
Ibm00001.exe Problems


This topic is locked. 18 replies to this topic.

#1 Glunn11 (Members, 262 posts, Idaho)

Posted 07 October 2006 - 04:26 PM

Hi. I ran HijackThis and got a log. I need help in removal of ibm00001.exe and its evil symptoms.
Logfile of HijackThis v1.99.1
Scan saved at 3:19:15 PM, on 10/7/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\TWAIN_32\FB7\SCANER32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dr-search4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=10001
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {6D8EA9B0-C306-B3D7-A614-090D11E71139} - C:\WINDOWS\SYSTEM\FWOSUUH.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C] C:\WINDOWS\TEMP\C.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\TSA\tsl.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\Run: [MSXMIDI.EXE] C:\WINDOWS\MSXMIDI.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [zbpzrme.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\zbpzrme.dll,yrpjate
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Tsa2] C:\PROGRAM FILES\COMMON FILES\TSA\TSM2.EXE
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\SYSTEM\taskdir.exe
O4 - Startup: ImageReader Ultra Scanner Utilities.lnk = C:\WINDOWS\TWAIN_32\fb7\SCANER32.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: &RSDN Search - res://C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL/GoVM.dll.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0403F33E-59A9-4DEC-AB0F-2C206E187A89} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0403F33E-59A9-4DEC-AB0F-2C206E187A89} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.27.1/ttinst.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.sde.state.id.us/download/CfxIEAx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O21 - SSODL: XIuPzpNUzI - {051618EB-AFBC-B241-F504-46C64C210F47} - C:\WINDOWS\SYSTEM\hdn.dll (file missing)

HELP!

#2 Mr_JAk3 (HJT Team Member, 527 posts, Finland)

Posted 08 October 2006 - 08:22 AM

Hi Glunn11 and welcome to Bleeping Computer :thumbsup:
You're really badly infected.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
UNITE & ASAP member since 2006

#3 Glunn11 (Topic Starter)

Posted 08 October 2006 - 09:59 AM

Well my dad says he'd rather try to clean the dang thing out.

We did a few things and managed to supposedly get rid of a lot of files. Don't know if it helped at all. Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:17 AM, on 10/8/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TWAIN_32\FB7\SCANER32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDASH.EXE
C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCMNHDLR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dr-search4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {6D8EA9B0-C306-B3D7-A614-090D11E71139} - C:\WINDOWS\SYSTEM\FWOSUUH.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [C] C:\WINDOWS\TEMP\C.EXE
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [MSXMIDI.EXE] C:\WINDOWS\MSXMIDI.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [zbpzrme.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\zbpzrme.dll,yrpjate
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\SYSTEM\taskdir.exe
O4 - Startup: ImageReader Ultra Scanner Utilities.lnk = C:\WINDOWS\TWAIN_32\fb7\SCANER32.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0403F33E-59A9-4DEC-AB0F-2C206E187A89} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0403F33E-59A9-4DEC-AB0F-2C206E187A89} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.27.1/ttinst.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.sde.state.id.us/download/CfxIEAx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: XIuPzpNUzI - {051618EB-AFBC-B241-F504-46C64C210F47} - C:\WINDOWS\SYSTEM\hdn.dll (file missing)

Also, we bought a McAfee Security Suite and we were wondering if McAfee Wireless Network Firewall works on a non-wireless DSL network.

Edited by Glunn11, 08 October 2006 - 11:19 AM.


#4 Mr_JAk3 (HJT Team Member)

Posted 08 October 2006 - 12:41 PM

I'll respect your decision to continue :thumbsup:

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with the Uninstall Manager screen (screenshot omitted).

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

#5 Glunn11 (Topic Starter)

Posted 08 October 2006 - 03:24 PM

Alright let's get this thing started :thumbsup:
Here's the uninstall list you requested:
1602 A.D.
Absolute Poker
Active Alert
Adaptec DirectCD
Adaptec Easy CD Creator 4
Adaptec UDF Reader
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Flash Player 9 ActiveX
BackWeb
BJ Printer Driver
CardPlayer Poker
Corel WordPerfect Suite 8
EclipseCrossword
eHelp
HijackThis 1.99.1
HP_WildTangent_Games
J2SE Runtime Environment 5.0 Update 4
McAfee Clinic Html Dialog Object
McAfee SecurityCenter
McAfee VirusScan
MGI PhotoSuite III SE (Remove Only)
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Money 2001
Microsoft Outlook Express 6
Microsoft Works 6.0
Microsoft Works and Money 2001 Setup Launcher
MSN Messenger 7.0
MSXML4 Parser
MusicMatch Jukebox
One-touch Multimedia Keyboard
Panda ActiveScan
PrintMaster Gold 2.10
QuickLink III
Qwest QuickCare
RealPlayer Basic
Shockwave
Smart Link 56K Voice Modem
Spybot - Search & Destroy 1.2
Trellix Web
UltimateBet
UltimateBuddy
Windows Messaging Update 1
Yahoo! Toolbar

Thanks for being so helpful :flowers:

#6 Mr_JAk3 (HJT Team Member)

Posted 09 October 2006 - 11:56 AM

Hi again, we'll begin the cleaning.

Sorry for the delay, I had a really busy day....

You should print these instructions or save these to a text file. Follow these instructions carefully.

Make your hidden files visible, instructions here

Please download MWav:
  • Unzip it to its predetermined directory (C:\Kaspersky)
  • Locate kavupd.exe in the new folder and double-click to Update.
  • If your firewall gives any messages about this program accessing the internet, allow it.
  • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
  • When you see Updates Downloaded Successfully, hit Enter to continue.
Do not use yet.

Please download FixAbwiz.exe to your desktop.
Do not use yet.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download CollectorA Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==================

Open Control Panel -> Add/Remove programs -> Remove all of the following programs if found:

Active Alert
UltimateBet
UltimateBuddy

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dr-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6D8EA9B0-C306-B3D7-A614-090D11E71139} - C:\WINDOWS\SYSTEM\FWOSUUH.DLL (file missing)
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [C] C:\WINDOWS\TEMP\C.EXE
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [MSXMIDI.EXE] C:\WINDOWS\MSXMIDI.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [zbpzrme.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\zbpzrme.dll,yrpjate
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\SYSTEM\taskdir.exe
O9 - Extra button: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0403F33E-59A9-4DEC-AB0F-2C206E187A89} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0403F33E-59A9-4DEC-AB0F-2C206E187A89} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E363FC9-7A5E-4583-B181-4D1A06D3FDF3} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O21 - SSODL: XIuPzpNUzI - {051618EB-AFBC-B241-F504-46C64C210F47} - C:\WINDOWS\SYSTEM\hdn.dll (file missing)


Restart your computer to the safe mode:
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
3. When you have the menu on the screen. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode

Run the FixAbwiz.exe file. Follow the prompts. When it is ready, it will produce a logfile, save this logfile to your desktop.

Go to the My Computer and delete the following folders (if present):
C:\PROGRAM FILES\Active Alert
C:\PROGRAM FILES\UltimateBet
C:\PROGRAM FILES\UltimateBuddy
C:\PROGRAM FILES\SECURITY IGUARD

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\SYSUPD.EXE
C:\WINDOWS\winh.exe
C:\WINDOWS\TEMP\C.EXE
c:\temp\salm.exe
C:\WINDOWS\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\icsdclt.dll
C:\WINDOWS\SYSTEM\zbpzrme.dll
C:\Windows\xpupdate.exe
C:\WINDOWS\SYSTEM\WLDR.DLL
C:\WINDOWS\SYSTEM\hdn.dll

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select collectora.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
=============

Then run a scan with Mwav
  • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
Now lets do the settings:
  • Leave the Default Settings checked.
  • Add a check to Drives
  • This will light up All Drives
  • Add a check to Scan all Files
  • Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
  • Please be sure it has finished before proceeding.
  • Once the scan has finished, all entries identified as Infected, will be displayed in the lower panel.
  • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
  • Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g. MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis log and the FixAbwiz.exe log.

Edited by Mr_JAk3, 09 October 2006 - 11:57 AM.

UNITE & ASAP member since 2006

#7 Glunn11

Glunn11
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Idaho
  • Local time:07:27 PM

Posted 09 October 2006 - 04:28 PM

Alright, I finally got through all of those steps. Your life must be pretty hectic, I'm sure.

First things first: after booting up this computer in Safe Mode, and anytime I boot up this computer from now on, I get a new error message in addition to the ibm00001 one. It goes like this:

A required .DLL file, msvcp60.dll, was not found.

I don't know if that is a cause for concern or not, but I thought it would be best if I mentioned it. I just looked up the file in the Files Database, and I read that it is used for Microsoft C++.

Anyways, everything went smoothly.

Here's the mwav log

File C:\WINDOWS\1793630691.exe tagged as not-a-virus:AdWare.Win32.EliteBar.z. No Action Taken.
File C:\WINDOWS\TEMP\h91746.exe infected by "Trojan-Downloader.Win32.Agent.avm" Virus. Action Taken: File Deleted.
File C:\WINDOWS\1793630691.exe tagged as not-a-virus:AdWare.Win32.EliteBar.z. No Action Taken.
File C:\_RESTORE\ARCHIVE\FS2057.CAB infected by "Trojan-Downloader.Win32.Small.cwj" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\ARCHIVE\FS2061.CAB infected by "Trojan-Downloader.Win32.Small.cxx" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\ARCHIVE\FS2065.CAB infected by "Trojan-Clicker.Win32.Agent.dj" Virus. Action Taken: File to be deleted on reboot.
File C:\temp\package8029_CDT3.exe tagged as not-a-virus:AdWare.Win32.BargainBuddy.l. No Action Taken.


This is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:15:42 PM, on 10/9/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TWAIN_32\FB7\SCANER32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: ImageReader Ultra Scanner Utilities.lnk = C:\WINDOWS\TWAIN_32\fb7\SCANER32.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.27.1/ttinst.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.sde.state.id.us/download/CfxIEAx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab


And last but not least, the very short and sweet FixAbwiz.exe log

Symantec Trojan.Abwiz.F Removal Tool 1.0.0

Trojan.Abwiz.F has not been found on your computer.


Again, thanks for your time! You've been excellent help. :thumbsup:

Edited by Glunn11, 09 October 2006 - 07:46 PM.


#8 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:03:27 AM

Posted 10 October 2006 - 05:49 AM

Hi again :thumbsup:

Looks much better....

Delete the following files if found:
C:\WINDOWS\1793630691.exe
C:\WINDOWS\1793630691.exe
C:\temp\package8029_CDT3.exe

Fix this entry with HijackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Download DelDomains.inf to your desktop.
Locate the file DelDomains.inf right-click and select: Install

Please download WinPFind2.
  • Extract the files to a folder (e.g. C:\WinPFind2).
  • Double click WinPFind2.exe to start the program.
  • Click the Select All button in the File Options box of the Configuration tab (this is the tab the program opens up to by default).
  • Click the Run all Scans button.
  • When it's finished scanning you will see Scans Complete! at the bottom left of the program.
  • Click the Export to Text button.
  • Notepad will open with the results of the scan and the log will be saved to the folder that you extracted the program to (C:\WinPFind2\WinPFind2.txt)
  • Post the log in your next reply please. You may need to split the log over a couple posts so that it doesn't get cut off. If so please use the [Start Post #1] and [Start Post #2] delimiters in the log to split the log up.
Post a fresh HijackThis log too :flowers:
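The entries the helper singles out in this thread (an R0 value with nothing after the "=", the O15 Trusted Zone lines, the O21 SSODL entry whose DLL is missing) can be picked out of a HijackThis v1.99.1 log mechanically. The script below is an added example, not part of the thread or of HijackThis; its sample log is a constructed excerpt of lines of the kind posted above (the O4 line pointing into TEMP is constructed), and the flagging rules are illustrative heuristics, not an official HijackThis rule set.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: a few HijackThis v1.99.1 entry lines in the shape
# posted in this thread. The O4 line that runs C.EXE from TEMP is constructed
# to exercise that rule; the other lines mirror entries shown in the logs.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [C] C:\WINDOWS\TEMP\C.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O21 - SSODL: XIuPzpNUzI - {051618EB-AFBC-B241-F504-46C64C210F47} - C:\WINDOWS\SYSTEM\hdn.dll (file missing)
"""

# Every HijackThis entry line starts with a section tag (R0, R1, O2, O4, ...),
# then " - ", then the entry body. Header lines and the "Running processes"
# paths do not match and are skipped by the parser.
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    body: str
    reason: str


def parse_hjt_lines(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each entry line in a HijackThis log."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage_hjt_log(log_text: str) -> List[Finding]:
    """Apply the illustrative review rules (hypothetical, not HijackThis's own)."""
    findings: List[Finding] = []
    for section, body in parse_hjt_lines(log_text):
        # R0/R1: a value printed as "Name =" with nothing after the "=" is the
        # shape of the CustomizeSearch entry the helper asks to fix above.
        if section in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append(Finding(section, body, "empty value"))
        # O15: any Trusted Zone entry gets reviewed; the thread clears them
        # with DelDomains.inf rather than one by one.
        elif section == "O15" and body.startswith("Trusted Zone:"):
            findings.append(Finding(section, body, "trusted zone entry"))
        # O21: a ShellServiceObjectDelayLoad DLL that no longer exists on disk.
        elif section == "O21" and body.endswith("(file missing)"):
            findings.append(Finding(section, body, "file missing"))
        # O4: an autorun whose target lives in a TEMP directory.
        elif section == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
            findings.append(Finding(section, body, "autorun from temp"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.reason:<20} {f.body}")
```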

#9 Glunn11

Glunn11
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Idaho
  • Local time:07:27 PM

Posted 10 October 2006 - 11:55 AM

Dang the first error! We were doing so well...

So everything went well until the WinPFind2 part. I hit the "Select All" button in the "File Options" box, then hit Run All Scans. Once I do that, I immediately get this lovely error message :thumbsup:

"Grid index out of range."

And the scan does not start.


Anyways, I got a Mozilla Firefox browser on this computer, as I read it is much safer than IE. In addition, we managed to find a firewall compatible with Windows ME (McAfee Personal Firewall Plus) and I downloaded the 90-day free trial.

Also, I downloaded SpywareBlaster and prevented MANY bad places (a lot of dialers in particular) from accessing this computer.

Well, get back to me on this issue when you can. Thanks again!

Edited by Glunn11, 10 October 2006 - 12:56 PM.


#10 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:03:27 AM

Posted 10 October 2006 - 01:29 PM

Ok but don't worry, we can use the earlier version of WinPFind ;)

Here is a good tutorial, please follow it carefully and post the log when ready :thumbsup:

#11 Glunn11

Glunn11
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Idaho
  • Local time:07:27 PM

Posted 10 October 2006 - 02:12 PM

Alright, everything worked out well. First of all, here's the WinPFind log (it's a long read, but it managed to fit):

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 10/10/2006 12:30:57 PM
WinPFind v1.5.0 Folder = C:\WINPFIND\
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 10/7/2006 10:37:42 AM 1721 C:\system.exe ()
UPX! 10/7/2006 3:23:02 PM 3289265 C:\sysclean.com ()
aspack 10/7/2006 3:23:02 PM 3289265 C:\sysclean.com ()
UPX! 10/18/2005 12:25:20 PM 176709 C:\tsc.exe (Trend Micro Inc.)
PECompact2 10/6/2006 3:26:40 PM 25814751 C:\lpt$vpn.825 ()
qoologic 10/6/2006 3:26:40 PM 25814751 C:\lpt$vpn.825 ()
SAHAgent 10/6/2006 3:26:40 PM 25814751 C:\lpt$vpn.825 ()
UPX! 10/7/2006 6:24:50 PM 1144839 C:\stng260.exe (McAfee Inc.)

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
buddy.exe 10/10/2006 12:31:52 PM RH 5087264 C:\WINDOWS\CLASSES.DAT ()
WSUD 3/19/2005 8:00:22 AM 7423 C:\WINDOWS\lcktm.log ()

Checking %System% folder...
UPX! 10/14/2003 5:36:36 AM H 50588 C:\WINDOWS\SYSTEM\o78kdov0.tmp ()
WinShutDown 2/3/1998 8:00:00 AM 72192 C:\WINDOWS\SYSTEM\WPAUTO8.DLL (Corel Corporation Limited)
WinShutDown 2/3/1998 8:00:00 AM 64000 C:\WINDOWS\SYSTEM\PFAUTO8.DLL (Corel Corporation Limited)
WinShutDown 2/3/1998 8:00:00 AM 68096 C:\WINDOWS\SYSTEM\QPAUTO8.DLL (Corel Corporation Limited)
WSUD 8/2/2003 11:42:46 AM 95744 C:\WINDOWS\SYSTEM\CJstlst.FTS ()

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/10/2006 12:31:52 PM RH 5087264 C:\WINDOWS\CLASSES.DAT ()
10/10/2006 12:42:38 PM RH 3194912 C:\WINDOWS\SYSTEM.DAT ()
10/10/2006 12:31:52 PM RH 1462304 C:\WINDOWS\USER.DAT ()
10/9/2006 4:45:44 PM H 26574 C:\WINDOWS\TTFCACHE ()
10/10/2006 11:44:12 AM H 731540 C:\WINDOWS\ShellIconCache ()
10/10/2006 11:45:28 AM H 6 C:\WINDOWS\TASKS\SA.DAT ()
10/7/2006 10:45:18 AM HS 13946 C:\WINDOWS\TEMP\win76FF.TMP ()
10/7/2006 10:45:28 AM HS 13946 C:\WINDOWS\TEMP\winC997.TMP ()
10/7/2006 12:42:08 PM HS 12208 C:\WINDOWS\TEMP\$_2341233.TMP ()
10/7/2006 10:54:46 AM HS 0 C:\WINDOWS\TEMP\$b17a2e8.tmp ()
10/7/2006 12:35:46 PM HS 8 C:\WINDOWS\TEMP\$_2341235.TMP ()
9/29/2006 7:09:14 PM HS 118 C:\WINDOWS\Recent\Desktop.ini ()
9/14/2006 7:19:40 PM H 10820 C:\WINDOWS\HELP\nocontnt.GID ()
10/7/2006 3:36:24 PM H 80892 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream ()
10/10/2006 12:23:54 PM HS 2552 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt ()
10/3/2006 8:49:36 PM H 340 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\2731494125\sqmdata00.sqm ()
10/9/2006 7:41:22 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini ()
10/9/2006 12:24:56 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\98GBTPCT\desktop.ini ()
10/9/2006 12:25:08 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\83DNUYRT\desktop.ini ()
10/9/2006 12:26:02 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\W5E34LMB\desktop.ini ()
10/9/2006 12:40:26 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\81QFOX2N\desktop.ini ()
10/9/2006 3:28:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\1FR7L9SE\desktop.ini ()
10/9/2006 3:30:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ODKPI3GD\desktop.ini ()
10/9/2006 3:31:32 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\0RV7MWXX\desktop.ini ()
10/9/2006 3:37:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\BY0RF98P\desktop.ini ()
10/10/2006 9:40:32 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\324RJTK5\desktop.ini ()
10/10/2006 9:41:20 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\SX4T2NO9\desktop.ini ()
10/10/2006 10:58:28 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ST238XER\desktop.ini ()
10/10/2006 10:59:36 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ITGJUH65\desktop.ini ()
10/10/2006 11:24:00 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\49IZ41EN\desktop.ini ()
10/10/2006 11:24:14 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\EP709W7Y\desktop.ini ()
10/10/2006 11:33:38 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GLUV09QR\desktop.ini ()

Checking for CPL files...
8/29/2002 7:07:38 AM 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 62464 C:\WINDOWS\SYSTEM\INTL.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 104368 C:\WINDOWS\SYSTEM\MODEM.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 15152 C:\WINDOWS\SYSTEM\WUAUCPL.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 111616 C:\WINDOWS\SYSTEM\MAIN.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 389872 C:\WINDOWS\SYSTEM\SYSDM.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL (Microsoft Corporation)
6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\THEMES.CPL (Microsoft Corporation)
8/8/2000 3:09:26 PM 84480 C:\WINDOWS\SYSTEM\igfxcpl.cpl (Intel Corporation)
8/19/1997 22528 C:\WINDOWS\SYSTEM\FINDFAST.CPL ()
5/23/1996 45968 C:\WINDOWS\SYSTEM\MLCFG32.CPL (Microsoft Corporation)
5/26/2001 11:37:44 AM 24576 C:\WINDOWS\SYSTEM\prefscpl.cpl (RealNetworks, Inc.)
7/10/2002 9:01:38 PM 295936 C:\WINDOWS\SYSTEM\QuickTime.cpl (Apple Computer, Inc.)
10/30/2001 8:10:00 AM 442368 C:\WINDOWS\SYSTEM\JOY.CPL (Microsoft Corporation)
10/29/2003 12:30:18 PM 434176 C:\WINDOWS\SYSTEM\slcpappl.cpl (,)
6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM\jpicpl32.cpl (Sun Microsystems, Inc.)

Checking for Downloaded Program Files...
{00000075-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...ector/swdir.cab
{21F49842-BFA9-11D2-A89C-00104B62BDDA} - ChartFX Internet Control - CodeBase = http://www.sde.state.id.us/download/CfxIEAx.cab
{32564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv8ax.cab
{32564D57-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
{33564D57-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - McAfee.com Operating System Class - CodeBase = http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
{76D90D08-EAB7-46D8-BF99-87445BF59E72} - SystemInfo Class - CodeBase = http://directv.direcway.com/dwayready/dpcsysinfo.cab
{869F3BBC-A812-4D13-A93B-7B3FC816DCD5} - McAfee.com Updater - CodeBase = http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - - CodeBase = http://fpdownload.macromedia.com/get/shock...h/ultrashim.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - Update Class - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/...8017.4167013889
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn.com/download/MsnMesse...pDownloader.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
{BC01A402-4730-11D2-B36C-0000E8DF722B} - Illuminatus 4.5 IE Plugin - CodeBase = http://www.digitalworkshop.co.uk/ilm450.cab
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - DwnldGroupMgr Class - CodeBase = http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
{C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - Toontown Installer ActiveX Control - CodeBase = http://download.toontown.com/sv1.0.9.27.1/ttinst.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\SYSTEM\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/2/2006 10:16:02 AM 472 C:\WINDOWS\Start Menu\Programs\StartUp\ImageReader Ultra Scanner Utilities.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
10/7/2006 10:40:02 AM 14152 C:\WINDOWS\Application Data\dw.log ()
10/7/2006 10:44:40 AM 1516213 C:\WINDOWS\Application Data\Install.dat ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.msn.com
\\Search Bar -
\\Default_Page_URL - http://hp.my.yahoo.com
\\Local Page - C:\WINDOWS\SYSTEM\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.cnn.com/
\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
\\Local Page - C:\WINDOWS\SYSTEM\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\SYSTEM\SHDOCVW.DLL (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo! Companion BHO = C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL (Yahoo! Inc.)
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL ()

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL (Microsoft Corporation)
\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\SYSTEM\Shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL (Microsoft Corporation)
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{BA52B914-B692-46c4-B683-905236F6F655} - McAfee VirusScan = C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL (McAfee, Inc.)
\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINDOWS\SYSTEM\MSDXM.OCX (Microsoft Corporation)
\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion = C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion = C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL (Yahoo! Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8198
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 =
\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8194 =
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8195 = Sun Java Console
\\{EFFF8D47-D060-4108-B761-E8EC86622E56} - 8196 = Absolute Poker
\\{94148DB5-B42D-4915-95DA-2CBB4F7095BF} - 8197 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - ButtonText: Real.com =
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll (Sun Microsystems, Inc.)
\{EFFF8D47-D060-4108-B761-E8EC86622E56} - ButtonText: Absolute Poker = C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk ()

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL ()
\\{5E44E225-A408-11CF-B581-008029601108} - Adaptec Directcd Shell Extension = C:\Program Files\Adaptec\DirectCD\shellex.dll (Adaptec)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\{CFC7205E-2792-4378-9591-3879CC6C9022} - = C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL (McAfee, Inc.)
\{B95057E0-44DB-11CE-A5D1-00608C83BD3F} - = shellwp.dll (Corel Corporation Limited)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\QuickFinderMenu - {C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = C:\COREL\SUITE8\PROGRAMS\PFSE80.DLL (Novell, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\SYSTEM\igfxpph.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\{CFC7205E-2792-4378-9591-3879CC6C9022} - = C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL (McAfee, Inc.)
\QuickFinderMenu - {C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = C:\COREL\SUITE8\PROGRAMS\PFSE80.DLL (Novell, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry - C:\WINDOWS\scanregw.exe (Microsoft Corporation)
TaskMonitor - C:\WINDOWS\taskmon.exe (Microsoft Corporation)
PCHealth - C:\WINDOWS\PCHealth\Support\PCHSchd.exe (Microsoft Corporation)
SystemTray - C:\WINDOWS\SYSTEM\SysTray.Exe (Microsoft Corporation)
LoadPowerProfile - C:\WINDOWS\Rundll32.exe (Microsoft Corporation)
Keyboard Manager - C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe (Netropa Corp.)
hpsysdrv - c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
MotiveMonitor - C:\Program Files\Motive\motmon.exe (Motive Communications, Inc.)
WorksFUD - C:\Program Files\Microsoft Works\wkfud.exe (Microsoft® Corporation)
Microsoft Works Portfolio - C:\Program Files\Microsoft Works\WksSb.exe (Microsoft® Corporation)
DJRegFix - regedit /s c:\hp\djregfix.reg ()
HPLogiFinder - C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE ()
Adaptec DirectCD - C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE (Adaptec)
MCUpdateExe - C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe (McAfee, Inc)
VSOCheckTask - C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE (McAfee, Inc.)
MCAgentExe - C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe (McAfee, Inc)
LoadQM - C:\WINDOWS\loadqm.exe (Microsoft Corporation)
MCTskShd - C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe (McAfee, Inc)
tgcmd - C:\Program Files\Support.com\bin\tgcmd.exe (Qwest)
MPFExe - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE (McAfee Security)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
*StateMgr - C:\WINDOWS\System\Restore\StateMgr.exe (Microsoft Corporation)
LoadPowerProfile - C:\WINDOWS\Rundll32.exe (Microsoft Corporation)
SchedulingAgent - C:\WINDOWS\SYSTEM\mstask.exe (Microsoft Corporation)
SSDPSRV - C:\WINDOWS\SYSTEM\ssdpsrv.exe (Microsoft Corporation)
McShld9x - C:\Program Files\McAfee.com\VSO\mcshld9x.exe (McAfee, Inc.)
KB918547 - C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE (Microsoft Corporation)
KB891711 - C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Taskbar Display Controls - RunDLL deskcp16.dll ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\WINDOWS\Start Menu\Programs\StartUp\ImageReader Ultra Scanner Utilities.lnk - C:\WINDOWS\TWAIN_32\fb7\SCANER32.EXE ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL (Microsoft Corporation)
\\UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\SYSTEM\UPNPUI.DLL (Microsoft Corporation)
\\AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} = C:\WINDOWS\SYSTEM\AUHOOK.DLL (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = C:\WINDOWS\SYSTEM\BROWSEUI.DLL (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit =
\\Shell = explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

>>> DNS Name Servers <<<
Adapters:
Dial-Up Adapter
Actiontec Gateway
Linksys LNE100TX(v5) Fast Ethernet Adapter
Linksys LNE100TX(v5) Fast Ethernet Adapter
Name Server:

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\mswsosp.dll ()
\000000000002\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\msafd.dll ()
\000000000003\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\msafd.dll ()
\000000000004\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\msafd.dll ()
\000000000005\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\rsvpsp.dll ()
\000000000006\\PackedCatalogItem - CC:\WINDOWS\SYSTEM\rsvpsp.dll ()
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - C:\WINDOWS\SYSTEM\rnr20.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


And the new HiJackThis Log...
Logfile of HijackThis v1.99.1
Scan saved at 1:05:39 PM, on 10/10/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\TWAIN_32\FB7\SCANER32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: ImageReader Ultra Scanner Utilities.lnk = C:\WINDOWS\TWAIN_32\fb7\SCANER32.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.27.1/ttinst.cab
O16 - DPF: {BC01A402-4730-11D2-B36C-0000E8DF722B} (Illuminatus 4.5 IE Plugin) - http://www.digitalworkshop.co.uk/ilm450.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.sde.state.id.us/download/CfxIEAx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab



Thanks again! :thumbsup:

Edited by Glunn11, 10 October 2006 - 02:12 PM.


#12 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • Location:Finland

Posted 11 October 2006 - 12:33 AM

Hi again, so the messages still pop up when the computer starts?

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Go to virustotal.com
Click on the Browse button
Browse to the following file: C:\system.exe
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

So when you're ready, post the Kaspersky results and the virustotal results to here :thumbsup:
UNITE & ASAP member since 2006

#13 Glunn11

Glunn11
  • Topic Starter

  • Members
  • 262 posts
  • Gender:Male
  • Location:Idaho

Posted 11 October 2006 - 02:34 PM

Hey again! The mscvp60.dll (or whatever it's called) error message no longer shows up, but yes, "Windows cannot find ibm00001.exe" still pops up every time I start up Windows. :thumbsup:
Anyways, here's the Kaspersky results:


KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 11, 2006 1:03:18 PM
Operating System: Microsoft Windows Millennium Edition
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/10/2006
Kaspersky Anti-Virus database records: 230703
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
a:\
c:\
m:\
Scan Statistics
Total number of scanned objects 48878
Number of viruses found 10
Number of infected objects 21 / 0
Number of suspicious objects 0
Duration of the scan process 01:37:53

Infected Object Name Virus Name Last Action
c:\WINDOWS\TEMP\metasploit.exe Infected: Trojan-Downloader.Win32.Tibs.if skipped
c:\WINDOWS\TEMP\6.dlb Infected: Trojan-Downloader.Win32.Tibs.gc skipped
c:\WINDOWS\TEMP\win76FF.TMP Infected: Trojan-Proxy.Win32.Xorpix.ao skipped
c:\WINDOWS\TEMP\winC997.TMP Infected: Trojan-Proxy.Win32.Xorpix.ao skipped
c:\WINDOWS\Sti_Trace.log Object is locked skipped
c:\WINDOWS\wiaservc.log Object is locked skipped
c:\WINDOWS\Cookies\index.dat Object is locked skipped
c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbk Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbd Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbd Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbk Object is locked skipped
c:\WINDOWS\WIN386.SWP Object is locked skipped
c:\WINDOWS\SchedLog.Txt Object is locked skipped
c:\WINDOWS\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\cert8.db Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\key3.db Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\history.dat Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\Cache\_CACHE_MAP_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\Cache\_CACHE_001_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\Cache\_CACHE_002_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\Cache\_CACHE_003_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\omnnlqnl.default\parent.lock Object is locked skipped
c:\WINDOWS\Application Data\Support.com\profiles\SYSTEM\triggers.log Object is locked skipped
c:\WINDOWS\Sti_Event.log Object is locked skipped
c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
c:\_RESTORE\TEMP\A0001778.CPY Infected: not-a-virus:AdWare.Win32.EliteBar.z skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0005 Infected: Trojan-Clicker.Win32.VB.ex skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0006/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0006/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0007/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0007/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0007/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0007/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0007/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
c:\_RESTORE\TEMP\A0001779.CPY NSIS: infected - 14 skipped
c:\_RESTORE\LOGS\vxdsfp.log Object is locked skipped
c:\_RESTORE\LOGS\vxdalt1.log Object is locked skipped
c:\Program Files\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
c:\Program Files\McAfee.com\Agent\Data\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
c:\system.exe Infected: Trojan-Downloader.Win32.Small.dul skipped
Scan process completed.


And here's the virustotal.com scan:
Antivirus Version Update Result
AntiVir 7.2.0.25 10.11.2006 TR/Dldr.Small.dul.3
Authentium 4.93.8 10.11.2006 W32/Downloader.AHKC
Avast 4.7.892.0 10.11.2006 Win32:Trojano-P
AVG 386 10.11.2006 Downloader.Generic2.QIZ
BitDefender 7.2 10.11.2006 DeepScan:Generic.Malware.dld!!.A6E43220
CAT-QuickHeal 8.00 10.11.2006 TrojanDownloader.Small.dul
ClamAV devel-20060426 10.11.2006 Trojan.Downloader.Small-2782
eTrust-InoculateIT 23.73.19 10.11.2006 no virus found
eTrust-Vet 30.3.3127 10.11.2006 Win32/DlAnserin!generic
DrWeb 4.33 10.11.2006 Trojan.DownLoader.13019
Ewido 4.0 10.11.2006 Downloader.Small.dul
Fortinet 2.82.0.0 10.11.2006 W32/Small.DUL!tr.dldr
F-Prot 3.16f 10.11.2006 security risk named W32/Downloader.AHKC
F-Prot4 4.2.1.29 10.11.2006 W32/Downloader.AHKC
Ikarus 0.2.65.0 10.11.2006 no virus found
Kaspersky 4.0.2.24 10.11.2006 Trojan-Downloader.Win32.Small.dul
McAfee 4871 10.11.2006 no virus found
Microsoft 1.1603 10.11.2006 no virus found
NOD32v2 1.1797 10.10.2006 no virus found
Norman 5.80.02 10.11.2006 W32/DLoader.AYBX
Panda 9.0.0.4 10.11.2006 Suspicious file

Aditional Information
File size: 1721 bytes
MD5: 70a85ce5b9931533a77fd174ce60e12d
SHA1: b4eb657a19ccb03ff47541ad18aca431342ff1c9

We're getting closer and closer... :flowers:

#14 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • Location:Finland

Posted 12 October 2006 - 04:30 AM

Yes we're getting closer :thumbsup:

Please delete the following file:
c:\system.exe

Then we'll clean the temporary directories from malware remnants:
Download & Install CCleaner
Run the program. Select "Cleaner" and then "Windows". Make sure that everything is checked under "System".
Finally, click on Run Cleaner. Wait for the cleaning to end and close the program.
Do NOT use the 'Issues' tab unless you are an expert user.

Then, open HijackThis.
  • Open the Misc Tools section
  • Next to Generate Startuplist, check List empty sections (complete)
  • Click on Generate Startuplist
  • A logfile will pop up.
  • Please copy & paste the contents of this log to here.

Edited by Mr_JAk3, 12 October 2006 - 04:34 AM.

UNITE & ASAP member since 2006

#15 Glunn11

Glunn11
  • Topic Starter

  • Members
  • 262 posts
  • Gender:Male
  • Location:Idaho

Posted 12 October 2006 - 10:16 AM

OK, here's the HiJack log:

StartupList report, 10/12/2006, 9:09:31 AM
StartupList version: 1.52.2
Started from : C:\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\TWAIN_32\FB7\SCANER32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
ImageReader Ultra Scanner Utilities.lnk = C:\WINDOWS\TWAIN_32\fb7\SCANER32.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
MotiveMonitor = C:\Program Files\Motive\motmon.exe
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
DJRegFix = regedit /s c:\hp\djregfix.reg
HPLogiFinder = \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
Adaptec DirectCD = C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
MCUpdateExe = C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
VSOCheckTask = "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
MCAgentExe = C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
LoadQM = loadqm.exe
MCTskShd = C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
tgcmd = "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
MPFExe = C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
McShld9x = C:\Program Files\McAfee.com\VSO\mcshld9x.exe
KB918547 = C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe ibm00001.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\SPACE.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 12/10/2006, 9:5:46)

[Rename]
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
NUL=C:\WINDOWS\COOKIES\INDEX.DAT

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:

*File not found*

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job
Maintenance-ScanDisk.job
Maintenance-Defragment programs.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[McAfee.com Updater]
InProcServer32 = C:\WINDOWS\MCBIN\MGAVEXP.DLL
CODEBASE = http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\SYSTEM\MCINSCTL.DLL
CODEBASE = http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\SYSTEM\MCGDMGR.DLL
CODEBASE = http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwa...ector/swdir.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8ax.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

[{32564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv8dmo.cab

[SystemInfo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DPCSYSINFO.DLL
CODEBASE = http://directv.direcway.com/dwayready/dpcsysinfo.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH9.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8017.4167013889

[{00000075-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/voxacm.CAB

[Toontown Installer ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TTINST.DLL
CODEBASE = http://download.toontown.com/sv1.0.9.27.1/ttinst.cab

[Illuminatus 4.5 IE Plugin]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ILM450.OCX
CODEBASE = http://www.digitalworkshop.co.uk/ilm450.cab

[ChartFX Internet Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CFXIEAX.OCX
CODEBASE = http://www.sde.state.id.us/download/CfxIEAx.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNMESSENGERSETUPDOWNLOADER.OCX
CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZINTRO.OCX
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/shock...h/ultrashim.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\SYSTEM\KASPERSKY LAB\KASPERSKY ONLINE SCANNER\KAVWEBSCAN.DLL
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...ebscan_ansi.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 16,495 bytes
Report generated in 0.606 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
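The StartupList report above shows "Shell=explorer.exe ibm00001.exe" under SYSTEM.INI and a WINSTART.BAT that calls another batch file. As an added example that is not part of the thread and not code from HijackThis, the following Python check parses a StartupList report for exactly those Win9x startup points (the SYSTEM.INI Shell= line, WIN.INI load=/run=, and WINSTART.BAT); the embedded report is a constructed, shortened excerpt modelled on the one posted.

```python
"""Flag Win9x startup points in a HijackThis StartupList report.

Added example, not code from the thread or from HijackThis. It reads the
plain-text report format shown in the post above and reports three places
that malware on Windows 9x/ME commonly used to persist:
  * extra programs on the SYSTEM.INI  Shell=  line (after explorer.exe)
  * non-empty  load= / run=  lines in WIN.INI
  * commands in WINSTART.BAT (the file normally does not exist at all)
"""
from typing import Dict, List

# Constructed excerpt modelled on the StartupList report in the thread.
SAMPLE_REPORT = """\
Load/Run keys from C:\\WINDOWS\\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\\WINDOWS\\SYSTEM.INI:

Shell=explorer.exe ibm00001.exe
SCRNSAVE.EXE=C:\\WINDOWS\\SYSTEM\\SPACE.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\\WINDOWS\\WINSTART.BAT listing:

C:\\WINDOWS\\tmpcpyis.bat

--------------------------------------------------
"""

SEPARATOR = "-" * 50  # StartupList separates sections with 50 dashes


def split_sections(report: str) -> Dict[str, List[str]]:
    """Map each section's heading line to its non-blank body lines."""
    sections: Dict[str, List[str]] = {}
    for chunk in report.split(SEPARATOR):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections[lines[0]] = lines[1:]
    return sections


def find_section(sections: Dict[str, List[str]], prefix: str) -> List[str]:
    """Return the body of the first section whose heading starts with prefix."""
    for heading, body in sections.items():
        if heading.startswith(prefix):
            return body
    return []


def shell_extras(sections: Dict[str, List[str]]) -> List[str]:
    """Programs on the SYSTEM.INI Shell= line besides the default explorer.exe.

    Windows 9x/ME starts every token on that line, so a leftover entry for a
    file that has already been deleted is what produces a 'Windows cannot
    find <name>' message at each boot.
    """
    for line in find_section(sections, "Shell & screensaver key"):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            tokens = value.split()
            if tokens and tokens[0].lower() == "explorer.exe":
                return tokens[1:]
            return tokens  # shell replaced outright: report the whole line
    return []


def win_ini_load_run(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Non-empty load=/run= values from WIN.INI; a clean system has none."""
    found: Dict[str, str] = {}
    for line in find_section(sections, "Load/Run keys"):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("load", "run") and value.strip():
            found[key.strip().lower()] = value.strip()
    return found


def winstart_commands(sections: Dict[str, List[str]]) -> List[str]:
    """Commands listed for WINSTART.BAT; '*File not found*' means none."""
    body = find_section(sections, "C:\\WINDOWS\\WINSTART.BAT listing")
    return [ln for ln in body if not ln.startswith("*")]


def findings(report: str) -> List[str]:
    """Human-readable findings for one report, empty when nothing stands out."""
    sections = split_sections(report)
    out: List[str] = []
    for exe in shell_extras(sections):
        out.append(f"SYSTEM.INI Shell= launches extra program: {exe}")
    for key, value in win_ini_load_run(sections).items():
        out.append(f"WIN.INI {key}= is set: {value}")
    for cmd in winstart_commands(sections):
        out.append(f"WINSTART.BAT runs: {cmd}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_REPORT):
        print(line)
```

On the report posted above this flags ibm00001.exe on the Shell= line and the batch file called from WINSTART.BAT, the two entries a helper would want to look at next.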



