
Really bad adware problem



#1 FiktionWeLiv

Posted 13 August 2005 - 07:18 PM

Well, for some reason I can't get rid of these ads that seem to keep on popping up on my computer. I've run Ad-Aware, Spybot, Avast and nothing seems to help. So a tech guy from work told me to try HijackThis, but I have no idea what to do with it. Some help would be really great.


Here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:06:06 PM, on 8/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SXLXLK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\JOHNNY\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\sxlxlk.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: runu.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24c71afdaca1a2...ip/RdxIE601.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://ww2.reciperewards.com/bundles/reciperewards.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL



#2 OldTimer

Malware Expert

Posted 15 August 2005 - 10:16 AM

Hello FiktionWeLiv and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\sxlxlk.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - Startup: runu.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24c71afdaca1a2...ip/RdxIE601.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://ww2.reciperewards.com/bundles/reciperewards.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\SYSTEM\AUNPS2.DLL
C:\WINDOWS\SYSTEM\DATADX.DLL
C:\WINDOWS\sxlxlk.exe
C:\PROGRAM FILES\CAS\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
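As an added example (not code from this thread or from HijackThis), here is a small Python triage pass over the Rn/On lines of a log like the one posted above. It parses each line, applies a few structural rules a reviewer applies by eye (O15 zone overrides, O18 MIME filters, O2 BHOs with no backing file, R3 search hooks) and matches the file names, domain and IP from the fix list in this post; both the rules and the indicator list are assumptions drawn from this thread, not a HijackThis feature.

```python
"""Triage pass over HijackThis v1.99 log lines.

Constructed example, not part of the thread or of HijackThis. Every
'Rn - ...' / 'On - ...' line becomes an Entry; triage() then applies a few
structural rules plus a substring match against indicators taken from
OldTimer's fix list above (an assumption for this example, not a HijackThis
feature).
"""
import re
from dataclasses import dataclass, field

HJT_LINE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# Registry O4 bodies look like '<hive>\..\<key>: [<value name>] <command>'
O4_BODY = re.compile(
    r"^(?P<hive>HK[LC][MU])\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# Indicators as they appear in the fix list posted above; matched case-insensitively.
INDICATORS = (
    "surfsidekick", "aunps2.dll", "sxlxlk.exe", "datadx.dll", "runu.exe",
    "casmf.dll", "skoobidoo.com", "64.127.104.144", "reciperewards.cab",
    "icannnews.com", "dlhelper.cab", "rdxie601.cab",
)


@dataclass
class Entry:
    section: str            # e.g. 'R1', 'O4', 'O16'
    body: str               # everything after 'Oxx - '
    raw: str
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per Rn/On line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], line.strip()))
    return entries


def parse_o4(entry):
    """Split a registry O4 autostart into hive/key/name/command; None for 'O4 - Startup:' lines."""
    m = O4_BODY.match(entry.body)
    return m.groupdict() if m else None


def triage(entries):
    """Attach a reason to every suspicious entry and return the flagged ones in log order."""
    flagged = []
    for e in entries:
        e.reasons = []
        low = e.body.lower()
        if e.section == "O15":
            e.reasons.append("O15: Trusted Zone / trusted IP / protocol-default override")
        if e.section == "O18" and low.startswith("filter:"):
            e.reasons.append("O18: MIME filter hook, page content is rewritten before IE renders it")
        if e.section == "O2" and "(no file)" in low:
            e.reasons.append("O2: BHO registered but its file is missing")
        if e.section == "R3":
            e.reasons.append("R3: URLSearchHook redirects address-bar searches")
        for ind in INDICATORS:
            if ind in low:
                e.reasons.append(f"matches indicator {ind!r}")
        if e.reasons:
            flagged.append(e)
    return flagged


# Constructed input: an excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SXLXLK.EXE

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\sxlxlk.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: runu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
"""

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.raw)
        for r in e.reasons:
            print("   ->", r)
```

The benign QuickTime and AIM lines pass through unflagged, which is the point of keeping structural rules separate from the indicator list.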


#3 FiktionWeLiv


Posted 23 August 2005 - 12:47 AM

Still having a problem with pop-ups, most of which are from searc-h.com.


And when you told me to delete the files, I couldn't find these 2:
C:\WINDOWS\SYSTEM\AUNPS2.DLL
C:\WINDOWS\sxlxlk.exe


Plus I just recently got this thing that's running called MSVEG2 and I'm not sure what it is, but it started up like the other day and I can't close it out, and when I do, it comes back shortly thereafter.

Well anyway, here's my updated log; any help again would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:36:59 AM, on 8/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSVEG2.EXE
C:\WINDOWS\SYSTEM\MSVEG2.EXE
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKCU\..\Run: [MSVEG2] C:\WINDOWS\SYSTEM\MSVEG2.exe
O4 - HKCU\..\RunOnce: [MSVEG2] C:\WINDOWS\SYSTEM\MSVEG2.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted IP range: 64.127.104.144
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

#4 OldTimer

Malware Expert

Posted 23 August 2005 - 09:41 AM

Hi FiktionWeLiv. I think there is something else in there that we are not seeing. Let's try a different scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.


#5 FiktionWeLiv


Posted 24 August 2005 - 04:12 PM

Is this what you meant to post?

UPX!
FSG!
PEC2
PECompact2
Umonitor
qoologic
aspack
PTech
urllogic
ad-beh
ad-behNior.com
sYVLLSAKY
_rtneg3
SAHAgent
buddy.exe
ZepMon
aurora.exe
;2x(V]@BMD
Tlji7Mk
KavSvc
69.59.186.63
209.66.67.134
66.63.167.97
66.63.167.77
abetterinternet.com
8B!7F\(T
testpopup
web-nex
yourkey
winsync
rec2_run

#6 OldTimer

Malware Expert

Posted 25 August 2005 - 11:30 AM

Hi FiktionWeLiv. Nope, that is the 'patterns.txt' file. When WinPFind is run it will create a file in the same folder as WinPFind.exe named 'WinPFind.txt'. I need the contents from the WinPFind.txt file.

Cheers.


#7 FiktionWeLiv


Posted 26 August 2005 - 12:52 PM

Oh OK, my bad. Here you go, I believe this one is right now.
Thanks again.

Windows OS and Versions
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 6/1/2004 6:54:48 PM 34304 C:\htloader.exe
69.59.186.63 8/12/2005 4:47:34 PM 204800 C:\installer.exe
209.66.67.134 8/12/2005 4:47:34 PM 204800 C:\installer.exe
66.63.167.97 8/12/2005 4:47:34 PM 204800 C:\installer.exe
66.63.167.77 8/12/2005 4:47:34 PM 204800 C:\installer.exe
web-nex 8/12/2005 4:47:34 PM 204800 C:\installer.exe
winsync 8/12/2005 4:47:34 PM 204800 C:\installer.exe
rec2_run 8/12/2005 4:47:34 PM 204800 C:\installer.exe
UPX! 8/6/2005 6:45:16 PM 25105 C:\MTE2NzY6ODoxNg.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PTech 8/26/2005 12:08:32 AM RH 2318368 C:\WINDOWS\USER.DAT
winsync 8/26/2005 12:08:32 AM RH 3592224 C:\WINDOWS\SYSTEM.DAT
PECompact2 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\VPTNFILE.795
qoologic 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\VPTNFILE.795
SAHAgent 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\VPTNFILE.795
PECompact2 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\lpt$vpn.795
qoologic 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\lpt$vpn.795
SAHAgent 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\lpt$vpn.795
UPX! 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X
FSG! 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X
aspack 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X
PTech 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X

Items found in C:\WINDOWS\hosts

UPX! 7/28/2005 5:40:02 PM 17408 C:\WINDOWS\icont.exe
69.59.186.63 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
209.66.67.134 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
web-nex 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
winsync 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
web-nex 8/6/2005 3:03:50 PM 4018 C:\WINDOWS\mrjrj.dll
69.59.186.63 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
209.66.67.134 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
web-nex 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
winsync 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 8/10/2005 4:38:34 PM 189859 C:\WINDOWS\dsr.exe
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IJSCLASS.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\HFTPLUG.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\JJT.DLL
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MPJTER35.DLL
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MWVCRT20.DLL
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\IKNPSTUB.DLL
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MGEXCL40.DLL
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\ILITPKI.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\wfp.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OKE2DISP.DLL
UPX! 8/22/2001 7:00:00 PM 86030 C:\WINDOWS\SYSTEM\msdjgk.dll
UPX! 8/22/2001 7:00:00 PM 170496 C:\WINDOWS\SYSTEM\msiaih.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\AGIFILE.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\JTVACYPT.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\SWVRTGUI.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NMSHELL.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MLVCRT10.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NATOS.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\RSAUI.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\KUUSER.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\WEICORE.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DKDREF.DLL
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\iypcv20.dll
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\DCACTFRM.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\IXSCONFG.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\CGBVIEW.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DVDMOPRP.DLL
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\NVONN16.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\QHDIT.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\NJARCH16.DLL
UPX! 3/31/2004 5:55:24 PM 172544 C:\WINDOWS\SYSTEM\npkcsvc.exe
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\MLRATING.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\WGNNET16.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\mJpi32x.dll
Umonitor 7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MVRLE32.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\dknhupnp.dll
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\RHATHUNK.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\IXETCPLC.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\OKTWA400.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\RYCLTSPX.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\KSRNEL32.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\USMCLN32.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OTMREG.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\DUTIME.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MWRLE32.DLL
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\TDbHook.dll
Umonitor 7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\MWI.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\VRPODBC.DLL
PEC2 10/26/2004 4:38:24 PM 716800 C:\WINDOWS\SYSTEM\DivX.dll
PECompact2 10/26/2004 4:38:24 PM 716800 C:\WINDOWS\SYSTEM\DivX.dll
Umonitor 7/21/2005 3:30:42 PM 405504 C:\WINDOWS\SYSTEM\ILNPSTUB.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\NQRSDE.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MHREPL35.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MHVCRT10.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\bebmm.dll
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM\LegitCheckControl.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\pu.dll
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\vzdx16.dll
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\SFMSETUP.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\LPDIS90W.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\CQICONFG.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\IRM32.DLL
Umonitor 7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\RXAUI.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\ptwave.dll
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DRSKCOPY.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\SPWIUDLL.DLL
SAHAgent 5/13/2005 7:02:46 PM 35 C:\WINDOWS\SYSTEM\70tovmto.ini
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\WANMM.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\LigitCheckControl.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\OIEDLG.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\KURNEL32.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\FQ20ENU.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\OHGFS400.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\PMUSTAB.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\LVRT.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\PMWRPROF.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IDROP.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\QNVD.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\ibam6sti.dll
UPX! 7/9/2005 4:03:06 AM 433152 C:\WINDOWS\SYSTEM\aswBoot.exe
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\NSWRSDA.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\dgwave.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\VXB32.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MIEXCH40.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MVVCRT40.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DXNDI.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\ANFERROR.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DSTMSFT.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\PGvFilt.dll
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MYJINT35.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IXAGING.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\NFWMSDRM.DLL
Umonitor 7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\Jbngle.dll
Umonitor 8/10/2005 4:37:56 PM 405504 C:\WINDOWS\SYSTEM\pxbole32.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\VT40032.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MMC30.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\QVVD.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\HEZPOM01.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NSWRSNL.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\LDMSP80N.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IKIRCL.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\LEEFX90W.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\DX32GT.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IDITPKI.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\CXBINET.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OAEPRO32.DLL
UPX! 8/6/2005 1:17:48 AM 67072 C:\WINDOWS\SYSTEM\dpsl08.exe
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\ijpmp20.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\SXEM0409.DLL
UPX! 8/18/2005 11:37:24 AM 68096 C:\WINDOWS\SYSTEM\stifxe.exe
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\HRSETUP.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IjagXpr5.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\dzlphimm.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\STWIUDLL.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\hxaghlpr.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NFSHELL.DLL
UPX! 8/18/2005 11:43:24 AM 68096 C:\WINDOWS\SYSTEM\mf3pms.exe
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MZVCRT20.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\VKRUN300.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\pevcodec.dll
UPX! 8/18/2005 5:03:08 PM 68096 C:\WINDOWS\SYSTEM\msimdb.exe
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\CQTDLL.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\meiaih.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MEHTMLER.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OVTWA400.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\SJI.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\sypdate.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\JHMD400.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\miiosd32.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\ixfxsrvc.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\LNEFX80N.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\cpral.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\itagr5.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IYGUTIL.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\mtikbdmx.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NYRSENG.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\RNCNS4.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\DYMSVINN.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OUETHK32.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\wrpui.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\AIIFILE.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\SHCUR32.DLL
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\davxdec_0407.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\irpmp20.dll
Umonitor 8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\PUlmDevC.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/26/2005 1:42:40 AM RH 2318368 C:\WINDOWS\USER.DAT
8/26/2005 1:34:36 AM RH 3592224 C:\WINDOWS\SYSTEM.DAT
8/26/2005 1:37:52 AM RH 8552480 C:\WINDOWS\CLASSES.DAT
8/25/2005 5:49:54 PM H 17503 C:\WINDOWS\ttfCache
8/25/2005 8:29:40 PM H 54156 C:\WINDOWS\QTFont.qfn
8/9/2005 11:40:34 PM H 1285402 C:\WINDOWS\ShellIconCache
8/24/2005 12:18:14 PM H 19450 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IJSCLASS.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\HFTPLUG.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\JJT.DLL
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MPJTER35.DLL
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MWVCRT20.DLL
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\IKNPSTUB.DLL
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MGEXCL40.DLL
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\ILITPKI.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\wfp.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OKE2DISP.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\AGIFILE.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\JTVACYPT.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\SWVRTGUI.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NMSHELL.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MLVCRT10.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NATOS.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\RSAUI.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\KUUSER.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\WEICORE.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DKDREF.DLL
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\iypcv20.dll
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\DCACTFRM.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\IXSCONFG.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\CGBVIEW.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DVDMOPRP.DLL
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\NVONN16.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\QHDIT.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\NJARCH16.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\MLRATING.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\WGNNET16.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\mJpi32x.dll
7/9/2005 9:41:36 AM R S 405504 C:\WINDOWS\SYSTEM\MVRLE32.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\dknhupnp.dll
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\RHATHUNK.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\IXETCPLC.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\OKTWA400.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\RYCLTSPX.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\KSRNEL32.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\USMCLN32.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OTMREG.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\DUTIME.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MWRLE32.DLL
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\TDbHook.dll
7/14/2005 1:19:10 PM R S 405504 C:\WINDOWS\SYSTEM\MWI.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\VRPODBC.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\NQRSDE.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MHREPL35.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MHVCRT10.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\bebmm.dll
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\pu.dll
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\vzdx16.dll
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\SFMSETUP.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\LPDIS90W.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\CQICONFG.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\IRM32.DLL
7/21/2005 3:30:42 PM R S 405504 C:\WINDOWS\SYSTEM\RXAUI.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\ptwave.dll
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DRSKCOPY.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\SPWIUDLL.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\WANMM.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\LigitCheckControl.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\OIEDLG.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\KURNEL32.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\FQ20ENU.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\OHGFS400.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\PMUSTAB.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\LVRT.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\PMWRPROF.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IDROP.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\QNVD.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\ibam6sti.dll
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\NSWRSDA.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\dgwave.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\VXB32.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MIEXCH40.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MVVCRT40.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DXNDI.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\ANFERROR.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\DSTMSFT.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\PGvFilt.dll
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\MYJINT35.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IXAGING.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\NFWMSDRM.DLL
7/26/2005 8:14:02 PM R S 405504 C:\WINDOWS\SYSTEM\Jbngle.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\usidrv.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\VT40032.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\MMC30.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\QVVD.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\HEZPOM01.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NSWRSNL.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\LDMSP80N.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IKIRCL.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\LEEFX90W.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\DX32GT.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IDITPKI.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\CXBINET.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\OAEPRO32.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\ijpmp20.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\SXEM0409.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\HRSETUP.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\IjagXpr5.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\dzlphimm.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\STWIUDLL.DLL
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\hxaghlpr.dll
8/10/2005 4:37:56 PM R S 405504 C:\WINDOWS\SYSTEM\NFSHELL.DLL

Checking for CPL files...

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:16 PM

Posted 26 August 2005 - 01:22 PM

Hi FiktionWeLiv. That is only a partial log, but I think I can see enough to try something else.

It looks like we have an L2M infection here. Please do the following:
  • Download l2m9xfix.exe and save it to your desktop.
  • Locate the l2m9xfix.exe file on your desktop and double-click on it to extract the files.
  • Click on the Install button when prompted. It will create a folder on the desktop named l2m9xfix and extract the files into it.
  • Open the l2m9xfix folder on the desktop and double-click the file RunThis.bat.
  • A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.
  • Now restart your computer, and post the following logs back here:
    • The log.txt file from the l2m9xfix folder
    • A new HijackThis log
    • A new WinPFind log
If all of the logs do not fit into 1 post then make multiple posts to get all of the information posted.

I will review the new information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

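What OldTimer is reading in the partial WinPFind log above is a cluster: dozens of DLLs in C:\WINDOWS\SYSTEM that all have the same 405504-byte size and the same R S attributes, written in a few batches that share an identical timestamp, with names that imitate real system libraries. As an added example (not part of this thread, and not code from WinPFind or the l2m9xfix tool), here is a small Python parser for lines in WinPFind's file-listing format that groups files under one folder by size and attributes, so a batch like that stands out from the normal USER.DAT and ttfCache entries. The sample lines are copied from the log above; the folder prefix and the minimum cluster size are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the WinPFind "Checking the Windows folder" line format.
# The DLL lines are copied from the log in this thread; USER.DAT, ttfCache and
# stifxe.exe are other entries from the same log. Backslashes are doubled for Python.
SAMPLE_LOG = """\
8/26/2005 1:42:40 AM RH 2318368 C:\\WINDOWS\\USER.DAT
8/25/2005 5:49:54 PM H 17503 C:\\WINDOWS\\ttfCache
UPX! 8/18/2005 11:37:24 AM 68096 C:\\WINDOWS\\SYSTEM\\stifxe.exe
8/10/2005 4:37:56 PM R S 405504 C:\\WINDOWS\\SYSTEM\\IJSCLASS.DLL
8/10/2005 4:37:56 PM R S 405504 C:\\WINDOWS\\SYSTEM\\HFTPLUG.DLL
8/10/2005 4:37:56 PM R S 405504 C:\\WINDOWS\\SYSTEM\\JJT.DLL
7/9/2005 9:41:36 AM R S 405504 C:\\WINDOWS\\SYSTEM\\MPJTER35.DLL
7/9/2005 9:41:36 AM R S 405504 C:\\WINDOWS\\SYSTEM\\MWVCRT20.DLL
7/26/2005 8:14:02 PM R S 405504 C:\\WINDOWS\\SYSTEM\\KURNEL32.DLL
"""

# A line is: optional leading tag (packer signature or string hit such as "UPX!"
# or "Umonitor"), date, time, zero or more attribute tokens (R, H, S, RH ...),
# size in bytes, and the full path.
_LINE_RE = re.compile(
    r"^(?:(?P<tag>\S+)\s+)?"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<attrs>(?:[RHSA]+\s+)*)"
    r"(?P<size>\d+)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)


def parse_winpfind_line(line):
    """Parse one file line into a dict; return None for headers and blank lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "tag": m.group("tag"),
        "timestamp": f"{m.group('date')} {m.group('time')}",
        "attrs": " ".join(m.group("attrs").split()),
        "size": int(m.group("size")),
        "path": m.group("path"),
    }


def find_size_clusters(log_text, folder_prefix="C:\\WINDOWS\\SYSTEM\\", min_members=3):
    """Group files under folder_prefix by (size, attributes) and return only the
    groups with at least min_members files. Each group lists its member paths and
    the distinct timestamps seen: several drop batches sharing one size is the tell.
    folder_prefix and min_members are assumptions for this example."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_winpfind_line(line)
        if rec is None or not rec["path"].upper().startswith(folder_prefix.upper()):
            continue
        groups[(rec["size"], rec["attrs"])].append(rec)
    clusters = {}
    for key, recs in groups.items():
        if len(recs) >= min_members:
            clusters[key] = {
                "paths": [r["path"] for r in recs],
                "timestamps": sorted({r["timestamp"] for r in recs}),
            }
    return clusters


if __name__ == "__main__":
    for (size, attrs), info in find_size_clusters(SAMPLE_LOG).items():
        print(f"{len(info['paths'])} files of {size} bytes with attrs '{attrs}', "
              f"{len(info['timestamps'])} distinct timestamps:")
        for path in info["paths"]:
            print("   ", path)
```

Run against the full log rather than the sample, the same grouping separates the 405504-byte R S batch from the handful of legitimate hidden or read-only files in the Windows folder; the size and attribute key is deliberately used instead of the filenames, since the names are chosen to look like real libraries and a name list alone is what a fix tool has to be updated with every time.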

#9 FiktionWeLiv

FiktionWeLiv
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:16 PM

Posted 26 August 2005 - 11:02 PM

OK... here's the log.txt file

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\AGIFILE.DLL
C:\WINDOWS\system\AGIFILE.DLL
C:\WINDOWS\system\AGIFILE.DLL
C:\WINDOWS\system\AGIFILE.DLL
C:\WINDOWS\system\AIIFILE.DLL
C:\WINDOWS\system\AIIFILE.DLL
C:\WINDOWS\system\AIIFILE.DLL
C:\WINDOWS\system\AIIFILE.DLL
C:\WINDOWS\system\ANFERROR.DLL
C:\WINDOWS\system\ANFERROR.DLL
C:\WINDOWS\system\ANFERROR.DLL
C:\WINDOWS\system\ANFERROR.DLL
C:\WINDOWS\system\bebmm.dll
C:\WINDOWS\system\bebmm.dll
C:\WINDOWS\system\bebmm.dll
C:\WINDOWS\system\bebmm.dll
C:\WINDOWS\system\CGBVIEW.DLL
C:\WINDOWS\system\CGBVIEW.DLL
C:\WINDOWS\system\CGBVIEW.DLL
C:\WINDOWS\system\CGBVIEW.DLL
C:\WINDOWS\system\CKBINET.DLL
C:\WINDOWS\system\CKBINET.DLL
C:\WINDOWS\system\CKBINET.DLL
C:\WINDOWS\system\CKBINET.DLL
C:\WINDOWS\system\cpral.dll
C:\WINDOWS\system\cpral.dll
C:\WINDOWS\system\cpral.dll
C:\WINDOWS\system\cpral.dll
C:\WINDOWS\system\CQICONFG.DLL
C:\WINDOWS\system\CQICONFG.DLL
C:\WINDOWS\system\CQICONFG.DLL
C:\WINDOWS\system\CQICONFG.DLL
C:\WINDOWS\system\CQTDLL.DLL
C:\WINDOWS\system\CQTDLL.DLL
C:\WINDOWS\system\CQTDLL.DLL
C:\WINDOWS\system\CQTDLL.DLL
C:\WINDOWS\system\CWUTOA.DLL
C:\WINDOWS\system\CWUTOA.DLL
C:\WINDOWS\system\CWUTOA.DLL
C:\WINDOWS\system\CWUTOA.DLL
C:\WINDOWS\system\CXBINET.DLL
C:\WINDOWS\system\CXBINET.DLL
C:\WINDOWS\system\CXBINET.DLL
C:\WINDOWS\system\CXBINET.DLL
C:\WINDOWS\system\davxdec_0407.dll
C:\WINDOWS\system\davxdec_0407.dll
C:\WINDOWS\system\davxdec_0407.dll
C:\WINDOWS\system\davxdec_0407.dll
C:\WINDOWS\system\DCACTFRM.DLL
C:\WINDOWS\system\DCACTFRM.DLL
C:\WINDOWS\system\DCACTFRM.DLL
C:\WINDOWS\system\DCACTFRM.DLL
C:\WINDOWS\system\dgwave.dll
C:\WINDOWS\system\dgwave.dll
C:\WINDOWS\system\dgwave.dll
C:\WINDOWS\system\dgwave.dll
C:\WINDOWS\system\DKDREF.DLL
C:\WINDOWS\system\DKDREF.DLL
C:\WINDOWS\system\DKDREF.DLL
C:\WINDOWS\system\DKDREF.DLL
C:\WINDOWS\system\dknhupnp.dll
C:\WINDOWS\system\dknhupnp.dll
C:\WINDOWS\system\dknhupnp.dll
C:\WINDOWS\system\dknhupnp.dll
C:\WINDOWS\system\DMMSVINN.DLL
C:\WINDOWS\system\DMMSVINN.DLL
C:\WINDOWS\system\DMMSVINN.DLL
C:\WINDOWS\system\DMMSVINN.DLL
C:\WINDOWS\system\DRSKCOPY.DLL
C:\WINDOWS\system\DRSKCOPY.DLL
C:\WINDOWS\system\DRSKCOPY.DLL
C:\WINDOWS\system\DRSKCOPY.DLL
C:\WINDOWS\system\DSTMSFT.DLL
C:\WINDOWS\system\DSTMSFT.DLL
C:\WINDOWS\system\DSTMSFT.DLL
C:\WINDOWS\system\DSTMSFT.DLL
C:\WINDOWS\system\DUTIME.DLL
C:\WINDOWS\system\DUTIME.DLL
C:\WINDOWS\system\DUTIME.DLL
C:\WINDOWS\system\DUTIME.DLL
C:\WINDOWS\system\DVDMOPRP.DLL
C:\WINDOWS\system\DVDMOPRP.DLL
C:\WINDOWS\system\DVDMOPRP.DLL
C:\WINDOWS\system\DVDMOPRP.DLL
C:\WINDOWS\system\DX32GT.DLL
C:\WINDOWS\system\DX32GT.DLL
C:\WINDOWS\system\DX32GT.DLL
C:\WINDOWS\system\DX32GT.DLL
C:\WINDOWS\system\DXNDI.DLL
C:\WINDOWS\system\DXNDI.DLL
C:\WINDOWS\system\DXNDI.DLL
C:\WINDOWS\system\DXNDI.DLL
C:\WINDOWS\system\DYMSVINN.DLL
C:\WINDOWS\system\DYMSVINN.DLL
C:\WINDOWS\system\DYMSVINN.DLL
C:\WINDOWS\system\DYMSVINN.DLL
C:\WINDOWS\system\dzlphimm.dll
C:\WINDOWS\system\dzlphimm.dll
C:\WINDOWS\system\dzlphimm.dll
C:\WINDOWS\system\dzlphimm.dll
C:\WINDOWS\system\FQ20ENU.DLL
C:\WINDOWS\system\FQ20ENU.DLL
C:\WINDOWS\system\FQ20ENU.DLL
C:\WINDOWS\system\FQ20ENU.DLL
C:\WINDOWS\system\HEZPOM01.DLL
C:\WINDOWS\system\HEZPOM01.DLL
C:\WINDOWS\system\HEZPOM01.DLL
C:\WINDOWS\system\HEZPOM01.DLL
C:\WINDOWS\system\HFTPLUG.DLL
C:\WINDOWS\system\HFTPLUG.DLL
C:\WINDOWS\system\HFTPLUG.DLL
C:\WINDOWS\system\HFTPLUG.DLL
C:\WINDOWS\system\HRSETUP.DLL
C:\WINDOWS\system\HRSETUP.DLL
C:\WINDOWS\system\HRSETUP.DLL
C:\WINDOWS\system\HRSETUP.DLL
C:\WINDOWS\system\hxaghlpr.dll
C:\WINDOWS\system\hxaghlpr.dll
C:\WINDOWS\system\hxaghlpr.dll
C:\WINDOWS\system\hxaghlpr.dll
C:\WINDOWS\system\ibam6sti.dll
C:\WINDOWS\system\ibam6sti.dll
C:\WINDOWS\system\ibam6sti.dll
C:\WINDOWS\system\ibam6sti.dll
C:\WINDOWS\system\IDITPKI.DLL
C:\WINDOWS\system\IDITPKI.DLL
C:\WINDOWS\system\IDITPKI.DLL
C:\WINDOWS\system\IDITPKI.DLL
C:\WINDOWS\system\IDROP.DLL
C:\WINDOWS\system\IDROP.DLL
C:\WINDOWS\system\IDROP.DLL
C:\WINDOWS\system\IDROP.DLL
C:\WINDOWS\system\IGMUI.DLL
C:\WINDOWS\system\IGMUI.DLL
C:\WINDOWS\system\IGMUI.DLL
C:\WINDOWS\system\IGMUI.DLL
C:\WINDOWS\system\IjagXpr5.dll
C:\WINDOWS\system\IjagXpr5.dll
C:\WINDOWS\system\IjagXpr5.dll
C:\WINDOWS\system\IjagXpr5.dll
C:\WINDOWS\system\ijpmp20.dll
C:\WINDOWS\system\ijpmp20.dll
C:\WINDOWS\system\ijpmp20.dll
C:\WINDOWS\system\ijpmp20.dll
C:\WINDOWS\system\IJSCLASS.DLL
C:\WINDOWS\system\IJSCLASS.DLL
C:\WINDOWS\system\IJSCLASS.DLL
C:\WINDOWS\system\IJSCLASS.DLL
C:\WINDOWS\system\IKIRCL.DLL
C:\WINDOWS\system\IKIRCL.DLL
C:\WINDOWS\system\IKIRCL.DLL
C:\WINDOWS\system\IKIRCL.DLL
C:\WINDOWS\system\IKNPSTUB.DLL
C:\WINDOWS\system\IKNPSTUB.DLL
C:\WINDOWS\system\IKNPSTUB.DLL
C:\WINDOWS\system\IKNPSTUB.DLL
C:\WINDOWS\system\ILITPKI.DLL
C:\WINDOWS\system\ILITPKI.DLL
C:\WINDOWS\system\ILITPKI.DLL
C:\WINDOWS\system\ILITPKI.DLL
C:\WINDOWS\system\ILNPSTUB.DLL
C:\WINDOWS\system\ILNPSTUB.DLL
C:\WINDOWS\system\ILNPSTUB.DLL
C:\WINDOWS\system\ILNPSTUB.DLL
C:\WINDOWS\system\IRM32.DLL
C:\WINDOWS\system\IRM32.DLL
C:\WINDOWS\system\IRM32.DLL
C:\WINDOWS\system\IRM32.DLL
C:\WINDOWS\system\irpmp20.dll
C:\WINDOWS\system\irpmp20.dll
C:\WINDOWS\system\irpmp20.dll
C:\WINDOWS\system\irpmp20.dll
C:\WINDOWS\system\itagr5.dll
C:\WINDOWS\system\itagr5.dll
C:\WINDOWS\system\itagr5.dll
C:\WINDOWS\system\itagr5.dll
C:\WINDOWS\system\IXAGING.DLL
C:\WINDOWS\system\IXAGING.DLL
C:\WINDOWS\system\IXAGING.DLL
C:\WINDOWS\system\IXAGING.DLL
C:\WINDOWS\system\IXETCPLC.DLL
C:\WINDOWS\system\IXETCPLC.DLL
C:\WINDOWS\system\IXETCPLC.DLL
C:\WINDOWS\system\IXETCPLC.DLL
C:\WINDOWS\system\ixfxsrvc.dll
C:\WINDOWS\system\ixfxsrvc.dll
C:\WINDOWS\system\ixfxsrvc.dll
C:\WINDOWS\system\ixfxsrvc.dll
C:\WINDOWS\system\IXSCONFG.DLL
C:\WINDOWS\system\IXSCONFG.DLL
C:\WINDOWS\system\IXSCONFG.DLL
C:\WINDOWS\system\IXSCONFG.DLL
C:\WINDOWS\system\IYGUTIL.DLL
C:\WINDOWS\system\IYGUTIL.DLL
C:\WINDOWS\system\IYGUTIL.DLL
C:\WINDOWS\system\IYGUTIL.DLL
C:\WINDOWS\system\iypcv20.dll
C:\WINDOWS\system\iypcv20.dll
C:\WINDOWS\system\iypcv20.dll
C:\WINDOWS\system\iypcv20.dll
C:\WINDOWS\system\Jbngle.dll
C:\WINDOWS\system\Jbngle.dll
C:\WINDOWS\system\Jbngle.dll
C:\WINDOWS\system\Jbngle.dll
C:\WINDOWS\system\JHMD400.DLL
C:\WINDOWS\system\JHMD400.DLL
C:\WINDOWS\system\JHMD400.DLL
C:\WINDOWS\system\JHMD400.DLL
C:\WINDOWS\system\JJT.DLL
C:\WINDOWS\system\JJT.DLL
C:\WINDOWS\system\JJT.DLL
C:\WINDOWS\system\JJT.DLL
C:\WINDOWS\system\JTVACYPT.DLL
C:\WINDOWS\system\JTVACYPT.DLL
C:\WINDOWS\system\JTVACYPT.DLL
C:\WINDOWS\system\JTVACYPT.DLL
C:\WINDOWS\system\KSRNEL32.DLL
C:\WINDOWS\system\KSRNEL32.DLL
C:\WINDOWS\system\KSRNEL32.DLL
C:\WINDOWS\system\KSRNEL32.DLL
C:\WINDOWS\system\KURNEL32.DLL
C:\WINDOWS\system\KURNEL32.DLL
C:\WINDOWS\system\KURNEL32.DLL
C:\WINDOWS\system\KURNEL32.DLL
C:\WINDOWS\system\KUUSER.DLL
C:\WINDOWS\system\KUUSER.DLL
C:\WINDOWS\system\KUUSER.DLL
C:\WINDOWS\system\KUUSER.DLL
C:\WINDOWS\system\LDMSP80N.DLL
C:\WINDOWS\system\LDMSP80N.DLL
C:\WINDOWS\system\LDMSP80N.DLL
C:\WINDOWS\system\LDMSP80N.DLL
C:\WINDOWS\system\LEEFX90W.DLL
C:\WINDOWS\system\LEEFX90W.DLL
C:\WINDOWS\system\LEEFX90W.DLL
C:\WINDOWS\system\LEEFX90W.DLL
C:\WINDOWS\system\LigitCheckControl.DLL
C:\WINDOWS\system\LigitCheckControl.DLL
C:\WINDOWS\system\LigitCheckControl.DLL
C:\WINDOWS\system\LigitCheckControl.DLL
C:\WINDOWS\system\LNEFX80N.DLL
C:\WINDOWS\system\LNEFX80N.DLL
C:\WINDOWS\system\LNEFX80N.DLL
C:\WINDOWS\system\LNEFX80N.DLL
C:\WINDOWS\system\LPDIS90W.DLL
C:\WINDOWS\system\LPDIS90W.DLL
C:\WINDOWS\system\LPDIS90W.DLL
C:\WINDOWS\system\LPDIS90W.DLL
C:\WINDOWS\system\LVRT.DLL
C:\WINDOWS\system\LVRT.DLL
C:\WINDOWS\system\LVRT.DLL
C:\WINDOWS\system\LVRT.DLL
C:\WINDOWS\system\MEHTMLER.DLL
C:\WINDOWS\system\MEHTMLER.DLL
C:\WINDOWS\system\MEHTMLER.DLL
C:\WINDOWS\system\MEHTMLER.DLL
C:\WINDOWS\system\meiaih.dll
C:\WINDOWS\system\meiaih.dll
C:\WINDOWS\system\meiaih.dll
C:\WINDOWS\system\meiaih.dll
C:\WINDOWS\system\MGEXCL40.DLL
C:\WINDOWS\system\MGEXCL40.DLL
C:\WINDOWS\system\MGEXCL40.DLL
C:\WINDOWS\system\MGEXCL40.DLL
C:\WINDOWS\system\MHREPL35.DLL
C:\WINDOWS\system\MHREPL35.DLL
C:\WINDOWS\system\MHREPL35.DLL
C:\WINDOWS\system\MHREPL35.DLL
C:\WINDOWS\system\MHVCRT10.DLL
C:\WINDOWS\system\MHVCRT10.DLL
C:\WINDOWS\system\MHVCRT10.DLL
C:\WINDOWS\system\MHVCRT10.DLL
C:\WINDOWS\system\MIEXCH40.DLL
C:\WINDOWS\system\MIEXCH40.DLL
C:\WINDOWS\system\MIEXCH40.DLL
C:\WINDOWS\system\MIEXCH40.DLL
C:\WINDOWS\system\miiosd32.dll
C:\WINDOWS\system\miiosd32.dll
C:\WINDOWS\system\miiosd32.dll
C:\WINDOWS\system\miiosd32.dll
C:\WINDOWS\system\mJpi32x.dll
C:\WINDOWS\system\mJpi32x.dll
C:\WINDOWS\system\mJpi32x.dll
C:\WINDOWS\system\mJpi32x.dll
C:\WINDOWS\system\MLRATING.DLL
C:\WINDOWS\system\MLRATING.DLL
C:\WINDOWS\system\MLRATING.DLL
C:\WINDOWS\system\MLRATING.DLL
C:\WINDOWS\system\MLVCRT10.DLL
C:\WINDOWS\system\MLVCRT10.DLL
C:\WINDOWS\system\MLVCRT10.DLL
C:\WINDOWS\system\MLVCRT10.DLL
C:\WINDOWS\system\MMC30.DLL
C:\WINDOWS\system\MMC30.DLL
C:\WINDOWS\system\MMC30.DLL
C:\WINDOWS\system\MMC30.DLL
C:\WINDOWS\system\MPJTER35.DLL
C:\WINDOWS\system\MPJTER35.DLL
C:\WINDOWS\system\MPJTER35.DLL
C:\WINDOWS\system\MPJTER35.DLL
C:\WINDOWS\system\MPTASK.DLL
C:\WINDOWS\system\MPTASK.DLL
C:\WINDOWS\system\MPTASK.DLL
C:\WINDOWS\system\MPTASK.DLL
C:\WINDOWS\system\mtikbdmx.dll
C:\WINDOWS\system\mtikbdmx.dll
C:\WINDOWS\system\mtikbdmx.dll
C:\WINDOWS\system\mtikbdmx.dll
C:\WINDOWS\system\MVRLE32.DLL
C:\WINDOWS\system\MVRLE32.DLL
C:\WINDOWS\system\MVRLE32.DLL
C:\WINDOWS\system\MVRLE32.DLL
C:\WINDOWS\system\MVVCRT40.DLL
C:\WINDOWS\system\MVVCRT40.DLL
C:\WINDOWS\system\MVVCRT40.DLL
C:\WINDOWS\system\MVVCRT40.DLL
C:\WINDOWS\system\MVWEBDVD.DLL
C:\WINDOWS\system\MVWEBDVD.DLL
C:\WINDOWS\system\MVWEBDVD.DLL
C:\WINDOWS\system\MVWEBDVD.DLL
C:\WINDOWS\system\MWI.DLL
C:\WINDOWS\system\MWI.DLL
C:\WINDOWS\system\MWI.DLL
C:\WINDOWS\system\MWI.DLL
C:\WINDOWS\system\MWRLE32.DLL
C:\WINDOWS\system\MWRLE32.DLL
C:\WINDOWS\system\MWRLE32.DLL
C:\WINDOWS\system\MWRLE32.DLL
C:\WINDOWS\system\MWVCRT20.DLL
C:\WINDOWS\system\MWVCRT20.DLL
C:\WINDOWS\system\MWVCRT20.DLL
C:\WINDOWS\system\MWVCRT20.DLL
C:\WINDOWS\system\MYJINT35.DLL
C:\WINDOWS\system\MYJINT35.DLL
C:\WINDOWS\system\MYJINT35.DLL
C:\WINDOWS\system\MYJINT35.DLL
C:\WINDOWS\system\MZVCRT20.DLL
C:\WINDOWS\system\MZVCRT20.DLL
C:\WINDOWS\system\MZVCRT20.DLL
C:\WINDOWS\system\MZVCRT20.DLL
C:\WINDOWS\system\NATOS.DLL
C:\WINDOWS\system\NATOS.DLL
C:\WINDOWS\system\NATOS.DLL
C:\WINDOWS\system\NATOS.DLL
C:\WINDOWS\system\NFSHELL.DLL
C:\WINDOWS\system\NFSHELL.DLL
C:\WINDOWS\system\NFSHELL.DLL
C:\WINDOWS\system\NFSHELL.DLL
C:\WINDOWS\system\NFWMSDRM.DLL
C:\WINDOWS\system\NFWMSDRM.DLL
C:\WINDOWS\system\NFWMSDRM.DLL
C:\WINDOWS\system\NFWMSDRM.DLL
C:\WINDOWS\system\NJARCH16.DLL
C:\WINDOWS\system\NJARCH16.DLL
C:\WINDOWS\system\NJARCH16.DLL
C:\WINDOWS\system\NJARCH16.DLL
C:\WINDOWS\system\NJWRSHU.DLL
C:\WINDOWS\system\NJWRSHU.DLL
C:\WINDOWS\system\NJWRSHU.DLL
C:\WINDOWS\system\NJWRSHU.DLL
C:\WINDOWS\system\NMSHELL.DLL
C:\WINDOWS\system\NMSHELL.DLL
C:\WINDOWS\system\NMSHELL.DLL
C:\WINDOWS\system\NMSHELL.DLL
C:\WINDOWS\system\NOWRSFI.DLL
C:\WINDOWS\system\NOWRSFI.DLL
C:\WINDOWS\system\NOWRSFI.DLL
C:\WINDOWS\system\NOWRSFI.DLL
C:\WINDOWS\system\NQRSDE.DLL
C:\WINDOWS\system\NQRSDE.DLL
C:\WINDOWS\system\NQRSDE.DLL
C:\WINDOWS\system\NQRSDE.DLL
C:\WINDOWS\system\NSWRSDA.DLL
C:\WINDOWS\system\NSWRSDA.DLL
C:\WINDOWS\system\NSWRSDA.DLL
C:\WINDOWS\system\NSWRSDA.DLL
C:\WINDOWS\system\NSWRSNL.DLL
C:\WINDOWS\system\NSWRSNL.DLL
C:\WINDOWS\system\NSWRSNL.DLL
C:\WINDOWS\system\NSWRSNL.DLL
C:\WINDOWS\system\NVONN16.DLL
C:\WINDOWS\system\NVONN16.DLL
C:\WINDOWS\system\NVONN16.DLL
C:\WINDOWS\system\NVONN16.DLL
C:\WINDOWS\system\NYRSENG.DLL
C:\WINDOWS\system\NYRSENG.DLL
C:\WINDOWS\system\NYRSENG.DLL
C:\WINDOWS\system\NYRSENG.DLL
C:\WINDOWS\system\OAEPRO32.DLL
C:\WINDOWS\system\OAEPRO32.DLL
C:\WINDOWS\system\OAEPRO32.DLL
C:\WINDOWS\system\OAEPRO32.DLL
C:\WINDOWS\system\OHGFS400.DLL
C:\WINDOWS\system\OHGFS400.DLL
C:\WINDOWS\system\OHGFS400.DLL
C:\WINDOWS\system\OHGFS400.DLL
C:\WINDOWS\system\OIEDLG.DLL
C:\WINDOWS\system\OIEDLG.DLL
C:\WINDOWS\system\OIEDLG.DLL
C:\WINDOWS\system\OIEDLG.DLL
C:\WINDOWS\system\OKE2DISP.DLL
C:\WINDOWS\system\OKE2DISP.DLL
C:\WINDOWS\system\OKE2DISP.DLL
C:\WINDOWS\system\OKE2DISP.DLL
C:\WINDOWS\system\OKTWA400.DLL
C:\WINDOWS\system\OKTWA400.DLL
C:\WINDOWS\system\OKTWA400.DLL
C:\WINDOWS\system\OKTWA400.DLL
C:\WINDOWS\system\OTMREG.DLL
C:\WINDOWS\system\OTMREG.DLL
C:\WINDOWS\system\OTMREG.DLL
C:\WINDOWS\system\OTMREG.DLL
C:\WINDOWS\system\OUETHK32.DLL
C:\WINDOWS\system\OUETHK32.DLL
C:\WINDOWS\system\OUETHK32.DLL
C:\WINDOWS\system\OUETHK32.DLL
C:\WINDOWS\system\OVTWA400.DLL
C:\WINDOWS\system\OVTWA400.DLL
C:\WINDOWS\system\OVTWA400.DLL
C:\WINDOWS\system\OVTWA400.DLL
C:\WINDOWS\system\pevcodec.dll
C:\WINDOWS\system\pevcodec.dll
C:\WINDOWS\system\pevcodec.dll
C:\WINDOWS\system\pevcodec.dll
C:\WINDOWS\system\PGvFilt.dll
C:\WINDOWS\system\PGvFilt.dll
C:\WINDOWS\system\PGvFilt.dll
C:\WINDOWS\system\PGvFilt.dll
C:\WINDOWS\system\plgfilt.dll
C:\WINDOWS\system\plgfilt.dll
C:\WINDOWS\system\plgfilt.dll
C:\WINDOWS\system\plgfilt.dll
C:\WINDOWS\system\PMUSTAB.DLL
C:\WINDOWS\system\PMUSTAB.DLL
C:\WINDOWS\system\PMUSTAB.DLL
C:\WINDOWS\system\PMUSTAB.DLL
C:\WINDOWS\system\PMWRPROF.DLL
C:\WINDOWS\system\PMWRPROF.DLL
C:\WINDOWS\system\PMWRPROF.DLL
C:\WINDOWS\system\PMWRPROF.DLL
C:\WINDOWS\system\ptwave.dll
C:\WINDOWS\system\ptwave.dll
C:\WINDOWS\system\ptwave.dll
C:\WINDOWS\system\ptwave.dll
C:\WINDOWS\system\pu.dll
C:\WINDOWS\system\pu.dll
C:\WINDOWS\system\pu.dll
C:\WINDOWS\system\pu.dll
C:\WINDOWS\system\PUlmDevC.dll
C:\WINDOWS\system\PUlmDevC.dll
C:\WINDOWS\system\PUlmDevC.dll
C:\WINDOWS\system\PUlmDevC.dll
C:\WINDOWS\system\pxbole32.dll
C:\WINDOWS\system\pxbole32.dll
C:\WINDOWS\system\pxbole32.dll
C:\WINDOWS\system\pxbole32.dll
C:\WINDOWS\system\QHDIT.DLL
C:\WINDOWS\system\QHDIT.DLL
C:\WINDOWS\system\QHDIT.DLL
C:\WINDOWS\system\QHDIT.DLL
C:\WINDOWS\system\QNVD.DLL
C:\WINDOWS\system\QNVD.DLL
C:\WINDOWS\system\QNVD.DLL
C:\WINDOWS\system\QNVD.DLL
C:\WINDOWS\system\QVVD.DLL
C:\WINDOWS\system\QVVD.DLL
C:\WINDOWS\system\QVVD.DLL
C:\WINDOWS\system\QVVD.DLL
C:\WINDOWS\system\RHATHUNK.DLL
C:\WINDOWS\system\RHATHUNK.DLL
C:\WINDOWS\system\RHATHUNK.DLL
C:\WINDOWS\system\RHATHUNK.DLL
C:\WINDOWS\system\RNCNS4.DLL
C:\WINDOWS\system\RNCNS4.DLL
C:\WINDOWS\system\RNCNS4.DLL
C:\WINDOWS\system\RNCNS4.DLL
C:\WINDOWS\system\RSAUI.DLL
C:\WINDOWS\system\RSAUI.DLL
C:\WINDOWS\system\RSAUI.DLL
C:\WINDOWS\system\RSAUI.DLL
C:\WINDOWS\system\RXAUI.DLL
C:\WINDOWS\system\RXAUI.DLL
C:\WINDOWS\system\RXAUI.DLL
C:\WINDOWS\system\RXAUI.DLL
C:\WINDOWS\system\RYCLTSPX.DLL
C:\WINDOWS\system\RYCLTSPX.DLL
C:\WINDOWS\system\RYCLTSPX.DLL
C:\WINDOWS\system\RYCLTSPX.DLL
C:\WINDOWS\system\SFMSETUP.DLL
C:\WINDOWS\system\SFMSETUP.DLL
C:\WINDOWS\system\SFMSETUP.DLL
C:\WINDOWS\system\SFMSETUP.DLL
C:\WINDOWS\system\SHCUR32.DLL
C:\WINDOWS\system\SHCUR32.DLL
C:\WINDOWS\system\SHCUR32.DLL
C:\WINDOWS\system\SHCUR32.DLL
C:\WINDOWS\system\SJI.DLL
C:\WINDOWS\system\SJI.DLL
C:\WINDOWS\system\SJI.DLL
C:\WINDOWS\system\SJI.DLL
C:\WINDOWS\system\SPWIUDLL.DLL
C:\WINDOWS\system\SPWIUDLL.DLL
C:\WINDOWS\system\SPWIUDLL.DLL
C:\WINDOWS\system\SPWIUDLL.DLL
C:\WINDOWS\system\STWIUDLL.DLL
C:\WINDOWS\system\STWIUDLL.DLL
C:\WINDOWS\system\STWIUDLL.DLL
C:\WINDOWS\system\STWIUDLL.DLL
C:\WINDOWS\system\SWVRTGUI.DLL
C:\WINDOWS\system\SWVRTGUI.DLL
C:\WINDOWS\system\SWVRTGUI.DLL
C:\WINDOWS\system\SWVRTGUI.DLL
C:\WINDOWS\system\SXEM0409.DLL
C:\WINDOWS\system\SXEM0409.DLL
C:\WINDOWS\system\SXEM0409.DLL
C:\WINDOWS\system\SXEM0409.DLL
C:\WINDOWS\system\sypdate.dll
C:\WINDOWS\system\sypdate.dll
C:\WINDOWS\system\sypdate.dll
C:\WINDOWS\system\sypdate.dll
C:\WINDOWS\system\TDbHook.dll
C:\WINDOWS\system\TDbHook.dll
C:\WINDOWS\system\TDbHook.dll
C:\WINDOWS\system\TDbHook.dll
C:\WINDOWS\system\usidrv.dll
C:\WINDOWS\system\usidrv.dll
C:\WINDOWS\system\usidrv.dll
C:\WINDOWS\system\usidrv.dll
C:\WINDOWS\system\USMCLN32.DLL
C:\WINDOWS\system\USMCLN32.DLL
C:\WINDOWS\system\USMCLN32.DLL
C:\WINDOWS\system\USMCLN32.DLL
C:\WINDOWS\system\VKRUN300.DLL
C:\WINDOWS\system\VKRUN300.DLL
C:\WINDOWS\system\VKRUN300.DLL
C:\WINDOWS\system\VKRUN300.DLL
C:\WINDOWS\system\VRPODBC.DLL
C:\WINDOWS\system\VRPODBC.DLL
C:\WINDOWS\system\VRPODBC.DLL
C:\WINDOWS\system\VRPODBC.DLL
C:\WINDOWS\system\VT40032.DLL
C:\WINDOWS\system\VT40032.DLL
C:\WINDOWS\system\VT40032.DLL
C:\WINDOWS\system\VT40032.DLL
C:\WINDOWS\system\VXB32.DLL
C:\WINDOWS\system\VXB32.DLL
C:\WINDOWS\system\VXB32.DLL
C:\WINDOWS\system\VXB32.DLL
C:\WINDOWS\system\vzdx16.dll
C:\WINDOWS\system\vzdx16.dll
C:\WINDOWS\system\vzdx16.dll
C:\WINDOWS\system\vzdx16.dll
C:\WINDOWS\system\WANMM.DLL
C:\WINDOWS\system\WANMM.DLL
C:\WINDOWS\system\WANMM.DLL
C:\WINDOWS\system\WANMM.DLL
C:\WINDOWS\system\WEICORE.DLL
C:\WINDOWS\system\WEICORE.DLL
C:\WINDOWS\system\WEICORE.DLL
C:\WINDOWS\system\WEICORE.DLL
C:\WINDOWS\system\wfp.dll
C:\WINDOWS\system\wfp.dll
C:\WINDOWS\system\wfp.dll
C:\WINDOWS\system\wfp.dll
C:\WINDOWS\system\WGNNET16.DLL
C:\WINDOWS\system\WGNNET16.DLL
C:\WINDOWS\system\WGNNET16.DLL
C:\WINDOWS\system\WGNNET16.DLL
C:\WINDOWS\system\wrpui.dll
C:\WINDOWS\system\wrpui.dll
C:\WINDOWS\system\wrpui.dll
C:\WINDOWS\system\wrpui.dll
C:\WINDOWS\system\WSV8DMOE.DLL
C:\WINDOWS\system\WSV8DMOE.DLL
C:\WINDOWS\system\WSV8DMOE.DLL
C:\WINDOWS\system\WSV8DMOE.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{626BBEFF-9C13-4360-8FD4-412131AD6477}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\USIDRV.DLL"
[HKEY_CLASSES_ROOT\CLSID\{626BBEFF-9C13-4360-8FD4-412131AD6477}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\USIDRV.DLL"
[HKEY_CLASSES_ROOT\CLSID\{626BBEFF-9C13-4360-8FD4-412131AD6477}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\USIDRV.DLL"
[HKEY_CLASSES_ROOT\CLSID\{626BBEFF-9C13-4360-8FD4-412131AD6477}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\USIDRV.DLL"


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

#10 FiktionWeLiv

FiktionWeLiv
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:16 PM

Posted 26 August 2005 - 11:04 PM

Here's the new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:40:17 PM, on 8/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSVEG2.EXE
C:\WINDOWS\SYSTEM\MSVEG2.EXE
C:\PROGRAM FILES\OPERA\OPERA.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\SYSTEM\WINNB57.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\SYSTEM\WINNB57.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [newexp] C:\WINDOWS\SYSTEM\newexp
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKCU\..\Run: [MSVEG2] C:\WINDOWS\SYSTEM\MSVEG2.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000117.exe
O4 - HKCU\..\RunOnce: [MSVEG2] C:\WINDOWS\SYSTEM\MSVEG2.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

#11 FiktionWeLiv

FiktionWeLiv
  • Topic Starter

  • Members
  • 7 posts

Posted 26 August 2005 - 11:07 PM

and the winPfind.txt file


WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 6/1/2004 6:54:48 PM 34304 C:\htloader.exe
69.59.186.63 8/12/2005 4:47:34 PM 204800 C:\installer.exe
209.66.67.134 8/12/2005 4:47:34 PM 204800 C:\installer.exe
66.63.167.97 8/12/2005 4:47:34 PM 204800 C:\installer.exe
66.63.167.77 8/12/2005 4:47:34 PM 204800 C:\installer.exe
web-nex 8/12/2005 4:47:34 PM 204800 C:\installer.exe
winsync 8/12/2005 4:47:34 PM 204800 C:\installer.exe
rec2_run 8/12/2005 4:47:34 PM 204800 C:\installer.exe
UPX! 8/6/2005 6:45:16 PM 25105 C:\MTE2NzY6ODoxNg.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PTech 8/26/2005 10:40:24 PM RH 2318368 C:\WINDOWS\USER.DAT
winsync 8/26/2005 10:39:44 PM RH 3592224 C:\WINDOWS\SYSTEM.DAT
PECompact2 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\VPTNFILE.795
qoologic 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\VPTNFILE.795
SAHAgent 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\VPTNFILE.795
PECompact2 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\lpt$vpn.795
qoologic 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\lpt$vpn.795
SAHAgent 8/22/2005 2:00:54 PM 15656561 C:\WINDOWS\lpt$vpn.795
UPX! 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X
FSG! 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X
aspack 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X
PTech 4/13/2005 11:06:28 PM HS 167092224 C:\WINDOWS\VMMHIBER.W9X
UPX! 8/26/2005 6:40:58 PM 82432 C:\WINDOWS\MTE2ODI6ODoxNg.exe

Items found in C:\WINDOWS\hosts

UPX! 7/28/2005 5:40:02 PM 17408 C:\WINDOWS\icont.exe
69.59.186.63 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
209.66.67.134 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
web-nex 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
winsync 8/14/2005 11:29:02 AM 46080 C:\WINDOWS\ffsfsds.dll
web-nex 8/6/2005 3:03:50 PM 4018 C:\WINDOWS\mrjrj.dll
69.59.186.63 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
209.66.67.134 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
web-nex 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
winsync 8/14/2005 11:29:02 AM 10240 C:\WINDOWS\erjrj.dll
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 8/10/2005 4:38:34 PM 189859 C:\WINDOWS\dsr.exe
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 8/22/2001 7:00:00 PM 86030 C:\WINDOWS\SYSTEM\msdjgk.dll
UPX! 8/22/2001 7:00:00 PM 170496 C:\WINDOWS\SYSTEM\msiaih.dll
UPX! 3/31/2004 5:55:24 PM 172544 C:\WINDOWS\SYSTEM\npkcsvc.exe
PEC2 10/26/2004 4:38:24 PM 716800 C:\WINDOWS\SYSTEM\DivX.dll
PECompact2 10/26/2004 4:38:24 PM 716800 C:\WINDOWS\SYSTEM\DivX.dll
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM\LegitCheckControl.DLL
SAHAgent 5/13/2005 7:02:46 PM 35 C:\WINDOWS\SYSTEM\70tovmto.ini
UPX! 7/9/2005 4:03:06 AM 433152 C:\WINDOWS\SYSTEM\aswBoot.exe
UPX! 8/6/2005 1:17:48 AM 67072 C:\WINDOWS\SYSTEM\dpsl08.exe
UPX! 8/18/2005 11:37:24 AM 68096 C:\WINDOWS\SYSTEM\stifxe.exe
UPX! 8/18/2005 11:43:24 AM 68096 C:\WINDOWS\SYSTEM\mf3pms.exe
UPX! 8/18/2005 5:03:08 PM 68096 C:\WINDOWS\SYSTEM\msimdb.exe

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/26/2005 10:41:32 PM RH 2318368 C:\WINDOWS\USER.DAT
8/26/2005 10:51:38 PM RH 3592224 C:\WINDOWS\SYSTEM.DAT
8/26/2005 10:39:44 PM RH 8552480 C:\WINDOWS\CLASSES.DAT
8/26/2005 5:06:38 PM H 17503 C:\WINDOWS\ttfCache
8/26/2005 6:48:04 PM H 54156 C:\WINDOWS\QTFont.qfn
8/26/2005 4:45:56 PM H 19450 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
8/22/2005 8:33:14 PM H 6 C:\WINDOWS\TASKS\SA.DAT
8/22/2005 10:52:58 PM HS 67 C:\WINDOWS\Temporary Internet Files\desktop.ini
8/26/2005 5:46:32 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
8/26/2005 5:47:08 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\0HMNK9I5\desktop.ini
8/26/2005 5:47:08 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\CNCDEDWN\desktop.ini
8/26/2005 5:47:10 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\OPERGTUJ\desktop.ini
8/26/2005 5:47:10 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\1NUP5LD2\desktop.ini
8/26/2005 10:38:24 PM HS 2368 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
8/22/2005 10:51:16 PM HS 118 C:\WINDOWS\Recent\Desktop.ini

Checking for CPL files...
Microsoft Corporation 6/8/2000 5:00:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
NVIDIA Corporation 3/3/2004 10:29:00 AM 73728 C:\WINDOWS\SYSTEM\NVTUICPL.CPL
Microsoft Corporation 8/29/2002 7:07:38 AM 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 62464 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 111616 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 104368 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 389872 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\THEMES.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15152 C:\WINDOWS\SYSTEM\WUAUCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM\QuickTime.cpl
Intel Corporation 6/27/2000 3:16:10 PM 84480 C:\WINDOWS\SYSTEM\igfxcpl.cpl
Adobe Systems, Inc. 8/24/2000 3:46:38 PM 266240 C:\WINDOWS\SYSTEM\Adobe Gamma.cpl
Microsoft Corporation 2/19/2001 7:07:36 PM 108032 C:\WINDOWS\SYSTEM\INPUT98.CPL
Sun Microsystems 8/5/2003 9:02:56 AM 45175 C:\WINDOWS\SYSTEM\plugincpl131_09.cpl
Microsoft Corporation 10/30/2001 8:10:00 AM 442368 C:\WINDOWS\SYSTEM\JOY.CPL
Wacom Technology, Corp. 12/4/2003 4:02:48 PM 942080 C:\WINDOWS\SYSTEM\Wacom.cpl
NVIDIA Corporation 3/3/2004 10:29:00 AM 73728 C:\WINDOWS\SYSTEM\REINSTALLBACKUPS\PCI#VEN_10DE&DEV_0172&SUBSYS_00351545\nvtuicpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/3/2005 2:26:26 PM 576 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk

Checking files in %USERPROFILE%\Application Data folder...
7/30/2004 8:55:54 PM 0 C:\WINDOWS\Application Data\dm.ini
8/26/2005 12:42:14 AM 16466 C:\WINDOWS\Application Data\dw.log
6/28/2004 3:30:06 PM 75 C:\WINDOWS\Application Data\fusioncache.dat
8/23/2005 7:31:36 PM 43920 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
7/26/2005 6:09:32 PM 30 C:\WINDOWS\Application Data\Sskcwrd.dll
7/26/2005 1:23:10 PM 406730 C:\WINDOWS\Application Data\Sskknwrd.dll
7/26/2005 6:09:32 PM 39 C:\WINDOWS\Application Data\Sskuknwrd.dll

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
Related Page = C:\WINDOWS\SYSTEM\WINNB57.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
CControl Object = C:\Program Files\E2G\IeBHOs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} = Related Page : C:\WINDOWS\SYSTEM\WINNB57.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRAM FILES\AIM\AIM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} = Related Page : C:\WINDOWS\SYSTEM\WINNB57.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
snss Launcher "C:\Program Files\snss\snss.exe"
newexp C:\WINDOWS\SYSTEM\newexp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SSDPSRV C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr C:\WINDOWS\System\Restore\StateMgr.exe
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
Tablet C:\WINDOWS\SYSTEM\Tablet.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSVEG2 C:\WINDOWS\SYSTEM\MSVEG2.exe
services32 C:\Program Files\Common Files\Windows\mc-58-12-0000117.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
MSVEG2 C:\WINDOWS\SYSTEM\MSVEG2.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
LinkResolveIgnoreLinkInfo 0
NoCDBurning 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
MSVEG2 C:\WINDOWS\SYSTEM\MSVEG2.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook {BCBCD383-3E06-11D3-91A9-00C04F68105C} = C:\WINDOWS\SYSTEM\AUHOOK.DLL


Scan Complete
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/26/2005 10:54:11 PM

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 27 August 2005 - 02:54 PM

Hi FiktionWeLiv. Ok, the L2m fix took out a lot of that garbage. Now let's clean up the rest. Please print these directions and then proceed with the following steps in order.

Step #1

Download the Pocket Killbox and unzip the contents of KillBox.zip to your desktop.

Download CCleaner and install it but do not run it yet.

Step #2
  • Open Notepad and copy/paste the text in the quotebox below into the new document. Save the document to your desktop as fixreg.reg and close Notepad.

REGEDIT4

[-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]
[-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MSVEG2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AUHook"=-


Step #3
  • Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\htloader.exe
      C:\installer.exe
      C:\MTE2NzY6ODoxNg.exe
      C:\WINDOWS\MTE2ODI6ODoxNg.exe
      C:\WINDOWS\ffsfsds.dll
      C:\WINDOWS\mrjrj.dll
      C:\WINDOWS\erjrj.dll
      C:\WINDOWS\SYSTEM\msdjgk.dll
      C:\WINDOWS\SYSTEM\msiaih.dll
      C:\WINDOWS\SYSTEM\70tovmto.ini
      C:\WINDOWS\SYSTEM\dpsl08.exe
      C:\WINDOWS\SYSTEM\stifxe.exe
      C:\WINDOWS\SYSTEM\stifxe.exe
      C:\WINDOWS\SYSTEM\mf3pms.exe
      C:\WINDOWS\SYSTEM\msimdb.exe
      C:\WINDOWS\Application Data\Sskcwrd.dll
      C:\WINDOWS\Application Data\Sskknwrd.dll
      C:\WINDOWS\Application Data\Sskuknwrd.dll
      C:\WINDOWS\SYSTEM\WINNB57.DLL
      C:\Program Files\E2G\IeBHOs.dll
      C:\Program Files\snss\snss.exe
      C:\WINDOWS\SYSTEM\newexp.exe
      C:\WINDOWS\SYSTEM\newexp.com
      C:\WINDOWS\SYSTEM\MSVEG2.exe
      C:\Program Files\Common Files\Windows\mc-58-12-0000117.exe
      C:\WINDOWS\SYSTEM\AUHOOK.DLL
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Step #4
  • After the system reboots, start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
    • O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\SYSTEM\WINNB57.DLL
      O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
      O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\SYSTEM\WINNB57.DLL
      O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
      O4 - HKLM\..\Run: [newexp] C:\WINDOWS\SYSTEM\newexp
      O4 - HKCU\..\Run: [MSVEG2] C:\WINDOWS\SYSTEM\MSVEG2.exe
      O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000117.exe
      O4 - HKCU\..\RunOnce: [MSVEG2] C:\WINDOWS\SYSTEM\MSVEG2.exe
      O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
      O15 - Trusted IP range: 64.127.104.144
      O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
  • Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
  • Find the following files/folders and delete them (don't worry if they are already gone):
    • C:\Program Files\snss\ <--folder
Step #5

Locate the fixreg.reg file on your desktop and right-click on it. Choose Merge from the popup menu and answer Yes or Ok to any further prompts. You should get a message that the file was merged successfully.

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
  • Bitdefender <<<Add a check by 'Autoclean'.
  • RAV <<<Add a check by 'Autoclean', leave everything else as is.
  • eTrust <<<'Cure' whatever is found, then delete if unsuccessful
  • Housecall <<<Put on 'Autoclean' and delete what it can't clean.
  • Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

Use the Add Reply button to post a new HijackThis log along with a new WinPFind log.

I will review the new information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
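As an added example (not part of this thread, and not code from WinPFind or HijackThis), a small Python triage helper for the two log formats posted above: it groups WinPFind's one-line-per-signature hits per file, ranks them with a few labelled heuristics, and cross-checks the HijackThis O4 autostart targets against them. The line layouts are assumed from the logs as shown; the `[example]` O4 line in the sample input is constructed.

```python
"""Triage helper for the two log formats in this thread (added example, not
part of the thread, of WinPFind or of HijackThis). WinPFind prints one line
per signature hit (a packer name such as UPX!, or a string such as a hard-coded
IP address), so one file can appear many times. This groups the hits per file,
ranks them with a few labelled heuristics and cross-checks the HijackThis O4
autostart targets against them. Scores order the work, they are not verdicts:
the log's own warning that not every hit is bad still applies (USER.DAT, for
one, is the Windows ME registry hive)."""
import re

# WinPFind hit line (layout assumed from the log above):
#   <signature> <m/d/yyyy> <h:mm:ss AM|PM> [RHSA attributes] <size> <path>
WINPFIND_RE = re.compile(
    r"^(?P<sig>\S+)\s+\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2} [AP]M\s+"
    r"(?:(?P<attrs>[RHSA]+)\s+)?(?P<size>\d+)\s+(?P<path>[A-Za-z]:\\.+)$")
# HijackThis autostart line:  O4 - HKLM\..\Run: [name] "path" args
HJT_O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_winpfind(text):
    """Group hits per path -> {sigs, size, attrs}. Section headers, blanks and the
    signature-less 'hidden files' lines do not match the pattern and are skipped."""
    files = {}
    for line in text.splitlines():
        m = WINPFIND_RE.match(line.strip())
        if m:
            rec = files.setdefault(m["path"], {"sigs": set(), "size": int(m["size"]),
                                                "attrs": m["attrs"] or ""})
            rec["sigs"].add(m["sig"])
    return files

def parse_hjt_autostarts(text):
    """Return {entry name: target path} from O4 lines. A quoted target is cut at its
    closing quote; an unquoted one is taken whole (these entries carry no arguments)."""
    out = {}
    for line in text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if m:
            cmd = m["cmd"].strip()
            out[m["name"]] = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd
    return out

def triage(files):
    """Rank grouped hits as [(score, path, [sigs])], highest first."""
    rows = []
    for path, rec in files.items():
        score = len(rec["sigs"])                   # several distinct signatures in one file
        if any(IP_RE.match(s) for s in rec["sigs"]):
            score += 3                             # embedded IP-address strings: look here first
        if path.count("\\") == 1:
            score += 1                             # dropped straight into the drive root
        if rec["attrs"]:
            score -= 1                             # R/H/S attributes: often OS data files
        rows.append((score, path, sorted(rec["sigs"])))
    return sorted(rows, reverse=True)

def packed_autostarts(files, autostarts):
    """Autostart entries whose target also has a WinPFind hit (case-insensitive)."""
    flagged = {p.lower() for p in files}
    return {n: p for n, p in autostarts.items() if p.lower() in flagged}

# Sample input: lines copied from the WinPFind log above ...
WINPFIND_SAMPLE = r"""Checking %SystemDrive% folder...
UPX! 6/1/2004 6:54:48 PM 34304 C:\htloader.exe
69.59.186.63 8/12/2005 4:47:34 PM 204800 C:\installer.exe
winsync 8/12/2005 4:47:34 PM 204800 C:\installer.exe
PTech 8/26/2005 10:40:24 PM RH 2318368 C:\WINDOWS\USER.DAT
UPX! 8/18/2005 11:37:24 AM 68096 C:\WINDOWS\SYSTEM\stifxe.exe
8/26/2005 10:41:32 PM RH 2318368 C:\WINDOWS\USER.DAT
"""
# ... and O4 lines from Step #4 above, plus a constructed [example] line (not in
# the thread) so that the cross-check has something to report.
HJT_SAMPLE = r"""O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [newexp] C:\WINDOWS\SYSTEM\newexp
O4 - HKLM\..\Run: [example] C:\WINDOWS\SYSTEM\stifxe.exe
"""
```

On the thread's full logs the cross-check comes back empty: the autostart targets the expert fixes (snss.exe, MSVEG2.exe, mc-58-12-0000117.exe) carry no WinPFind hit, which is why both logs were needed.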
