDOWS\LastGood\INF\oem14.PNF
07/21/2005 9:57:20 AM 401408 C:\WINDOWS\SYSTEM32\?ti2evxx.exe
08/08/2005 7:44:38 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
08/08/2005 7:43:06 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
08/08/2005 10:43:16 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
08/08/2005 4:35:06 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
08/08/2005 1:39:02 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
08/04/2005 10:18:10 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\7d10d5eb-9c0b-425f-b169-71a2f6426789
08/04/2005 10:18:10 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
08/06/2005 2:59:48 AM 13695 C:\WINDOWS\SYSTEM32\Restore\FILELIST.XML
08/08/2005 7:41:34 AM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08/21/2002 6:42:00 AM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
03/30/2003 4:22:34 PM 56952 C:\Documents and Settings\Kate Oliver\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{339BB23F-A864-48C0-A59F-29EA915965EC} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
IPInSightLAN 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 08/08/2005 4:39:08 PM

===============================

And finally the Active Scan log -

===============================


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix\backup.zip[IQPUT.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix\backup.zip[RKGWIZC.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix\backup.zip[SKCUR32.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix\backup.zip[VJAME.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix\backup.zip[VQA256.DLL]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix\backup.zip[guard.tmp]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Kate Oliver\Desktop\l2mfix.exe[Process.exe]
Adware:adware/iedriver No disinfected C:\Documents and Settings\Kate Oliver\Favorites\Get out of Debt!.url
Adware:adware/weirdontheweb No disinfected C:\Documents and Settings\Kate Oliver\Favorites\WeirdOnTheWeb.url
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casclient.exe
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\Uninstall.exe
Adware:Adware/Oemji No disinfected C:\Program Files\Common Files\Oem Common\robj1.dll
Adware:Adware/SideFind No disinfected C:\Program Files\Common Files\rwoo\rwooa.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\rwoo\rwood\rwooc.dll
Adware:Adware/SideFind No disinfected C:\Program Files\Common Files\rwoo\rwool.exe
Adware:Adware/SideFind No disinfected C:\Program Files\Common Files\rwoo\rwoom.exe
Adware:Adware/SideFind No disinfected C:\Program Files\Common Files\rwoo\rwoop.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Spyware:Spyware/Dyfuca No disinfected C:\Tech Tools\HJT Ver 1-9-1\backups\backup-20050806-023110-116.dll
Adware:Adware/Imibar No disinfected C:\Tech Tools\HJT Ver 1-9-1\backups\backup-20050806-023110-512.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/comet No disinfected C:\WINDOWS\Downloaded Program Files\cc.inf
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\website.ocx
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\website.ocx
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\msrjkiwy.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SSK3_B5.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM32\ASYCFILT.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM32\BATMETER.exe
Adware:Adware/Adshooter No disinfected C:\WINDOWS\SYSTEM32\ca.dll
Adware:Adware/Searchforit No disinfected C:\WINDOWS\SYSTEM32\ca2.dll
Adware:Adware/Mirar No disinfected C:\WINDOWS\SYSTEM32\Cache\876004.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM32\Cache\e121307.Stub.exe
Virus:Trj/Delf.EB Disinfected C:\WINDOWS\SYSTEM32\Cache\HelperInstall.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM32\Cache\installer.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\mn-quickinstall.exe
Adware:adware/searchtheweb No disinfected C:\WINDOWS\SYSTEM32\Cache\mswinstall.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\SYSTEM32\Cache\optimize.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\SYSTEM32\Cache\optimize1.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\SYSTEM32\Cache\optimize4.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\SYSTEM32\Cache\optimize5.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\SYSTEM32\Cache\optimize6.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\SYSTEM32\Cache\optimize7.exe
Virus:Trj/Downloader.DOJ Disinfected C:\WINDOWS\SYSTEM32\Cache\pi1_60.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\s030109.Stub.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\setup1024.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\smsca.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SYSTEM32\Cache\SSK3_B5 Advagency.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SYSTEM32\Cache\SSK3_B5.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\stlb2_dist41.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM32\Cache\ven_d1.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM32\Cache\verticlick_2_212.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM32\CCFGNT25.exe
Adware:Adware/Novo No disinfected C:\WINDOWS\SYSTEM32\CdmFiles\oauecnygdr.dll
Adware:Adware/DownloadWare No disinfected C:\WINDOWS\SYSTEM32\CdmFiles\oauecnygdr.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\gtjdpo.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\SYSTEM32\lply.dll
Virus:Trj/Qoologic.D Disinfected C:\WINDOWS\SYSTEM32\orixoip.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\?ti2evxx.exe
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe

Standing by... We going to have a Space Shuttle return tomorrow? Taking odds on landing site?

LonMon
Technology is fundamentally worthless if you don't understand the problem you are trying to solve.

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 08 August 2005 - 04:38 PM

Hi LonMon. Looks better. Kind of curious about one of these files so let's get a little more info.

Open Notepad and copy/paste the text from the quotebox below into the new document:

dir C:\WINDOWS\System32\?ti2evxx.exe /a /s h > files.txt
notepad files.txt

Include the information from the files.txt file in your next post.

Save the document to your desktop as findfile.bat and close Notepad. Locate the findfile.bat file on your desktop and double-click on it to run it. Notepad should open up with some information in it.

Post that information back here so I can review it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#10 LonMon

LonMon
  • Topic Starter

  • Members
  • 26 posts
  • Location:Connecticut

Posted 08 August 2005 - 08:33 PM

OT -

Here you go. Almost looks like a corrupt file or something. Didn't want to run it that's for sure.

What about the files found by the Panda Scan that weren't deleted? Leave them?

=========================
findfile.txt
=========================

Volume in drive C has no label.
Volume Serial Number is E022-9295

Directory of C:\WINDOWS\System32

07/21/2005 09:57 AM 401,408 ?ti2evxx.exe
1 File(s) 401,408 bytes

Directory of C:\Documents and Settings\Kate Oliver\Desktop

08/08/2005 09:26 PM 0 files.txt
1 File(s) 0 bytes

Total Files Listed:
1 File(s) 0 bytes
0 Dir(s) 8,172,740,608 bytes free


Getting close to completion... I can feel it...

LonMon
Technology is fundamentally worthless if you don't understand the problem you are trying to solve.
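The dir trick in the post above works because cmd.exe's "?" wildcard matches any single character, but the console still renders a character it cannot display as a literal "?", so the listing confirms the file exists without revealing what its first character actually is. As an added example (not from the thread and not part of OldTimer's or the tools' own code), the Python script below does what a defender would want next: it lists file names containing non-ASCII or non-printable characters, shows each such character as an escape with its Unicode name, and flags names that mix letters from two scripts, the usual look-alike trick. SAMPLE_NAMES is a constructed listing; the Cyrillic and no-break-space names in it are assumptions for illustration, not the real first character of ?ti2evxx.exe.

```python
import os
import tempfile
import unicodedata

# Constructed sample listing (not from the original post). The last two names
# mimic files whose first character is outside printable ASCII; cmd.exe's
# "dir" renders such a character as "?", which is how "?ti2evxx.exe" shows
# up in the thread. The specific characters are assumptions for illustration.
SAMPLE_NAMES = [
    "ati2evxx.exe",            # legitimate-looking name, plain ASCII
    "userinit.exe",
    "\u0430ti2evxx.exe",       # U+0430 CYRILLIC SMALL LETTER A instead of Latin "a"
    "\u00a0svchost.exe",       # leading U+00A0 NO-BREAK SPACE
]


def odd_chars(name):
    """Return (index, 'U+XXXX', unicode name) for every character that is not
    printable ASCII (0x20-0x7E). An empty list means the name is plain ASCII."""
    return [
        (i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if not 0x20 <= ord(ch) <= 0x7E
    ]


def escaped(name):
    """Render a name with every non-ASCII character as a \\x.. or \\u.... escape,
    so it can be quoted exactly in a report instead of appearing as '?'."""
    return name.encode("ascii", "backslashreplace").decode("ascii")


def mixed_script(name):
    """True when the letters of a name come from more than one script
    (e.g. LATIN and CYRILLIC), the classic look-alike file name trick."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            # The first word of the Unicode name is the script: LATIN, CYRILLIC, GREEK, ...
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return len(scripts) > 1


def describe(name):
    """Findings for one suspicious basename."""
    return {"escaped": escaped(name), "chars": odd_chars(name), "mixed_script": mixed_script(name)}


def find_odd_names(names):
    """Map each name that contains non-printable-ASCII characters to its findings."""
    return {n: describe(n) for n in names if odd_chars(n)}


def scan_directory(path):
    """Walk a directory tree and report every file whose basename is suspicious."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for f in files:
            if odd_chars(f):
                report[os.path.join(root, f)] = describe(f)
    return report


def demo_scan():
    """Create the sample files in a temporary directory, scan it and return the
    escaped basenames that were flagged (self-contained, offline run)."""
    with tempfile.TemporaryDirectory() as d:
        for n in SAMPLE_NAMES:
            open(os.path.join(d, n), "w").close()
        report = scan_directory(d)
    return {v["escaped"] for v in report.values()}


if __name__ == "__main__":
    # Point scan_directory at a real folder (e.g. C:\WINDOWS\System32) on the
    # machine under review; the demo uses the constructed sample names instead.
    for name, info in find_odd_names(SAMPLE_NAMES).items():
        print(info["escaped"], info["chars"], "mixed script" if info["mixed_script"] else "")
    print("flagged in temp dir:", sorted(demo_scan()))
```

On a real system you would run scan_directory against the folder in question and read the escaped name rather than the "?"-masked one; a result that mixes scripts, or whose first character is whitespace, is a strong hint that the name was chosen to pass as a legitimate file at a glance.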

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 August 2005 - 09:46 PM

Hi LonMon. Ok, let's clean up the rest (including the files from Panda).

Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\Documents and Settings\Kate Oliver\Favorites\Get out of Debt!.url
      C:\Documents and Settings\Kate Oliver\Favorites\WeirdOnTheWeb.url
      C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
      C:\WINDOWS\cfgmgr52.dll
      C:\WINDOWS\cfgmgr52.ini
      C:\WINDOWS\Downloaded Program Files\cc.inf
      C:\WINDOWS\Downloaded Program Files\CONFLICT.1\website.ocx
      C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
      C:\WINDOWS\Downloaded Program Files\website.ocx
      C:\WINDOWS\Helper101.dll
      C:\WINDOWS\msrjkiwy.exe
      C:\WINDOWS\SSK3_B5.exe
      C:\WINDOWS\SYSTEM32\ASYCFILT.exe
      C:\WINDOWS\SYSTEM32\BATMETER.exe
      C:\WINDOWS\SYSTEM32\ca.dll
      C:\WINDOWS\SYSTEM32\ca2.dll
      C:\WINDOWS\SYSTEM32\CCFGNT25.exe
      C:\WINDOWS\SYSTEM32\CdmFiles\oauecnygdr.dll
      C:\WINDOWS\SYSTEM32\CdmFiles\oauecnygdr.exe
      C:\WINDOWS\SYSTEM32\gtjdpo.dll
      C:\WINDOWS\SYSTEM32\lply.dll
      C:\WINDOWS\SYSTEM32\orixoip.dll
      C:\WINDOWS\SYSTEM32\Shex.exe
      C:\WINDOWS\SYSTEM32\winupdt.008
      C:\WINDOWS\SYSTEM32\?ti2evxx.exe
      C:\WINDOWS\ucmoreiex.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Your system will reboot now.

Find the following files/folders and delete them (don't worry if they are already gone):
C:\Program Files\Cas\ <--folder
C:\Program Files\Common Files\Oem Common\ <--folder
C:\Program Files\Common Files\rwoo\ <--folder
C:\WINDOWS\SYSTEM32\Cache\ <--folder

OK. Reboot your computer normally and post back a new HijackThis log and a new WinPFind log.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer




