#1
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
Please, please help, HijackThis Log included
I have been having problems lately with my computer being bombarded with popups. The primary culprits have been the loadingwebsite.com website as well as pacific poker. It is impossible to do anything on my computer without being interrupted several times by popups. I am running several adware programs but none seem to help. Any help at all would be greatly appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 11:03:15 PM, on 02/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\qa054ew7\qa054ew7.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system\gshjqlv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\sysmonnt.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\yttkhn.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnindex.exe
C:\Hijack\HijackThis.exe
C:\WINNT\system32\vga.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
O1 - Hosts: search
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - C:\WINNT\system32\mdcdrdyc.dll
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - C:\WINNT\system32\tuucjfvs.dll
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - C:\WINNT\system32\hkjpygsy.dll
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - C:\WINNT\system32\qjdzwxct.dll
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - C:\WINNT\system32\vjhlyqek.dll
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - C:\WINNT\system32\gjpnivik.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - C:\WINNT\system32\uqqljdfc.dll
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINNT\system32\ic2_win.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [qa054ew7] C:\Program Files\qa054ew7\qa054ew7.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\msxmidi.exe
O4 - HKCU\..\Run: [hornRgd3X] rapusl.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [vga] C:\WINNT\system32\vga.exe
O4 - Startup: SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...terInstall.cab
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\t48ulel91hq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
#2
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Download CWShredder and run it. Click on the 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):
C:\Program Files\qa054ew7\qa054ew7.exe
C:\WINNT\system\gshjqlv.exe
C:\WINNT\system32\sysmonnt.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Begin2Search

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe
O1 - Hosts: search
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - C:\WINNT\system32\mdcdrdyc.dll
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - C:\WINNT\system32\tuucjfvs.dll
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - C:\WINNT\system32\hkjpygsy.dll
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - C:\WINNT\system32\qjdzwxct.dll
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - C:\WINNT\system32\vjhlyqek.dll
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - C:\WINNT\system32\gjpnivik.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - C:\WINNT\system32\uqqljdfc.dll
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINNT\system32\ic2_win.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [qa054ew7] C:\Program Files\qa054ew7\qa054ew7.exe
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\msxmidi.exe
O4 - HKCU\..\Run: [hornRgd3X] rapusl.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spys...tterInstall.cab
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\t48ulel91hq.dll
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\Program Files\qa054ew7\
C:\WINNT\system32\gjpnivik.dll
C:\WINNT\system32\hkjpygsy.dll
C:\WINNT\system32\ic2_win.dll
C:\WINNT\system32\mdcdrdyc.dll
C:\WINNT\system32\msxmidi.exe
C:\WINNT\system32\qjdzwxct.dll
C:\WINNT\system32\shqybxyj6.exe
C:\WINNT\system32\soft.exe
C:\WINNT\system32\sysmonnt
C:\WINNT\system32\t48ulel91hq.dll
C:\WINNT\system32\tjkhyoro6.exe
C:\WINNT\system32\tuucjfvs.dll
C:\WINNT\system32\uqqljdfc.dll
C:\WINNT\system32\vjhlyqek.dll
rapusl.exe

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Now, for the removal of those O1's, we will need this done as well...

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready.

With that said (when ready): Please download the following programs required for the removal process:
Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As... Save it.

Please follow the steps below:
1. Download/run the following uninstallers:
Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip
2. Run Kill2Me.
3. Unzip the pv.zip file's contents to your Desktop (NOTE: It MUST be on your Desktop!).
a) Open that folder on your Desktop and double click on the runme.bat file.
b) Type in 3 and hit your Enter key. Save the log file.
c) Type in 5 and hit your Enter key. Save the log file.
d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below.
4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later.
5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later.

We also need a list of files in the following folders:
C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.
__________________
GO BIG BLUE!!
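As an added example (not code from this forum, from the helper above, or from HijackThis itself), the following Python script parses the HijackThis entry formats that appear in this thread and flags the same classes of entry the reply above picks out: search hijacks to raw IP addresses, Hosts-file redirections, nameless BHOs and toolbars backed by random-named system32 DLLs, path-less or random-named autoruns, Trusted Zone additions, random-named Winlogon Notify DLLs, and unknown-owner services. The "random name" and "system directory" heuristics are assumptions of this example, the sample log is a constructed subset of the log in post #1, and the output is a review list rather than a verdict.

```python
"""Triage of HijackThis v1.99 log entries (added example, not forum or HJT code).
The random-name and location heuristics are assumptions chosen to mirror what
the reply above singled out; they yield review candidates, not verdicts."""
import re

# Constructed sample: a subset of the entries from post #1 in this thread,
# plus a few benign Symantec/STOPzilla entries that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - C:\WINNT\system32\mdcdrdyc.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\msxmidi.exe
O4 - HKCU\..\Run: [hornRgd3X] rapusl.exe
O15 - Trusted Zone: *.private-dialer.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\t48ulel91hq.dll
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
SERVICE = re.compile(r"^Service: (.+?) (?:\((\w+)\) )?- (.+?) - (.+)$")


def looks_random(stem: str) -> bool:
    """All-lowercase name with digits mixed in or a consonant run of 4+
    (mdcdrdyc, t48ulel91hq, shqybxyj6). Mixed-case vendor names never match."""
    if len(stem) < 6 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    if any(c.isdigit() for c in stem):
        return True
    longest = run = 0
    for c in stem:
        run = 0 if c in "aeiou" else run + 1
        longest = max(longest, run)
    return longest >= 4


def file_stem(path: str) -> str:
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def in_system_dir(path: str) -> bool:
    low = path.lower()
    return "\\system32\\" in low or "\\system\\" in low


def triage_line(line: str):
    """Return (kind, reason) when an entry deserves review, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    tail = body.rsplit(" - ", 1)[-1]  # last field: a path or "(no file)"
    if kind in ("R0", "R1"):
        if re.search(r"=\s*http://\d{1,3}(?:\.\d{1,3}){3}", body):
            return kind, "search/start page points at a raw IP address"
    elif kind == "O1":
        # the only Hosts line HJT should normally show is the loopback one
        if not re.search(r"Hosts:\s*127\.0\.0\.1\s+localhost$", body):
            return kind, "Hosts file redirects a name"
    elif kind in ("O2", "O3"):
        if tail == "(no file)":
            return kind, "orphaned CLSID with no backing file"
        if "(no name)" in body and in_system_dir(tail) and looks_random(file_stem(tail)):
            return kind, "nameless BHO/toolbar backed by a random-named system DLL"
    elif kind == "O4":
        if "] " in body:
            cmd = body.split("] ", 1)[1].strip()
        elif " = " in body:
            cmd = body.split(" = ", 1)[1].strip()
        else:
            return None
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if "\\" not in exe:
            return kind, "autorun command has no path (resolved via the search path)"
        if in_system_dir(exe) and looks_random(file_stem(exe)):
            return kind, "autorun of a random-named binary in a system directory"
    elif kind == "O15":
        if "Trusted Zone:" in body or "should be Internet Zone" in body:
            return kind, "Trusted Zone weakened"
    elif kind == "O20":
        if looks_random(file_stem(tail)):
            return kind, "random-named Winlogon Notify DLL (Look2Me-style persistence)"
    elif kind == "O23":
        s = SERVICE.match(body)
        if s and s.group(3) == "Unknown owner":
            if looks_random(file_stem(s.group(4))) or looks_random(s.group(2) or ""):
                return kind, "unknown-owner service with a random name"
    return None


def triage(log_text: str):
    """Scan a whole HJT log; returns [(kind, reason, entry), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for kind, reason, entry in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {entry}")
```

Entries the heuristics miss (the Begin2Search toolbar with its underscore name, the qa054ew7 autorun outside system32) show why the helper's list is still built by hand.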
#3
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
Okay, here are the log files as requested. On PV, typing 3 did nothing but 5 worked and is posted below. Some of the files that you said to delete were not found on my computer. Thank you again for all your help.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:47:47 PM, on 02/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\WINNT\essspk.exe
C:\WINNT\system\gshjqlv.exe
C:\WINNT\system32\vga.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKCU\..\Run: [vga] C:\WINNT\system32\vga.exe
O4 - Startup: SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

End of KRC HijackThis Analyzer Log.
================================================================

================================================================
Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 192512 C:\WINNT\system32\winlogon.exe 5.00.2195.6970 Windows NT Logon Application
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
MSVCRT.dll 78000000 282624 C:\WINNT\system32\MSVCRT.dll 6.10.9844.0 Microsoft (R) C Runtime Library
KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6946 Windows NT BASE API Client DLL
ADVAPI32.dll 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 Advanced Windows 32 Base API
RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
GDI32.dll 77f40000 241664 C:\WINNT\system32\GDI32.dll 5.00.2195.6945 GDI Client DLL
USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll 5.00.2195.7017 Windows 2000 USER API Client DLL
USERENV.dll 7c0f0000 397312 C:\WINNT\system32\USERENV.dll 5.00.2195.6794 Userenv
NDdeApi.dll 769a0000 28672 C:\WINNT\system32\NDdeApi.dll 5.00.2195.6661 Network DDE Share Management APIs
sfc.dll 76980000 110592 C:\WINNT\system32\sfc.dll 5.00.2195.6673 Windows File Protection
sfcfiles.dll 68010000 983040 C:\WINNT\system32\sfcfiles.dll 5.00.2195.6894 Windows 2000 System File Checker
Secur32.dll 7c340000 61440 C:\WINNT\system32\Secur32.dll 5.00.2195.6695 Security Support Provider Interface
PROFMAP.dll 690f0000 45056 C:\WINNT\system32\PROFMAP.dll 5.00.2195.6610 Userenv
NETAPI32.dll 75170000 323584 C:\WINNT\system32\NETAPI32.dll 5.00.2195.6949 Net Win32 API DLL
NTDSAPI.dll 77bf0000 69632 C:\WINNT\system32\NTDSAPI.dll 5.00.2195.6666 NT5DS
DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.6603 Windows Socket 32-Bit DLL
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.dll 75150000 61440 C:\WINNT\system32\SAMLIB.dll 5.00.2195.6897 SAM Library DLL
msgina.dll 76b90000 348160 C:\WINNT\system32\msgina.dll 5.00.2195.6928 Windows NT Logon Application
SHELL32.dll 782f0000 2379776 C:\WINNT\system32\SHELL32.dll 5.00.3900.7009 Windows Shell Common Dll
SHLWAPI.dll 70a70000 417792 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1612 (xpsp2.041207-1145) Shell Light-weight Utility Library
COMCTL32.dll 71710000 540672 C:\WINNT\system32\COMCTL32.dll 5.81 Common Controls Library
WINSTA.dll 65780000 53248 C:\WINNT\system32\WINSTA.dll 5.00.2195.6701 Winstation Library
WINMM.dll 77570000 196608 C:\WINNT\system32\WINMM.dll 5.00.2161.1 MCI API DLL
serwvdrv.dll 681a0000 28672 C:\WINNT\system32\serwvdrv.dll 5.00.2134.1 Unimodem Serial Wave driver
umdmxfrm.dll 66740000 28672 C:\WINNT\system32\umdmxfrm.dll 5.00.2134.1 Unimodem Tranform Module
setupapi.dll 77880000 581632 C:\WINNT\system32\setupapi.dll 5.00.2195.6622 Windows Setup API
wintrust.dll 76930000 176128 C:\WINNT\system32\wintrust.dll 5.131.2195.6824 Microsoft Trust Verification APIs
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.6613 Windows NT Image Helper
ole32.dll 77a50000 978944 C:\WINNT\system32\ole32.dll 5.00.2195.7021 Microsoft OLE for Windows
mscat32.dll 76a00000 20480 C:\WINNT\system32\mscat32.dll 5.131.2134.1 MSCAT32 Forwarder DLL
rsaenh.dll 7ca00000 143360 C:\WINNT\system32\rsaenh.dll 5.00.2195.6611 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
cscdll.dll 770c0000 143360 C:\WINNT\system32\cscdll.dll 5.00.2195.6713 Offline Network Agent
WlNotify.dll 76920000 65536 C:\WINNT\system32\WlNotify.dll 5.00.2195.6706 Common DLL to receive Winlogon notifications
CERTCLI.DLL 75570000 147456 C:\WINNT\system32\CERTCLI.DLL 5.00.2195.6619 Microsoft® Certificate Services Client
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
WINSCARD.DLL 76960000 94208 C:\WINNT\system32\WINSCARD.DLL 5.00.2195.6609 Microsoft Smart Card API
WINSPOOL.DRV 77800000 122880 C:\WINNT\system32\WINSPOOL.DRV 5.00.2195.6659 Windows Spooler Driver
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
IS3WLHandler.dll 10000000 24576 C:\WINNT\system32\IS3WLHandler.dll 3, 4, 0, 0 IS3WLHandler
wdmaud.drv 77560000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
wzcdlg.dll 18b0000 69632 C:\WINNT\system32\wzcdlg.dll 5.00.2195.6604 Wireless Zero Configuration Service UI
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
WZCSAPI.DLL 18d0000 40960 C:\WINNT\system32\WZCSAPI.DLL 5.00.2195.6604 Wireless Zero Configuration service API
CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
msv1_0.dll 1f10000 135168 C:\WINNT\system32\msv1_0.dll 5.00.2195.6897 Microsoft Authentication Package v1.0
IPHLPAPI.DLL 77340000 77824 C:\WINNT\system32\IPHLPAPI.DLL 5.00.2195.6602 IP Helper API
ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
ACTIVEDS.DLL 773b0000 192512 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 ADs Router Layer DLL
ADSLDPC.DLL 77380000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 ADs LDAP Provider C DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
RASAPI32.DLL 774e0000 208896 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.6625 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6738 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows(TM) Telephony API Client DLL
DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 DHCP Client Service
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
================================================================================

================================================================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla]
"Asyncronous"=dword:00000001
"DllName"="IS3WLHandler.dll"
"Lock"="WLEventLock"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartStartShell"
"Startup"="WLEventStartStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
=======================================================================

=======================================================================
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINNT\system32\spOrder.dll

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---STOPzilla
Keys Under Notify---wzcnotif

Guardian Key--- is called:

User Agent String---
{9171EDA1-37B7-4138-9540-7178277C204A}
=========================================================================

List of Files for C:\WINDOWS\Downloaded Program Files:
- Shockwave Flash Object (Macromedia Flash Player 7.0 r19)

List of Files for C:\Program Files\Internet Explorer:
- HMMAPI.dll was the only file that I wasn't sure whether or not it belonged

Thank You, mphell0
#4
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system\gshjqlv.exe

This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so).

1. Run CleanUp! program and click on CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.

2. Skip to Step 3.

3. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File.'
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).
Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):

c:\recycler\desktop.ini
C:\WINDOWS\system32\guard.tmp
C:\WINNT\system32\spOrder.dll
C:\WINNT\system\gshjqlv.exe

4. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

5. Run HijackThis and do a scan. Check and fix the following:

O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)

Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

6. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system32\ and sort the files by date. There will/should be two new DLLs.
-- If those O1 entries do return in HijackThis, paste those two files into KillBox (in Step 3 above) and kill them. Just follow through the same procedures (Steps 3 - 6) like before. Make sure NOT to reboot until you deleted those two files (otherwise the names will change again).

After that's done (or if you need more help), give us a new set of updated logs (2 PV logs, 1 notify.txt log, 1 VX2Finder log and 1 HijackThis log).
__________________
GO BIG BLUE!!
#5
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
Here are the updated logs. Once again, typing 3 in PV generated no results.
========================================================================

Logfile of HijackThis v1.99.1
Scan saved at 6:48:47 PM, on 02/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\vga.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [vga] C:\WINNT\system32\vga.exe
O4 - Startup: SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

=========================================================================

Module information for 'winlogon.exe'

=========================================================================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla]
"Asyncronous"=dword:00000001
"DllName"="IS3WLHandler.dll"
"Lock"="WLEventLock"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartStartShell"
"Startup"="WLEventStartStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

================================================================

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---STOPzilla
Keys Under Notify---wzcnotif

Guardian Key--- is called:

User Agent String---
{9171EDA1-37B7-4138-9540-7178277C204A}
#6
Analyst, Security Team
Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.
This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so).

1. Run CleanUp! program and click on CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.

2. Go to Step 3.

3. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File.'
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).
Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):

c:\recycler\desktop.ini
C:\WINDOWS\system32\guard.tmp
C:\WINNT\system32\vga.exe - unless you know if this is for your video card or something, delete it also
C:\WINNT\system32\tjkhyoro6.exe
C:\WINNT\system32\shqybxyj6.exe

4. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

5. Run HijackThis and do a scan. Check and fix the following:

O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O4 - HKCU\..\Run: [vga] C:\WINNT\system32\vga.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)

I can't find enough information for this file -> C:\WINNT\SYSTEM32\IS3WLHandler.dll
Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.

Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

6. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system32\ and sort the files by date. There will/should be two new DLLs.
-- If those O1 entries do return in HijackThis, paste those two files into KillBox (in Step 3 above) and kill them. Just follow through the same procedures (Steps 3 - 6) like before. Make sure NOT to reboot until you deleted those two files (otherwise the names will change again).

Restart and just post a new HijackThis log.

Right click on this link and choose Save As. Save it somewhere. Now run that program and do a search for these (search and save them separately):

03A08522-1426-409B-7534-34DFE546E811
0FA37060-7A7A-2F4C-EE64-BF3652FFAD81
2718DD6D-E6FA-1188-2501-F0813784A5F3
8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1
8E5DA144-B0C4-4CBD-9309-2666F6D7AD77
B54DA59F-5766-DB0B-2F4A-4E40B009C7B0
F5A35E7E-A94F-C946-C01A-9E563E708D87

Save the file and post the contents in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
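A small triage helper for the two artifacts this thread keeps coming back to: the Winlogon\Notify registry export (whose hex(2) DllName values are NUL-terminated UTF-16LE REG_EXPAND_SZ strings) and the HijackThis lines the helpers told the poster to fix. This is an added example, not code from the forum, HijackThis or VX2Finder; the stock Notify subkey list is an assumption drawn from the entries left untouched in this thread, and the sample inputs are constructed from values quoted in the posts.

```python
import re

# Constructed sample: a fragment of the Winlogon\Notify .reg export posted in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla]
"DllName"="IS3WLHandler.dll"
'''

# Constructed sample of HijackThis lines, copied from the logs in this thread.
SAMPLE_HJT = r'''O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKCU\..\Run: [vga] C:\WINNT\system32\vga.exe
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
'''

NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumption: the Notify subkeys of a stock Windows 2000 SP4 install, taken from the
# entries the helpers in this thread left alone; any other subkey loads a third-party
# DLL into winlogon.exe at logon and deserves a look.
STOCK_NOTIFY = {'crypt32chain', 'cryptnet', 'cscdll', 'sclgntfy', 'senslogn', 'wzcnotif'}


def decode_reg_value(raw):
    """Decode one .reg value: hex(2) is REG_EXPAND_SZ, i.e. the comma-separated bytes
    of a NUL-terminated UTF-16LE string, which is why crypt32.dll reads 63,00,72,00,..."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    m = re.match(r'hex\((1|2)\):(.*)$', raw)          # REG_SZ / REG_EXPAND_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    m = re.match(r'dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    return raw


def notify_handlers(reg_text):
    """Map each Winlogon\\Notify subkey to the DLL winlogon.exe loads for it."""
    # A trailing backslash continues a hex value on the next line; fold those first.
    text = re.sub(r',\\\r?\n\s*', ',', reg_text)
    prefix = (NOTIFY_KEY + '\\').lower()
    handlers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        if current is None or '=' not in line:
            continue
        name, _, raw = line.partition('=')
        if name.strip('"').lower() == 'dllname':     # value names are case-insensitive
            handlers[current] = decode_reg_value(raw)
    return handlers


def unexpected_notify(handlers):
    """Notify handlers outside the stock set, i.e. the ones worth investigating."""
    return {k: v for k, v in handlers.items() if k.lower() not in STOCK_NOTIFY}


# The line shapes the helpers acted on in this thread: BHOs whose DLL is gone,
# services with no vendor and no binary, and anything hooked into Winlogon.
HJT_RULES = (
    ('O2', re.compile(r'^O2 - BHO: .*\(no file\)$'), 'BHO CLSID registered but DLL missing'),
    ('O20', re.compile(r'^O20 - Winlogon Notify: '), 'DLL loaded into winlogon.exe at logon'),
    ('O23', re.compile(r'^O23 - Service: .*Unknown owner.*\(file missing\)$'), 'service with no owner or binary'),
)


def triage_hjt(log_text):
    """Return (tag, reason, line) for each HijackThis line that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for tag, pattern, reason in HJT_RULES:
            if pattern.match(line):
                findings.append((tag, reason, line))
                break
    return findings


if __name__ == '__main__':
    for subkey, dll in unexpected_notify(notify_handlers(SAMPLE_REG)).items():
        print(f'non-stock Winlogon Notify handler: {subkey} -> {dll}')
    for tag, reason, line in triage_hjt(SAMPLE_HJT):
        print(f'[{tag}] {reason}: {line}')
```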
#7
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
I am having a few problems with this. I do not have a windows folder on my C drive, so I cannot use the path for some of the files that you have listed. I searched my computer and the file guard.tmp did not come up. All of the O2's and the O23's continue to show up on the HJT log. I ran RegSrch as suggested but each one returned no results. Also, every time that I boot up my computer (when I have been told to do so) the VX2 toolbar tries to install itself.
The only information I could find on IS3WLHandler.dll is that the company is ISSS Inc., File version 3.4.0.0. Anyway, here is my current HJT logfile; thank you for bearing with me through this.

Logfile of HijackThis v1.99.1
Scan saved at 10:50:02 PM, on 02/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\yrrvwk.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnindex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
#8 (permalink) |
Analyst, Security Team
Sorry about that. Just replace Windows with WINNT instead since that's your folder.

Run HijackThis and then click on the Config button->Misc. Tools->Delete an NT service.... Type (or copy) in shqybxyj6.exe and hit ok.

Then run a HijackThis scan and check and fix the following:

O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)

Delete this file if found -> C:\WINNT\system32\shqybxyj6.exe

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Do not run it yet.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the Generate StartupList log button. Post that log in your next post.

Right click on this link and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on Silent Runners to run it. This will take a few minutes. It will create a file called Startup Programs followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download Find-qoologic. Unzip the files to your Desktop. Open the qoologic folder and run the qoologic.bat file. Wait a few minutes for it to finish. When the dos window disappears, go to your C: drive and open up the log.txt file. Copy and paste the whole log in your next post.

Download DllCompare and run it. Click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on Make a log of what was found. Post that log here.

Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to the C:\WINDOWS\system32 folder. Now run DllCompare.

Download Find It and unzip it. Open up the folder and double click on the find.bat file. Let it run for a while. After it's finished, open up the file. Copy and paste the contents to the forums.

Post all of the logs in your next post. We need them all to get a fix for this infection.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
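The triage the analyst does by eye in this thread rests on a handful of signals: random-looking service and file names, an O23 service whose binary is "(file missing)", O2 BHO CLSIDs with "(no file)", Run values left with no data, executables sitting in the Windows root or the legacy \system folder, and the PendingFileRenameOperations entry that is the reason for "don't reboot". The script below is an added example, not one of the tools named in this thread, that scores lines in the three formats posted here (HijackThis O-lines, StartupList "name = value" lines, Silent Runners lines with their [file not found] / [empty string] annotations) so the entries worth a second look come out first. The sample lines are copied from the logs in this thread; the weights and the consonant-run rule for "random-looking" names are my own assumptions, and a score means "review", never "delete".

```python
"""Score HijackThis / StartupList / Silent Runners log lines for manual review.

Added example; not one of the tools used in this thread. The weights and the
"random name" rule are assumptions. A score of 2 or more means "look at this".
"""
import re

RANDOM_RUN = re.compile(r"[^aeiouy]{5,}")  # 5+ consonants in a row; y counts as a vowel
# .exe directly in the Windows root, the legacy \system folder, or a Startup folder
ODD_LOCATION = re.compile(r"\\win(nt|dows)\\(system\\)?[^\\]+\.exe|\\startup\\[^\\]+\.exe", re.I)
MODULE = re.compile(r'([^\\/":]+?)\.(?:exe|dll)', re.I)  # first exe/dll name in a command

O23 = re.compile(r"^O23 - Service: (.+?)(?: \((.+?)\))? - (.+?) - (.+)$")
O2 = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4 = re.compile(r"^O4 - .+?: \[(.+?)\]\s*(.*)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")
PENDING = re.compile(r"^PendingFileRenameOperations: (.+)$", re.I)
KEYVAL = re.compile(r"^(\S[^=]*?)\s*=\s*(.*)$")  # StartupList / Silent Runners "name = value"

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE = r"""
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
kalvsys =
"EssSpkPhone" = "essspk.exe" [empty string]
"gshjqlv.exe" = "C:\WINNT\system\gshjqlv.exe" [file not found]
PendingFileRenameOperations: c:\winnt\system32\yrrvwk.exe
"""


def looks_random(name: str) -> bool:
    """Assumed rule: five or more letters with a run of five consonants somewhere."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 5 and bool(RANDOM_RUN.search(letters))


def module_stem(command: str) -> str:
    """Base name (without extension) of the first exe/dll mentioned in a command."""
    m = MODULE.search(command)
    return m.group(1) if m else ""


def triage_line(line: str):
    """Return (score, reasons) for one log line; unknown formats score 0."""
    line = line.strip()
    reasons, names = [], []
    if m := O23.match(line):
        display, short, owner, path = m.groups()
        names += [display, short or "", module_stem(path)]
        if owner.lower() == "unknown owner":
            reasons.append((1, "service has no publisher recorded"))
        if "(file missing)" in path.lower():
            reasons.append((2, "service binary is gone: orphaned entry or a self-deleting file"))
    elif m := O2.match(line):
        _, clsid, dll = m.groups()
        if dll.lower() == "(no file)":
            reasons.append((2, f"BHO {clsid} has no DLL on disk (orphaned CLSID)"))
        names.append(module_stem(dll))
    elif m := O4.match(line):
        name, command = m.groups()
        names += [name, module_stem(command)]
        if not command:
            reasons.append((2, "Run value has no data (left behind by a removed loader)"))
        elif ODD_LOCATION.search(command):
            reasons.append((1, "executable lives outside Program Files and system32"))
        elif "\\" not in command:
            reasons.append((1, "bare filename, resolved through PATH at logon"))
    elif m := O20.match(line):
        names += [m.group(1), module_stem(m.group(2))]
    elif m := PENDING.match(line):
        names.append(module_stem(m.group(1)))
        reasons.append((2, "rename/delete queued for next boot; rebooting changes the evidence"))
    elif m := KEYVAL.match(line):
        name, value = m.groups()
        names += [name, module_stem(value)]
        if not value.strip():
            reasons.append((2, "autorun value has no data (left behind by a removed loader)"))
        if "[file not found]" in value.lower():
            reasons.append((2, "Silent Runners could not find the file on disk"))
        if "[empty string]" in value.lower():
            reasons.append((1, "file carries no company name in its version info"))
        if ODD_LOCATION.search(value):
            reasons.append((1, "executable lives outside Program Files and system32"))
    odd = sorted({n for n in names if n and looks_random(n)})
    if odd:
        reasons.append((1, "random-looking name(s): " + ", ".join(odd)))
    return sum(w for w, _ in reasons), [text for _, text in reasons]


def triage(log_text: str, threshold: int = 2):
    """Lines scoring at or above the threshold, highest score first."""
    hits = []
    for line in log_text.splitlines():
        score, reasons = triage_line(line)
        if score >= threshold:
            hits.append((score, line.strip(), reasons))
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for score, line, reasons in triage(SAMPLE):
        print(f"[{score}] {line}")
        for reason in reasons:
            print(f"      - {reason}")
```

Run against the sample, the orphaned random-named service, the missing gshjqlv.exe and the queued rename of yrrvwk.exe come out on top, and the Symantec, iTunes-style and STOPzilla entries score 0 or 1. The name rule is deliberately loose and shows its limits on this very log: it misses shqybxyj6 (the y's break up the consonant run, though that service still scores on "file missing" and "Unknown owner"), and it puts EssSpkPhone on the review list because essspk.exe sits in C:\WINNT with no company name in its version info. Nothing in the score proves that entry malicious, which is exactly why the analyst collects publisher and file-presence data from several tools before deciding what to fix.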
#9 (permalink) |
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
I am having problems with Find-qoologic. The program starts running but the window never closes. It says 0 files copied because it cannot find the specified file or path, which is:

C:\Documents and Settings\Administrator\Desktop\qoologic>copy strings.exe C:\docume~1\alluse~1\startm~1\programs\startup

It does create a log.txt file; however, the only item it has listed is C:\Documents and Settings\Administrator\Desktop\qoologic, which is where I downloaded the program. Is this normal or am I doing something wrong?

I am having a similar problem with Find It. It will run for several minutes and then says it cannot find the specified path, but it doesn't give any path. All of the other programs ran fine.
#10 (permalink) |
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
Here are the logs for the other programs
StartupList report, 02/24/2005, 9:51:02 AM StartupList version: 1.52.2 Started from : C:\Hijack\HijackThis.EXE Detected: Windows 2000 SP4 (WinNT 5.00.2195) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options * Including empty and uninteresting sections * Showing rarely important sections ================================================== Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\Program Files\Common Files\STOPzilla!\SZServer.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINNT\system32\regsvc.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\SymTray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\WINNT\essspk.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\explorer.exe C:\WINNT\system32\yrrvwk.exe C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnindex.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Hijack\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\Documents and 
Settings\Administrator\Start Menu\Programs\Startup] SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe Shell folders AltStartup: *Folder not found* User shell folders Startup: *Folder not found* User shell folders AltStartup: *Folder not found* Shell folders Common Startup: [C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup] MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe Shell folders Common AltStartup: *Folder not found* User shell folders Common Startup: *Folder not found* User shell folders Alternate Common Startup: *Folder not found* -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINNT\system32\userinit.exe, [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry key not found* [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] *Registry value not found* [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synchronization Manager = mobsync.exe /logon SAClient = "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe NeroFilterCheck = Rfand = appuq.exe = 3.tmp = Web Service = 3.tmp.exe = wF8h3mR = kalvsys = Dvx = STOPzilla = C:\Program Files\STOPzilla!\Stopzilla.exe /autostart ffis = kbmfudvu = ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe secure = SpySpotter = C:\WINNT\zfvgm.exe = saie = {12EE7A5E-0674-42f9-A76B-000000004D00} = 
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB = 98D0CE0C16B1 = SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe EssSpkPhone = essspk.exe gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe MicrosoftAntiSpywareCleaner = C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce CleanUp! 
= C:\Documents and Settings\Administrator\Desktop\HJT Programs\CleanUp!\Cleanup.exe /WindowsRestart -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] *No values found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* 
-------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- File association entry for .EXE: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .COM: HKEY_CLASSES_ROOT\comfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .BAT: HKEY_CLASSES_ROOT\batfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .PIF: HKEY_CLASSES_ROOT\piffile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\scrfile\shell\open\command (Default) = "%1" /S -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = C:\WINNT\System32\mshta.exe "%1" %* 
-------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1 -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [1ef5b2c3-29ea-4037-9222-dc7669d0059f] * StubPath = C:\WINNT\system32\pwwlhq.exe [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] * StubPath = C:\WINNT\system32\setup\wmpocm.exe /HideWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] * StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE [{08B0E5C0-4FCB-11CF-AAA5-00401C608500}] * StubPath = C:\WINNT\system32\soft.exe [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT [{6A5110B5-E14B-4268-A065-EF89FF33C325}] * StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\System32\ie4uinit.exe [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] * StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] * StubPath = 
%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl -------------------------------------------------- Enumerating ICQ Agent Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps *Registry key not found* -------------------------------------------------- Load/Run keys from C:\WINNT\WIN.INI: load=*INI section not found* run=*INI section not found* Load/Run keys from Registry: HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\Windows: load= HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found* -------------------------------------------------- Shell & screensaver key from C:\WINNT\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINNT\Explorer.exe: PRESENT! 
C:\Explorer.exe: not present C:\WINNT\Explorer\Explorer.exe: not present C:\WINNT\System\Explorer.exe: not present C:\WINNT\System32\Explorer.exe: not present C:\WINNT\Command\Explorer.exe: not present C:\WINNT\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINNT - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - (no file) - {03A08522-1426-409B-7534-34DFE546E811} (no name) - (no file) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} (no name) - (no file) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} (no name) - (no file) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} (no name) - (no file) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} (no name) - (no file) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} (no name) - C:\Program Files\STOPzilla!\SZIEBHO.dll - {E3215F20-3212-11D6-9F8B-00D0B743919D} (no name) - (no file) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} -------------------------------------------------- Enumerating Task Scheduler jobs: Norton AntiVirus - Scan my computer.job Norton SystemWorks One Button Checkup.job QIC Autoupdate.job QIC Messenger Bkup.job QIC Messenger Periodic.job Symantec NetDetect.job -------------------------------------------------- Enumerating Download Program Files: [DirectAnimation Java Classes] CODEBASE = 
file://C:\WINNT\Java\classes\dajava.cab OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd [Microsoft XML Parser for Java] CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd [Shockwave Flash Object] InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINNT\System32\rnr20.dll NameSpace #2: C:\WINNT\System32\winrnr.dll Protocol #1: C:\WINNT\system32\msafd.dll Protocol #2: C:\WINNT\system32\msafd.dll Protocol #3: C:\WINNT\system32\msafd.dll Protocol #4: C:\WINNT\system32\rsvpsp.dll Protocol #5: C:\WINNT\system32\rsvpsp.dll Protocol #6: C:\WINNT\system32\msafd.dll Protocol #7: C:\WINNT\system32\msafd.dll Protocol #8: C:\WINNT\system32\msafd.dll Protocol #9: C:\WINNT\system32\msafd.dll Protocol #10: C:\WINNT\system32\msafd.dll Protocol #11: C:\WINNT\system32\msafd.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system) AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Alerter: %SystemRoot%\System32\services.exe (manual start) Application Management: %SystemRoot%\system32\services.exe (manual start) ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start) RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start) Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system) ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start) Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start) Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart) Computer Browser: %SystemRoot%\System32\services.exe (autostart) Symantec Event Manager: "C:\Program 
Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart) Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start) Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart) CD-ROM Driver: System32\DRIVERS\cdrom.sys (system) Indexing Service: C:\WINNT\system32\cisvc.exe (disabled) ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start) Game Port for Creative SB Live!: System32\DRIVERS\ctljystk.sys (manual start) DHCP Client: %SystemRoot%\System32\services.exe (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) Logical Disk Manager Driver: System32\drivers\dmio.sys (system) dmload: System32\drivers\dmload.sys (system) Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart) Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\services.exe (autostart) qpiwefxoivhk: C:\WINNT\system32\tjkhyoro6.exe (autostart) Intel(R) PRO Network Connection Driver: System32\DRIVERS\e100bnt5.sys (manual start) EDSP Port Driver: system32\DRIVERS\es56hpi.sys (manual start) Creative SB Live! 
Basic (WDM): system32\drivers\emu10k1.sys (manual start) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start) Fax Service: %systemroot%\system32\faxsvc.exe (manual start) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start) Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start) GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start) geoqgdug: System32\drivers\geoqgdug.sys (manual start) GhostStartService: C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE (autostart) GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) iPod Service: C:\Program Files\iPod\bin\iPodService.exe (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (manual start) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) ciyzyxbqmlmz: C:\WINNT\system32\shqybxyj6.exe (autostart) Server: %SystemRoot%\System32\services.exe (autostart) Workstation: %SystemRoot%\System32\services.exe (autostart) TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart) mesoifkr: System32\drivers\mesoifkr.sys (manual start) Messenger: %SystemRoot%\System32\services.exe (disabled) NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual 
start) Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start) Mouse Class Driver: System32\DRIVERS\mouclass.sys (system) MRXSMB: System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start) Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart) NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050223.007\NAVENG.Sys (manual start) NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050223.007\NavEx15.Sys (manual start) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBT: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (manual start) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Norton Unerase Protection Driver: \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS (manual start) Norton Unerase Protection: C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (autostart) NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start) Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) nv4: System32\DRIVERS\nv4.sys (manual start) IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start) IPX 
Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start) Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start) Parallel class driver: System32\DRIVERS\parallel.sys (manual start) Parallel port driver: System32\DRIVERS\parport.sys (system) PCI Bus Driver: System32\DRIVERS\pci.sys (system) PCIIde: System32\DRIVERS\pciide.sys (system) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart) WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start) Protected Storage: %SystemRoot%\system32\services.exe (autostart) Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start) Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system) Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Direct Parallel: System32\DRIVERS\raspti.sys (manual start) Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system) Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart) Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (system) SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system) SAVScan: C:\Program Files\Norton AntiVirus\SAVScan.exe (autostart) ScriptBlocking 
Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart) Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start) Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start) Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart) RunAs Service: %SystemRoot%\system32\services.exe (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start) Serial port driver: System32\DRIVERS\serial.sys (system) Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (manual start) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) Srv: System32\DRIVERS\srv.sys (manual start) Software Bus Driver: System32\DRIVERS\swenum.sys (manual start) Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start) Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart) SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start) symlcbrd: \??\C:\WINNT\system32\drivers\symlcbrd.sys (autostart) SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start) SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system) SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart) Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start) Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start) STOPzilla Service: C:\Program Files\Common Files\STOPzilla!\SZServer.exe (autostart) Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (autostart) Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start) Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart) Microsoft USB Universal Host Controller Driver: 
System32\DRIVERS\uhcd.sys (manual start) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start) Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start) Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start) VgaSave: \SystemRoot\System32\drivers\vga.sys (system) VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system) Windows Time: %SystemRoot%\System32\services.exe (manual start) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start) Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart) Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart) Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: c:\winnt\system32\yrrvwk.exe -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll WebCheck: C:\WINNT\System32\webcheck.dll SysTray: stobject.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run gshjqlv.exe = C:\WINNT\system\gshjqlv.exe -------------------------------------------------- Autorun entries from Registry: 
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------
End of report, 30,753 bytes
Report generated in 0.391 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

============================================================================
============================================================================

"Silent Runners.vbs", revision 29, launched at: 09:53
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"gshjqlv.exe" = "C:\WINNT\system\gshjqlv.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"CleanUp!" = "C:\Documents and Settings\Administrator\Desktop\HJT Programs\CleanUp!\Cleanup.exe /WindowsRestart" ["Steven R. Gould"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SAClient" = ""C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck" ["AT&T"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"NeroFilterCheck" = (no data)
"Rfand" = (no data)
"appuq.exe" = (no data)
"3.tmp" = (no data)
"Web Service" = (no data)
"3.tmp.exe" = (no data)
"wF8h3mR" = (no data)
"kalvsys" = (no data)
"Dvx" = (no data)
"STOPzilla" = "C:\Program Files\STOPzilla!\Stopzilla.exe /autostart" ["International Software Systems Solutions"]
"ffis" = (no data)
"kbmfudvu" = (no data)
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"]
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"secure" = (no data)
"SpySpotter" = (no data)
"C:\WINNT\zfvgm.exe" = (no data)
"saie" = (no data)
"{12EE7A5E-0674-42f9-A76B-000000004D00}" = (no data)
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB" = (no data)
"98D0CE0C16B1" = (no data)
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"EssSpkPhone" = "essspk.exe" [empty string]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data]
"MicrosoftAntiSpywareCleaner" = "C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access"
    \StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS]
"{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player"
    \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{E3215F20-3212-11D6-9F8B-00D0B743919D}\(Default) = (no title provided)
    -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\STOPzilla!\SZIEBHO.dll" ["International Software Systems Solutions"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> CLSID InProcServer32 resolves to: "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "MSN Desktop Search"
    -> CLSID InProcServer32 resolves to: "C:\Program Files\MSN Toolbar Suite\EXT\02.00.0001.1203\en-us\msnlExt.dll" ["Microsoft Corporation."]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"
    -> CLSID InProcServer32 resolves to: "C:\Program Files\MSN Toolbar Suite\DB\02.00.0001.1203\en-us\deskbar.dll" ["Microsoft Corporation."]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
    -> CLSID InProcServer32 resolves to: "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
    -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
    -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
    -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "STOPzilla\DLLName" = "IS3WLHandler.dll" ["ISSS Inc."]

Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"SoftStuff Wallpaper Changer" -> shortcut to: "D:\Program Files\SoftStuff\softstrt.exe" ["Softstuff Corporation"]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
"MSN Desktop Search" -> shortcut to: "C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe /startup" ["Microsoft Corporation."]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"QIC Autoupdate" -> launches: "C:\Program Files\Insight\BBClient\Programs\AutoUpdate.exe" ["AT&T"]
"QIC Messenger Bkup" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /NotCron" ["AT&T"]
"QIC Messenger Periodic" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /AutoRun" ["AT&T"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE" ["Symantec Corporation"]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
STOPzilla Service, szserver, "C:\Program Files\Common Files\STOPzilla!\SZServer.exe" [empty string]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

=========================================================================
=========================================================================

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\dn2q01~1.dll Mon Feb 7 2005 7:22:40p ..S.R 230,158 224.76 K
C:\WINNT\SYSTEM32\gppql3~1.dll Mon Feb 21 2005 11:02:54p ..S.R 231,894 226.46 K
C:\WINNT\SYSTEM32\h80qli~1.dll Mon Feb 21 2005 3:30:42p ..S.R 228,954 223.59 K
C:\WINNT\SYSTEM32\hr6m05~1.dll Wed Feb 23 2005 3:47:08p ..S.R 231,894 226.46 K
C:\WINNT\SYSTEM32\i006la~1.dll Thu Feb 3 2005 4:49:10p ..S.R 230,484 225.08 K
C:\WINNT\SYSTEM32\j02q0a~1.dll Mon Feb 21 2005 10:46:46p ..S.R 231,894 226.46 K
C:\WINNT\SYSTEM32\j8j60i~1.dll Mon Feb 21 2005 10:52:00p ..S.R 231,894 226.46 K
C:\WINNT\SYSTEM32\l42sle~1.dll Mon Feb 7 2005 9:19:46p ..S.R 231,756 226.32 K
C:\WINNT\SYSTEM32\lv0409~1.dll Thu Feb 10 2005 9:54:38p ..S.R 232,165 226.72 K
C:\WINNT\SYSTEM32\mkhtml.dll Wed Feb 23 2005 4:16:36p ..S.R 231,894 226.46 K
C:\WINNT\SYSTEM32\mv02l9~1.dll Thu Feb 3 2005 10:25:06p ..S.R 231,367 225.94 K
C:\WINNT\SYSTEM32\mvp6l9~1.dll Thu Feb 17 2005 10:56:54p ..S.R 229,039 223.67 K
C:\WINNT\SYSTEM32\mvr4l9~1.dll Tue Feb 22 2005 9:04:40p ..S.R 231,894 226.46 K
C:\WINNT\SYSTEM32\rfocurs.dll Mon Feb 21 2005 3:30:44p ..S.R 231,894 226.46 K

________________________________________________

1,022 items found: 1,022 files (14 H/S), 0 directories.
Total of file sizes: 176,125,357 bytes 167.96 M

Administrator Account = True

--------------------End log---------------------
#11 (permalink)
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
You're doing just fine. Qoologic basically had nothing to report, which is a good thing. Now, stay on the path here and you'll get cleaned up.
===========

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Don't run it yet.

Go to My Computer->Tools/View->Folder Options->View tab and uncheck 'Hide protected operating system files'.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system32\yrrvwk.exe

Using Notepad, open this file for editing: C:\WINNT\Wininit.ini
Delete all of the lines in the file. Save it and close Notepad.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

A) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ and delete each of the following keys:

appuq.exe =
3.tmp =
Web Service =
3.tmp.exe =
wF8h3mR =
kalvsys =
Dvx =
ffis =
kbmfudvu =
secure =
SpySpotter =
C:\WINNT\zfvgm.exe =
saie =
{12EE7A5E-0674-42f9-A76B-000000004D00} =
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB =
98D0CE0C16B1 =

B) HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\ and delete each of the following keys:

[1ef5b2c3-29ea-4037-9222-dc7669d0059f]
[{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]

C) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ and delete the "gshjqlv.exe" key.

Close the Registry Editor now.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINNT\zfvgm.exe
C:\WINNT\system\gshjqlv.exe
C:\WINNT\SYSTEM32\dn2q01~1.dll
C:\WINNT\SYSTEM32\gppql3~1.dll
C:\WINNT\SYSTEM32\h80qli~1.dll
C:\WINNT\SYSTEM32\hr6m05~1.dll
C:\WINNT\SYSTEM32\i006la~1.dll
C:\WINNT\SYSTEM32\j02q0a~1.dll
C:\WINNT\SYSTEM32\j8j60i~1.dll
C:\WINNT\SYSTEM32\l42sle~1.dll
C:\WINNT\SYSTEM32\lv0409~1.dll
C:\WINNT\SYSTEM32\mkhtml.dll
C:\WINNT\SYSTEM32\mv02l9~1.dll
C:\WINNT\SYSTEM32\mvp6l9~1.dll
C:\WINNT\SYSTEM32\mvr4l9~1.dll
C:\WINNT\system32\pwwlhq.exe
C:\WINNT\SYSTEM32\rfocurs.dll
C:\WINNT\system32\soft.exe
c:\winnt\system32\yrrvwk.exe

If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder.

Run the CleanUp program now and choose Yes when it asks if you want to log off.

Restart and run these programs/scripts again - HijackThis (both the scan log and the StartupList), Silent Runners, Find-qoologic, DllCompare and Find-It. Post those new logs here.
__________________
GO BIG BLUE!!
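Editor's added example, not code from this thread, from HijackThis or from any of the tools the helper lists: a small Python script that applies the same rules of thumb the helper is applying by eye to HijackThis-format lines. It parses the O2/O3, O4, O20 and O23 formats and flags dead pointers ("(no file)", "(file missing)"), services with no vendor string, random-looking names in the style of gshjqlv or kmufhfhw6, Run values that name a bare file with no path (resolved through the system search path), and Winlogon Notify DLLs, which load inside winlogon.exe as SYSTEM. The regexes, the 20% vowel threshold and the flag names are assumptions of this example; the sample lines are copied from the HijackThis log posted in #12 below. Every flag is a pointer for a human to check, not a verdict: the vowel heuristic will also catch some legitimate names.

```python
"""Triage HijackThis-format log lines with the rules of thumb used in this thread.

Added example for this page; not part of HijackThis or any tool the helper uses.
Heuristics only: a flag means "look at this", not "this is malware".
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted in #12 below.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# One regex per HijackThis section format handled here (assumed from the log layout).
RE_BHO = re.compile(r"^O(?P<code>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] (?P<cmd>.*)|(?P<lnk>.+?) = (?P<target>.*))$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")

VOWELS = set("aeiou")


@dataclass
class Entry:
    code: str            # HijackThis section, e.g. "O23"
    names: tuple         # names a human would eyeball: value name, display and service name
    target: str          # file, command line or DLL the entry points at
    owner: str = ""      # vendor string (O23 only)
    raw: str = ""
    flags: list = field(default_factory=list)


def parse_line(raw: str):
    """Return an Entry for the line formats we know, or None for anything else."""
    m = RE_BHO.match(raw)
    if m:
        return Entry("O" + m["code"], (m["name"],), m["path"], raw=raw)
    m = RE_O4.match(raw)
    if m:
        if m["name"] is not None:
            return Entry("O4", (m["name"],), m["cmd"], raw=raw)
        return Entry("O4", (m["lnk"],), m["target"], raw=raw)
    m = RE_O20.match(raw)
    if m:
        return Entry("O20", (m["name"],), m["path"], raw=raw)
    m = RE_O23.match(raw)
    if m:
        names = tuple(n for n in (m["display"], m["svc"]) if n)
        return Entry("O23", names, m["path"], owner=m["owner"], raw=raw)
    return None


def looks_random(name: str) -> bool:
    """Heuristic: six or more letters with under 20% vowels ('gshjqlv', 'kmufhfhw6')."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def judge(entry: Entry) -> list:
    """Apply the thread's rules of thumb; the order of checks fixes the order of flags."""
    flags = []
    low = entry.target.lower()
    if "(no file)" in low or "(file missing)" in low:
        flags.append("ORPHAN")           # dead pointer: remove it, and ask what removed the file
    if entry.owner.lower() == "unknown owner":
        flags.append("UNKNOWN_OWNER")    # binary carries no vendor version info
    if any(looks_random(n) for n in entry.names):
        flags.append("RANDOM_NAME")      # the naming style of the adware in this thread
    if entry.code == "O4" and "\\" not in entry.target:
        flags.append("NO_PATH")          # bare filename, resolved via the system search path
    if entry.code == "O20":
        flags.append("WINLOGON_NOTIFY")  # DLL is loaded into winlogon.exe (SYSTEM) at logon
    return flags


def report(log_text: str) -> dict:
    """Map every recognised line to its flag list; an empty list means nothing stood out."""
    result = {}
    for raw in log_text.splitlines():
        raw = raw.strip()
        entry = parse_line(raw) if raw else None
        if entry is not None:
            entry.flags = judge(entry)
            result[raw] = entry.flags
    return result


if __name__ == "__main__":
    for line, flags in report(SAMPLE_LOG).items():
        if flags:
            print(f"{', '.join(flags):<38} {line}")
```

Run against a full log, the output is the short list a helper would ask about; the two orphaned services and the orphan BHO are exactly the entries the helper has the user remove by hand above, while the STOPzilla Winlogon Notify hit is a legitimate product and shows why the flags are prompts rather than verdicts.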
#12 (permalink)
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
Here they are:
Would you prefer that I give each log its own post from now on? It might be easier to read.

HJT scan log
=========================================================================

Logfile of HijackThis v1.99.1
Scan saved at 5:37:05 PM, on 02/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\yttkhn.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

=========================================================================
StartupList
=========================================================================

StartupList report, 02/24/2005, 5:36:17 PM
StartupList version: 1.52.2
Started from : C:\Hijack\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\yttkhn.exe
C:\Hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SAClient = "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
NeroFilterCheck =
Rfand =
STOPzilla = C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
EssSpkPhone = essspk.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
MicrosoftAntiSpywareCleaner = C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[1ef5b2c3-29ea-4037-9222-dc7669d0059f]
StubPath = C:\WINNT\system32\pwwlhq.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINNT\system32\setup\wmpocm.exe /HideWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - {03A08522-1426-409B-7534-34DFE546E811}
(no name) - (no file) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81}
(no name) - (no file) - {2718DD6D-E6FA-1188-2501-F0813784A5F3}
(no name) - (no file) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1}
(no name) - (no file) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77}
(no name) - (no file) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0}
(no name) - C:\Program Files\STOPzilla!\SZIEBHO.dll - {E3215F20-3212-11D6-9F8B-00D0B743919D}
(no name) - (no file) - {F5A35E7E-A94F-C946-C01A-9E563E708D87}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
QIC Autoupdate.job
QIC Messenger Bkup.job
QIC Messenger Periodic.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background
Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart) Computer Browser: %SystemRoot%\System32\services.exe (autostart) Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart) Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start) Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart) CD-ROM Driver: System32\DRIVERS\cdrom.sys (system) Indexing Service: C:\WINNT\system32\cisvc.exe (disabled) ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start) Game Port for Creative SB Live!: System32\DRIVERS\ctljystk.sys (manual start) DHCP Client: %SystemRoot%\System32\services.exe (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) Logical Disk Manager Driver: System32\drivers\dmio.sys (system) dmload: System32\drivers\dmload.sys (system) Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart) Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\services.exe (autostart) qpiwefxoivhk: C:\WINNT\system32\tjkhyoro6.exe (autostart) Intel(R) PRO Network Connection Driver: System32\DRIVERS\e100bnt5.sys (manual start) EDSP Port Driver: system32\DRIVERS\es56hpi.sys (manual start) Creative SB Live! 
Basic (WDM): system32\drivers\emu10k1.sys (manual start) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start) Fax Service: %systemroot%\system32\faxsvc.exe (manual start) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start) Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start) GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start) geoqgdug: System32\drivers\geoqgdug.sys (manual start) GhostStartService: C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE (autostart) GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) iPod Service: C:\Program Files\iPod\bin\iPodService.exe (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (manual start) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) ciyzyxbqmlmz: C:\WINNT\system32\shqybxyj6.exe (autostart) Server: %SystemRoot%\System32\services.exe (autostart) Workstation: %SystemRoot%\System32\services.exe (autostart) TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart) mesoifkr: System32\drivers\mesoifkr.sys (manual start) Messenger: %SystemRoot%\System32\services.exe (disabled) NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual 
start) Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start) Mouse Class Driver: System32\DRIVERS\mouclass.sys (system) MRXSMB: System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start) Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart) NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050223.007\NAVENG.Sys (manual start) NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050223.007\NavEx15.Sys (manual start) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBT: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (manual start) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Norton Unerase Protection Driver: \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS (manual start) Norton Unerase Protection: C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (autostart) NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start) Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) nv4: System32\DRIVERS\nv4.sys (manual start) IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start) IPX 
Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start) Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start) Parallel class driver: System32\DRIVERS\parallel.sys (manual start) Parallel port driver: System32\DRIVERS\parport.sys (system) PCI Bus Driver: System32\DRIVERS\pci.sys (system) PCIIde: System32\DRIVERS\pciide.sys (system) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart) WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start) Protected Storage: %SystemRoot%\system32\services.exe (autostart) Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start) Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system) Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Direct Parallel: System32\DRIVERS\raspti.sys (manual start) Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system) Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart) Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (system) SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system) SAVScan: C:\Program Files\Norton AntiVirus\SAVScan.exe (autostart) ScriptBlocking 
Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart) Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start) Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start) Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart) RunAs Service: %SystemRoot%\system32\services.exe (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start) Serial port driver: System32\DRIVERS\serial.sys (system) Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (manual start) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) Srv: System32\DRIVERS\srv.sys (manual start) Software Bus Driver: System32\DRIVERS\swenum.sys (manual start) Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start) Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart) SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start) symlcbrd: \??\C:\WINNT\system32\drivers\symlcbrd.sys (autostart) SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start) SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system) SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart) Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start) Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start) STOPzilla Service: C:\Program Files\Common Files\STOPzilla!\SZServer.exe (autostart) Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (autostart) Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start) Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart) Microsoft USB Universal Host Controller Driver: 
System32\DRIVERS\uhcd.sys (manual start) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start) Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start) Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start) VgaSave: \SystemRoot\System32\drivers\vga.sys (system) VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system) Windows Time: %SystemRoot%\System32\services.exe (manual start) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start) Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart) Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart) Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: *Registry value not found* -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll WebCheck: C:\WINNT\System32\webcheck.dll SysTray: stobject.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *No values found* -------------------------------------------------- Autorun entries from Registry: 
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- End of report, 30,284 bytes Report generated in 0.260 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only ========================================================================= Silent Runners ========================================================================= "Silent Runners.vbs", revision 29, launched at: 17:38 Output limited to non-default values, except where indicated by "{++}" Operating System: Windows 2000 Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Synchronization Manager" = "mobsync.exe /logon" [MS] "SAClient" = ""C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck" ["AT&T"] "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."] "NeroFilterCheck" = (no data) "Rfand" = (no data) "STOPzilla" = "C:\Program Files\STOPzilla!\Stopzilla.exe /autostart" ["International Software Systems Solutions"] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"] "SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"] "Symantec NetDriver Monitor" = 
"C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"] "SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"] "EssSpkPhone" = "essspk.exe" [empty string] "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} "SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data] "MicrosoftAntiSpywareCleaner" = "C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe" [MS] HKLM\Software\Microsoft\Active Setup\Installed Components\ "1ef5b2c3-29ea-4037-9222-dc7669d0059f\(Default)" = (no title provided) \StubPath = "C:\WINNT\system32\pwwlhq.exe" [null data] ">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access" \StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS] "{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {E3215F20-3212-11D6-9F8B-00D0B743919D}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\STOPzilla!\SZIEBHO.dll" ["International Software Systems Solutions"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> CLSID InProcServer32 resolves to: "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = 
"Microsoft Office HTML Icon Handler" -> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "MSN Desktop Search" -> CLSID InProcServer32 resolves to: "C:\Program Files\MSN Toolbar Suite\EXT\02.00.0001.1203\en-us\msnlExt.dll" ["Microsoft Corporation."] "{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar" -> CLSID InProcServer32 resolves to: "C:\Program Files\MSN Toolbar Suite\DB\02.00.0001.1203\en-us\deskbar.dll" ["Microsoft Corporation."] "{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension" -> CLSID InProcServer32 resolves to: "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! 
"STOPzilla\DLLName" = "IS3WLHandler.dll" ["ISSS Inc."] Startup items in "Administrator" & "All Users" startup folders: --------------------------------------------------------------- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup "SoftStuff Wallpaper Changer" -> shortcut to: "D:\Program Files\SoftStuff\softstrt.exe" ["Softstuff Corporation"] C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup "MSN Desktop Search" -> shortcut to: "C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe /startup" ["Microsoft Corporation."] "yttkhn.exe" [file not found] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"] "Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"] "QIC Autoupdate" -> launches: "C:\Program Files\Insight\BBClient\Programs\AutoUpdate.exe" ["AT&T"] "QIC Messenger Bkup" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /NotCron" ["AT&T"] "QIC Messenger Periodic" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /AutoRun" ["AT&T"] "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE" ["Symantec Corporation"] iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] Norton Unerase Protection, NProtectService, "C:\Program 
Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"] SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"] STOPzilla Service, szserver, "C:\Program Files\Common Files\STOPzilla!\SZServer.exe" [empty string] Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- ========================================================================= Find-qoologic ========================================================================= C:\Documents and Settings\Administrator\Desktop\HJT Programs\qoologic PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ C:\WINNT\system32\goolcp.dll: updates.qoologic.com C:\WINNT\system32\pwwlhq.exe: updates.qoologic.com C:\WINNT\system32\zbbiea.dll: updates.qoologic.com C:\WINNT\system32\qbbwpv.dat: .aspack C:\WINNT\system32\yrrvwk.exe: .aspack Files Found in all users startup Folder............ 
------------------------ C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\yttkhn.exe: .aspack[/color] ========================================================================= DllCompare ========================================================================= * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ O^E says: "There were no files found :)" ________________________________________________ 1,007 items found: 1,007 files, 0 directories. Total of file sizes: 172,683,376 bytes 164.68 M Administrator Account = True --------------------End log--------------------- ========================================================================= Find-It ========================================================================= Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing. Find.bat is running from: C:\Documents and Settings\Administrator\Desktop\HJT Programs\Find It NT-2K-XP ------- System Files in System32 Directory ------- Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/22/2005 12:00p <DIR> dllcache 02/03/2005 10:21p 32 {272A38F9-84C9-4998-A2E6-DD5F6A9674EF}.dat 02/03/2005 06:03p 32 {0FFB2E85-55A8-42F7-8EDD-BABFC68ABB78}.dat 02/03/2005 06:01p 32 {3E45FD8A-51B8-4547-80EE-C92D86539A7E}.dat 02/03/2005 06:01p 32 {4E7027B1-4D79-46D7-B715-6188CA4A803C}.dat 02/03/2005 06:01p 32 {54381AD4-D2C3-40A0-8C03-9F9A4670C515}.dat 12/16/2004 10:54p 3,547 sosgb.dat 12/02/2004 10:03a 7,305 hvztz.dat 7 File(s) 11,012 bytes 1 Dir(s) 16,593,711,104 bytes free ------- Hidden Files in System32 Directory ------- Volume in drive C has no label. 
Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/22/2005 12:00p <DIR> dllcache 02/21/2005 04:35p <DIR> vmss 02/03/2005 10:21p 32 {272A38F9-84C9-4998-A2E6-DD5F6A9674EF}.dat 02/03/2005 06:03p 32 {0FFB2E85-55A8-42F7-8EDD-BABFC68ABB78}.dat 02/03/2005 06:01p 32 {3E45FD8A-51B8-4547-80EE-C92D86539A7E}.dat 02/03/2005 06:01p 32 {4E7027B1-4D79-46D7-B715-6188CA4A803C}.dat 02/03/2005 06:01p 32 {54381AD4-D2C3-40A0-8C03-9F9A4670C515}.dat 01/14/2005 10:59a <DIR> GroupPolicy 01/14/2005 10:34a 21,692 folder.htt 01/14/2005 10:34a 271 desktop.ini 12/16/2004 10:54p 3,547 sosgb.dat 12/02/2004 10:03a 7,305 hvztz.dat 9 File(s) 32,975 bytes 3 Dir(s) 16,593,707,008 bytes free ------------ Files Named "Guard" --------------- Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/24/2005 05:18p 231,824 guard.tmp 1 File(s) 231,824 bytes 0 Dir(s) 16,593,707,008 bytes free ------ Temp Files in System32 Directory ------ Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/24/2005 05:18p 231,824 guard.tmp 03/31/2003 06:00a 44,032 ~GLH0019.TMP 07/01/2002 10:23p 115,920 ~GLH0015.TMP 03/13/2001 02:50p 2,494 ~GLH000e.TMP 03/13/2001 02:49p 140,288 ~GLH0010.TMP 12/07/1999 07:00a 2,577 CONFIG.TMP 6 File(s) 537,135 bytes 0 Dir(s) 16,593,707,008 bytes free ------------------ User Agent ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{9171EDA1-37B7-4138-9540-7178277C204A}"="" ------------- Keys Under Notify ------------- REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla]
"Asyncronous"=dword:00000001
"DllName"="IS3WLHandler.dll"
"Lock"="WLEventLock"
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartStartShell"
"Startup"="WLEventStartStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
desktop.ini    Fri Jan 14 2005 10:34:54a ...H. 271 0.26 K
folder.htt     Fri Jan 14 2005 10:34:54a ...H. 21,692 21.18 K
hvztz.dat      Thu Dec 2 2004 10:03:40a A.SH. 7,305 7.13 K
sosgb.dat      Thu Dec 16 2004 10:54:28p A.SH. 3,547 3.46 K
{0ffb2~1.dat   Thu Feb 3 2005 6:03:30p A.SH. 32 0.03 K
{272a3~1.dat   Thu Feb 3 2005 10:21:32p A.SH. 32 0.03 K
{3e45f~1.dat   Thu Feb 3 2005 6:01:22p A.SH. 32 0.03 K
{4e702~1.dat   Thu Feb 3 2005 6:01:22p A.SH. 32 0.03 K
{54381~1.dat   Thu Feb 3 2005 6:01:22p A.SH. 32 0.03 K

9 items found: 9 files, 0 directories.
Total of file sizes: 32,975 bytes 32.20 K

-------- Strings.exe Qoologic Results --------

C:\WINNT\system32\goolcp.dll: updates.qoologic.com
C:\WINNT\system32\pwwlhq.exe: updates.qoologic.com
C:\WINNT\system32\zbbiea.dll: updates.qoologic.com
C:\WINNT\system32\goolcp.dll: updates.qoologic.com
C:\WINNT\system32\pwwlhq.exe: updates.qoologic.com
C:\WINNT\system32\zbbiea.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINNT\system32\qbbwpv.dat: .aspack
C:\WINNT\system32\yrrvwk.exe: .aspack
C:\WINNT\system32\qbbwpv.dat: .aspack
C:\WINNT\system32\yrrvwk.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SAClient"="\"C:\\Program Files\\Insight\\BBClient\\Programs\\RegCon.exe\" /admincheck"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"NeroFilterCheck"=""
"Rfand"=""
"STOPzilla"="C:\\Program Files\\STOPzilla!\\Stopzilla.exe /autostart"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"EssSpkPhone"="essspk.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
#13
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
No, this is fine.....we're used to reading them this way. Thx....
============

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\yttkhn.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\

and delete the [1ef5b2c3-29ea-4037-9222-dc7669d0059f] key. Close the Registry Editor now.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\yttkhn.exe
C:\WINNT\system32\goolcp.dll
C:\WINNT\system32\pwwlhq.exe
C:\WINNT\system32\zbbiea.dll
C:\WINNT\system32\qbbwpv.dat
C:\WINNT\system32\yrrvwk.exe
C:\WINNT\System32\{272A38F9-84C9-4998-A2E6-DD5F6A9674EF}.dat
C:\WINNT\System32\{0FFB2E85-55A8-42F7-8EDD-BABFC68ABB78}.dat
C:\WINNT\System32\{3E45FD8A-51B8-4547-80EE-C92D86539A7E}.dat
C:\WINNT\System32\{4E7027B1-4D79-46D7-B715-6188CA4A803C}.dat
C:\WINNT\System32\{54381AD4-D2C3-40A0-8C03-9F9A4670C515}.dat
C:\WINNT\System32\sosgb.dat
C:\WINNT\System32\hvztz.dat
C:\WINNT\System32\vmss\
C:\WINNT\System32\guard.tmp

If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder.

Run the CleanUp program now and choose Yes when it asks if you want to log off.

Restart and run these programs/scripts again - HijackThis (both the scan log and the StartupList), Silent Runners, Find-qoologic, DllCompare and Find-It. Post those new logs here.
__________________
GO BIG BLUE!!
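The triage a helper does by eye on a HijackThis log, done in code as an added example (not from this thread and not part of HijackThis): it pulls out the O2 Browser Helper Objects whose DLL is gone ("(no file)") and the O23 services whose binary is missing or whose owner HJT could not resolve, which are exactly the entry types the fix list above acts on. The sample lines are copied from the log posted in this thread; the function and class names are this example's own.

```python
"""Triage helper for HijackThis (HJT) v1.99 scan logs.

Added example, not part of the thread or of HijackThis itself. Parses O2 (BHO)
and O23 (service) lines and separates dangling entries a helper would tell the
user to 'Fix checked' from entries that merely need a closer look.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\\Program Files\\STOPzilla!\\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINNT\\system32\\msdxm.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\\PROGRA~1\\NORTON~2\\NORTON~1\\GHOSTS~2.EXE
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\\WINNT\\system32\\tjkhyoro6.exe (file missing)
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\\WINNT\\system32\\shqybxyj6.exe (file missing)
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\\Program Files\\Common Files\\STOPzilla!\\SZServer.exe
"""

# O2 - BHO: <name> - {CLSID} - <dll path, or "(no file)" when the DLL is gone>
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O23 - Service: <display name> [(short name)] - <owner> - <image path>[ (file missing)]
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*)$"
)


@dataclass(frozen=True)
class Finding:
    section: str     # "O2" or "O23"
    severity: str    # "fix" = dangling entry HJT can remove; "review" = look closer
    identifier: str  # CLSID for a BHO, short (or display) name for a service
    line: str        # the original log line, ready to be matched in HJT's scan


def parse_bho(line: str) -> Optional[Finding]:
    """Flag an O2 entry whose DLL no longer exists: a registry stub left behind."""
    m = BHO_RE.match(line)
    if not m:
        return None
    if m["path"].strip() == "(no file)":
        return Finding("O2", "fix", m["clsid"], line)
    return None


def parse_service(line: str) -> Optional[Finding]:
    """Flag an O23 entry whose image is missing, or whose owner HJT could not name."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    ident = m["short"] or m["display"]
    if m["path"].rstrip().endswith("(file missing)"):
        # Autostart service pointing at a deleted binary: orphaned, safe to fix.
        return Finding("O23", "fix", ident, line)
    if m["owner"] == "Unknown owner":
        # Binary exists but carries no recognised vendor string: a person decides.
        return Finding("O23", "review", ident, line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line through both matchers and collect findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        found = parse_bho(line) or parse_service(line)
        if found:
            findings.append(found)
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """Only the entries a helper would tell the user to 'Fix checked' in HJT."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.identifier}")
```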
#14
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
Logfile of HijackThis v1.99.1
Scan saved at 4:07:36 PM, on 02/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

=========================================================================
=========================================================================

StartupList report, 02/25/2005, 4:08:36 PM
StartupList version: 1.52.2
Started from : C:\Hijack\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SAClient = "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
NeroFilterCheck =
Rfand =
STOPzilla = C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
EssSpkPhone = essspk.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[1ef5b2c3-29ea-4037-9222-dc7669d0059f] *
StubPath = C:\WINNT\system32\pwwlhq.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINNT\system32\setup\wmpocm.exe /HideWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - {03A08522-1426-409B-7534-34DFE546E811}
(no name) - (no file) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81}
(no name) - (no file) - {2718DD6D-E6FA-1188-2501-F0813784A5F3}
(no name) - (no file) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1}
(no name) - (no file) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77}
(no name) - (no file) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0}
(no name) - C:\Program Files\STOPzilla!\SZIEBHO.dll - {E3215F20-3212-11D6-9F8B-00D0B743919D}
(no name) - (no file) - {F5A35E7E-A94F-C946-C01A-9E563E708D87}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
QIC Autoupdate.job
QIC Messenger Bkup.job
QIC Messenger Periodic.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Game Port for Creative SB Live!: System32\DRIVERS\ctljystk.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
qpiwefxoivhk: C:\WINNT\system32\tjkhyoro6.exe (autostart)
Intel(R) PRO Network Connection Driver: System32\DRIVERS\e100bnt5.sys (manual start)
EDSP Port Driver: system32\DRIVERS\es56hpi.sys (manual start)
Creative SB Live! Basic (WDM): system32\drivers\emu10k1.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
geoqgdug: System32\drivers\geoqgdug.sys (manual start)
GhostStartService: C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE (autostart)
GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
ciyzyxbqmlmz: C:\WINNT\system32\shqybxyj6.exe (autostart)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
mesoifkr: System32\drivers\mesoifkr.sys (manual start)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050223.007\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050223.007\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton Unerase Protection Driver: \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS (manual start)
Norton Unerase Protection: C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
nv4: System32\DRIVERS\nv4.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (system)
SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system)
SAVScan: C:\Program Files\Norton AntiVirus\SAVScan.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
symlcbrd: \??\C:\WINNT\system32\drivers\symlcbrd.sys (autostart)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
STOPzilla Service: C:\Program Files\Common Files\STOPzilla!\SZServer.exe (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (autostart)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver:
System32\DRIVERS\uhcd.sys (manual start) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start) Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start) Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start) VgaSave: \SystemRoot\System32\drivers\vga.sys (system) VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system) Windows Time: %SystemRoot%\System32\services.exe (manual start) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start) Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart) Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart) Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: *Registry value not found* -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll WebCheck: C:\WINNT\System32\webcheck.dll SysTray: stobject.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *No values found* -------------------------------------------------- Autorun entries from Registry: 
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- End of report, 30,088 bytes Report generated in 0.340 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only ========================================================================= ========================================================================= "Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 16:11 Operating System: Windows 2000 Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Synchronization Manager" = "mobsync.exe /logon" [MS] "SAClient" = ""C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck" ["AT&T"] "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."] "NeroFilterCheck" = "" [(file not found)] "Rfand" = "" [(file not found)] "STOPzilla" = "C:\Program Files\STOPzilla!\Stopzilla.exe /autostart" ["International Software Systems Solutions"] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"] "SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"] "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"] 
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"] "EssSpkPhone" = "essspk.exe" [empty string] "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ "SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ ">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access" \StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS] "{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {03A08522-1426-409B-7534-34DFE546E811}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found] {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found] {2718DD6D-E6FA-1188-2501-F0813784A5F3}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found] {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found] {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found] {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found] {E3215F20-3212-11D6-9F8B-00D0B743919D}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\STOPzilla!\SZIEBHO.dll" ["International Software Systems Solutions"] 
{F5A35E7E-A94F-C946-C01A-9E563E708D87}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}" -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS] "WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS] "SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}" -> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! "STOPzilla\DLLName" = "IS3WLHandler.dll" ["ISSS Inc."] Startup items in "Administrator" & "All Users" startup folders: ---------------------------------------------------------------- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup "SoftStuff Wallpaper Changer" -> shortcut to: "D:\Program Files\SoftStuff\softstrt.exe" ["Softstuff Corporation"] C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup "MSN Desktop Search" -> shortcut to: "C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe /startup" ["Microsoft Corporation."] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"] "Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"] "QIC Autoupdate" -> launches: "C:\Program Files\Insight\BBClient\Programs\AutoUpdate.exe" ["AT&T"] "QIC Messenger Bkup" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /NotCron" ["AT&T"] "QIC Messenger Periodic" -> launches: 
"C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /AutoRun" ["AT&T"] "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Automatic Updates, wuauserv, "C:\WINNT\system32\svchost.exe -k wugroup" {"C:\WINNT\System32\wuauserv.dll" [MS]} Background Intelligent Transfer Service, BITS, "C:\WINNT\System32\svchost.exe -k BITSgroup" {"C:\WINNT\System32\qmgr.dll" [MS]} COM+ Event System, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [MS]} Computer Browser, Browser, "C:\WINNT\System32\services.exe" [MS] DHCP Client, Dhcp, "C:\WINNT\System32\services.exe" [MS] Distributed Link Tracking Client, TrkWks, "C:\WINNT\system32\services.exe" [MS] DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS] Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS] GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE" ["Symantec Corporation"] iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] IPSEC Policy Agent, PolicyAgent, "C:\WINNT\System32\lsass.exe" [MS] Logical Disk Manager, dmserver, "C:\WINNT\System32\services.exe" [MS] Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]} Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] Norton Unerase Protection, NProtectService, "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"] Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS] Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS] Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS] Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" 
{"C:\WINNT\System32\rasmans.dll" [MS]} Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]} Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]} RunAs Service, seclogon, "C:\WINNT\system32\services.exe" [MS] SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"] Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS] Server, lanmanserver, "C:\WINNT\System32\services.exe" [MS] STOPzilla Service, szserver, "C:\Program Files\Common Files\STOPzilla!\SZServer.exe" [empty string] Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] System Event Notification, SENS, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\sens.dll" [MS]} Task Scheduler, Schedule, "C:\WINNT\system32\MSTask.exe" [MS] TCP/IP NetBIOS Helper Service, LmHosts, "C:\WINNT\System32\services.exe" [MS] Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]} Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS] Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS] Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS] ========================================================================= ========================================================================= * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! 
________________________________________________ O^E says: "There were no files found :)" ________________________________________________ 1,005 items found: 1,005 files, 0 directories. Total of file sizes: 172,653,168 bytes 164.65 M Administrator Account = True --------------------End log--------------------- ========================================================================= ========================================================================= C:\Documents and Settings\Administrator\Desktop\HJT Programs\qoologic PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ Files Found in all users startup Folder............ ------------------------ ========================================================================= ========================================================================= Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing. Find.bat is running from: C:\Documents and Settings\Administrator\Desktop\HJT Programs\Find It NT-2K-XP ------- System Files in System32 Directory ------- Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/22/2005 12:00p <DIR> dllcache 0 File(s) 0 bytes 1 Dir(s) 16,611,418,112 bytes free ------- Hidden Files in System32 Directory ------- Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/22/2005 12:00p <DIR> dllcache 01/14/2005 10:59a <DIR> GroupPolicy 01/14/2005 10:34a 21,692 folder.htt 01/14/2005 10:34a 271 desktop.ini 2 File(s) 21,963 bytes 2 Dir(s) 16,611,418,112 bytes free ------------ Files Named "Guard" --------------- Volume in drive C has no label. 
Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 ------ Temp Files in System32 Directory ------ Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 03/31/2003 06:00a 44,032 ~GLH0019.TMP 07/01/2002 10:23p 115,920 ~GLH0015.TMP 03/13/2001 02:50p 2,494 ~GLH000e.TMP 03/13/2001 02:49p 140,288 ~GLH0010.TMP 12/07/1999 07:00a 2,577 CONFIG.TMP 5 File(s) 305,311 bytes 0 Dir(s) 16,611,418,112 bytes free ------------------ User Agent ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{9171EDA1-37B7-4138-9540-7178277C204A}"="" ------------- Keys Under Notify ------------- REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] 
"DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla] "Asyncronous"=dword:00000001 "DllName"="IS3WLHandler.dll" "Lock"="WLEventLock" "Logon"="WLEventLogon" "Logoff"="WLEventLogoff" "Shutdown"="WLEventShutdown" "StartScreenSaver"="WLEventStartScreenSaver" "StartShell"="WLEventStartStartShell" "Startup"="WLEventStartStartup" "StopScreenSaver"="WLEventStopScreenSaver" "Unlock"="WLEventUnlock" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif] "DLLName"="wzcdlg.dll" "Logon"="WZCEventLogon" "Logoff"="WZCEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000000 ------------- Locate.com Results ------------- C:\WINNT\SYSTEM32\ desktop.ini Fri Jan 14 2005 10:34:54a ...H. 271 0.26 K folder.htt Fri Jan 14 2005 10:34:54a ...H. 21,692 21.18 K 2 items found: 2 files, 0 directories. 
Total of file sizes: 21,963 bytes 21.45 K -------- Strings.exe Qoologic Results -------- --------- Strings.exe Aspack Results --------- -------------- HKLM Run Key ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Synchronization Manager"="mobsync.exe /logon" "SAClient"="\"C:\\Program Files\\Insight\\BBClient\\Programs\\RegCon.exe\" /admincheck" "iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe" "NeroFilterCheck"="" "Rfand"="" "STOPzilla"="C:\\Program Files\\STOPzilla!\\Stopzilla.exe /autostart" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe" "SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg" "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe" "SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe" "EssSpkPhone"="essspk.exe" "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" |
#15
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Wow, this is a "rugged" SOB.......we'll try another round before contemplating a course change. You're doing very well, hang in there.
=========

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

You should not have any open browsers when you are following the procedures below.

Right click on My Computer and go to Manage. Then click on the Services entry to expand it. Click on it again to get the list of Services running. Look for these:

qpiwefxoivhk
geoqgdug
ciyzyxbqmlmz

Once found, click on them once and click on the Stop service link on the upper left. Then double click on it to open it up. On the drop down box, choose the disable option. Close Services when done with each.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup.

While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
and delete the "Rfand" key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
and delete the [1ef5b2c3-29ea-4037-9222-dc7669d0059f] key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
and delete each of these:

{03A08522-1426-409B-7534-34DFE546E811}
{0FA37060-7A7A-2F4C-EE64-BF3652FFAD81}
{2718DD6D-E6FA-1188-2501-F0813784A5F3}
{8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1}
{8E5DA144-B0C4-4CBD-9309-2666F6D7AD77}
{B54DA59F-5766-DB0B-2F4A-4E40B009C7B0}
{F5A35E7E-A94F-C946-C01A-9E563E708D87}

Close the Registry Editor now.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out.

Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINNT\system32\tjkhyoro6.exe
C:\WINNT\System32\drivers\geoqgdug.sys
C:\WINNT\system32\shqybxyj6.exe
C:\WINNT\System32\folder.htt
C:\WINNT\System32\desktop.ini

If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder.

Run the CleanUp program now and choose Yes when it asks if you want to log off.

Restart and run these programs/scripts again - HijackThis (both the scan log and the StartupList), Silent Runners, Find-qoologic, DllCompare and Find-It. Post those new logs here.
__________________
GO BIG BLUE!!
#18
Registered User
Join Date: Feb 2005
Posts: 17
OS: Win2000
It still wouldn't let me delete the BHO keys, even in safe mode.
Here are the logs after doing everything but deleting the registry keys.

Logfile of HijackThis v1.99.1
Scan saved at 7:23:00 PM, on 02/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\oyh6e3o3.slt\prefs.js)
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe
O4 - Global Startup: MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

=========================================================================
=========================================================================

StartupList report, 02/27/2005, 7:23:32 PM
StartupList version: 1.52.2
Started from : C:\Hijack\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\essspk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
SoftStuff Wallpaper Changer.lnk = D:\Program Files\SoftStuff\softstrt.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
MSN Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SAClient = "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
NeroFilterCheck =
STOPzilla = C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
EssSpkPhone = essspk.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] *No values found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys 
of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- File association entry for .EXE: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .COM: HKEY_CLASSES_ROOT\comfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .BAT: HKEY_CLASSES_ROOT\batfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .PIF: HKEY_CLASSES_ROOT\piffile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\scrfile\shell\open\command (Default) = "%1" /S -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = 
C:\WINNT\System32\mshta.exe "%1" %* -------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1 -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] * StubPath = C:\WINNT\system32\setup\wmpocm.exe /HideWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] * StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT [{6A5110B5-E14B-4268-A065-EF89FF33C325}] * StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\System32\ie4uinit.exe [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] * StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] * StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl -------------------------------------------------- Enumerating ICQ Agent 
Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps *Registry key not found* -------------------------------------------------- Load/Run keys from C:\WINNT\WIN.INI: load=*INI section not found* run=*INI section not found* Load/Run keys from Registry: HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\Windows: load= HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found* -------------------------------------------------- Shell & screensaver key from C:\WINNT\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINNT\Explorer.exe: PRESENT! 
C:\Explorer.exe: not present C:\WINNT\Explorer\Explorer.exe: not present C:\WINNT\System\Explorer.exe: not present C:\WINNT\System32\Explorer.exe: not present C:\WINNT\Command\Explorer.exe: not present C:\WINNT\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINNT - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - (no file) - {03A08522-1426-409B-7534-34DFE546E811} (no name) - (no file) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} (no name) - (no file) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} (no name) - (no file) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} (no name) - (no file) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} (no name) - (no file) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} (no name) - C:\Program Files\STOPzilla!\SZIEBHO.dll - {E3215F20-3212-11D6-9F8B-00D0B743919D} (no name) - (no file) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} -------------------------------------------------- Enumerating Task Scheduler jobs: Norton AntiVirus - Scan my computer.job Norton SystemWorks One Button Checkup.job QIC Autoupdate.job QIC Messenger Bkup.job QIC Messenger Periodic.job Symantec NetDetect.job -------------------------------------------------- Enumerating Download Program Files: [DirectAnimation Java Classes] CODEBASE = 
file://C:\WINNT\Java\classes\dajava.cab OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd [Microsoft XML Parser for Java] CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd [Shockwave Flash Object] InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINNT\System32\rnr20.dll NameSpace #2: C:\WINNT\System32\winrnr.dll Protocol #1: C:\WINNT\system32\msafd.dll Protocol #2: C:\WINNT\system32\msafd.dll Protocol #3: C:\WINNT\system32\msafd.dll Protocol #4: C:\WINNT\system32\rsvpsp.dll Protocol #5: C:\WINNT\system32\rsvpsp.dll Protocol #6: C:\WINNT\system32\msafd.dll Protocol #7: C:\WINNT\system32\msafd.dll Protocol #8: C:\WINNT\system32\msafd.dll Protocol #9: C:\WINNT\system32\msafd.dll Protocol #10: C:\WINNT\system32\msafd.dll Protocol #11: C:\WINNT\system32\msafd.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system) AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Alerter: %SystemRoot%\System32\services.exe (manual start) Application Management: %SystemRoot%\system32\services.exe (manual start) ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start) RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start) Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system) ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start) Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start) Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart) Computer Browser: %SystemRoot%\System32\services.exe (autostart) Symantec Event Manager: "C:\Program 
Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart) Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start) Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart) CD-ROM Driver: System32\DRIVERS\cdrom.sys (system) Indexing Service: C:\WINNT\system32\cisvc.exe (disabled) ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start) Game Port for Creative SB Live!: System32\DRIVERS\ctljystk.sys (manual start) DHCP Client: %SystemRoot%\System32\services.exe (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) Logical Disk Manager Driver: System32\drivers\dmio.sys (system) dmload: System32\drivers\dmload.sys (system) Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart) Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\services.exe (autostart) qpiwefxoivhk: C:\WINNT\system32\tjkhyoro6.exe (disabled) Intel(R) PRO Network Connection Driver: System32\DRIVERS\e100bnt5.sys (manual start) EDSP Port Driver: system32\DRIVERS\es56hpi.sys (manual start) Creative SB Live! 
Basic (WDM): system32\drivers\emu10k1.sys (manual start) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start) Fax Service: %systemroot%\system32\faxsvc.exe (manual start) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start) Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start) GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start) geoqgdug: System32\drivers\geoqgdug.sys (manual start) GhostStartService: C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE (autostart) GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) iPod Service: C:\Program Files\iPod\bin\iPodService.exe (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (manual start) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) ciyzyxbqmlmz: C:\WINNT\system32\shqybxyj6.exe (disabled) Server: %SystemRoot%\System32\services.exe (autostart) Workstation: %SystemRoot%\System32\services.exe (autostart) TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart) mesoifkr: System32\drivers\mesoifkr.sys (manual start) Messenger: %SystemRoot%\System32\services.exe (disabled) NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual 
start) Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start) Mouse Class Driver: System32\DRIVERS\mouclass.sys (system) MRXSMB: System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start) Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart) NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050227.007\NAVENG.Sys (manual start) NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050227.007\NavEx15.Sys (manual start) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBT: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (manual start) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Norton Unerase Protection Driver: \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS (manual start) Norton Unerase Protection: C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (autostart) NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start) Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) nv4: System32\DRIVERS\nv4.sys (manual start) IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start) IPX 
Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start) Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start) Parallel class driver: System32\DRIVERS\parallel.sys (manual start) Parallel port driver: System32\DRIVERS\parport.sys (system) PCI Bus Driver: System32\DRIVERS\pci.sys (system) PCIIde: System32\DRIVERS\pciide.sys (system) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart) WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start) Protected Storage: %SystemRoot%\system32\services.exe (autostart) Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start) Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system) Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Direct Parallel: System32\DRIVERS\raspti.sys (manual start) Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system) Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart) Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (system) SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system) SAVScan: C:\Program Files\Norton AntiVirus\SAVScan.exe (autostart) ScriptBlocking 
Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart) Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start) Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start) Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart) RunAs Service: %SystemRoot%\system32\services.exe (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start) Serial port driver: System32\DRIVERS\serial.sys (system) Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (manual start) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) Srv: System32\DRIVERS\srv.sys (manual start) Software Bus Driver: System32\DRIVERS\swenum.sys (manual start) Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start) Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart) SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start) symlcbrd: \??\C:\WINNT\system32\drivers\symlcbrd.sys (autostart) SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start) SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system) SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart) Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start) Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start) STOPzilla Service: C:\Program Files\Common Files\STOPzilla!\SZServer.exe (autostart) Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (autostart) Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start) Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart) Microsoft USB Universal Host Controller Driver: 
System32\DRIVERS\uhcd.sys (manual start) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start) Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start) Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start) VgaSave: \SystemRoot\System32\drivers\vga.sys (system) VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system) Windows Time: %SystemRoot%\System32\services.exe (manual start) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start) Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart) Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart) Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: *Registry value not found* -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll WebCheck: C:\WINNT\System32\webcheck.dll SysTray: stobject.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *No values found* -------------------------------------------------- Autorun entries from Registry: 
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- End of report, 30,021 bytes Report generated in 0.171 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only ========================================================================= ========================================================================= "Silent Runners.vbs", revision 29, launched at: 19:24 Output limited to non-default values, except where indicated by "{++}" Operating System: Windows 2000 Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Synchronization Manager" = "mobsync.exe /logon" [MS] "SAClient" = ""C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck" ["AT&T"] "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."] "NeroFilterCheck" = (no data) "STOPzilla" = "C:\Program Files\STOPzilla!\Stopzilla.exe /autostart" ["International Software Systems Solutions"] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"] "SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"] "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec 
Corporation"] "SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"] "EssSpkPhone" = "essspk.exe" [empty string] "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} "SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ ">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express Access" \StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS] "{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {E3215F20-3212-11D6-9F8B-00D0B743919D}\(Default) = (no title provided) -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\STOPzilla!\SZIEBHO.dll" ["International Software Systems Solutions"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> CLSID InProcServer32 resolves to: "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "MSN Desktop Search" -> CLSID InProcServer32 resolves to: "C:\Program Files\MSN Toolbar 
Suite\EXT\02.00.0001.1203\en-us\msnlExt.dll" ["Microsoft Corporation."] "{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar" -> CLSID InProcServer32 resolves to: "C:\Program Files\MSN Toolbar Suite\DB\02.00.0001.1203\en-us\deskbar.dll" ["Microsoft Corporation."] "{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension" -> CLSID InProcServer32 resolves to: "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> CLSID InProcServer32 resolves to: "D:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! "STOPzilla\DLLName" = "IS3WLHandler.dll" ["ISSS Inc."] Startup items in "Administrator" & "All Users" startup folders: --------------------------------------------------------------- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup "SoftStuff Wallpaper Changer" -> shortcut to: "D:\Program Files\SoftStuff\softstrt.exe" ["Softstuff Corporation"] C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup "MSN Desktop Search" -> shortcut to: "C:\Program Files\MSN Toolbar Suite\DS\02.00.0001.1203\en-us\bin\msnlAdmin.exe /startup" ["Microsoft Corporation."] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"] "Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"] 
"QIC Autoupdate" -> launches: "C:\Program Files\Insight\BBClient\Programs\AutoUpdate.exe" ["AT&T"] "QIC Messenger Bkup" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /NotCron" ["AT&T"] "QIC Messenger Periodic" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /AutoRun" ["AT&T"] "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE" ["Symantec Corporation"] iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] Norton Unerase Protection, NProtectService, "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"] SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"] STOPzilla Service, szserver, "C:\Program Files\Common Files\STOPzilla!\SZServer.exe" [empty string] Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. 
---------- ========================================================================= ========================================================================= * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ O^E says: "There were no files found :)" ________________________________________________ 1,005 items found: 1,005 files, 0 directories. Total of file sizes: 172,653,168 bytes 164.65 M Administrator Account = True --------------------End log--------------------- ========================================================================= ========================================================================= C:\Documents and Settings\Administrator\Desktop\HJT Programs\qoologic PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ Files Found in all users startup Folder............ ------------------------ ========================================================================= ========================================================================= Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing. Find.bat is running from: C:\Documents and Settings\Administrator\Desktop\HJT Programs\Find It NT-2K-XP ------- System Files in System32 Directory ------- Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/22/2005 12:00p <DIR> dllcache 0 File(s) 0 bytes 1 Dir(s) 16,506,605,568 bytes free ------- Hidden Files in System32 Directory ------- Volume in drive C has no label. 
Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 02/22/2005 12:00p <DIR> dllcache 01/14/2005 10:59a <DIR> GroupPolicy 0 File(s) 0 bytes 2 Dir(s) 16,506,605,568 bytes free ------------ Files Named "Guard" --------------- Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 ------ Temp Files in System32 Directory ------ Volume in drive C has no label. Volume Serial Number is 982D-E741 Directory of C:\WINNT\System32 03/31/2003 06:00a 44,032 ~GLH0019.TMP 07/01/2002 10:23p 115,920 ~GLH0015.TMP 03/13/2001 02:50p 2,494 ~GLH000e.TMP 03/13/2001 02:49p 140,288 ~GLH0010.TMP 12/07/1999 07:00a 2,577 CONFIG.TMP 5 File(s) 305,311 bytes 0 Dir(s) 16,506,605,568 bytes free ------------------ User Agent ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{9171EDA1-37B7-4138-9540-7178277C204A}"="" ------------- Keys Under Notify ------------- REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\STOPzilla] "Asyncronous"=dword:00000001 "DllName"="IS3WLHandler.dll" "Lock"="WLEventLock" "Logon"="WLEventLogon" "Logoff"="WLEventLogoff" "Shutdown"="WLEventShutdown" "StartScreenSaver"="WLEventStartScreenSaver" "StartShell"="WLEventStartStartShell" "Startup"="WLEventStartStartup" "StopScreenSaver"="WLEventStopScreenSaver" "Unlock"="WLEventUnlock" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif] "DLLName"="wzcdlg.dll" "Logon"="WZCEventLogon" "Logoff"="WZCEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000000 ------------- Locate.com Results ------------- No matches found. 
-------- Strings.exe Qoologic Results -------- --------- Strings.exe Aspack Results --------- -------------- HKLM Run Key ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Synchronization Manager"="mobsync.exe /logon" "SAClient"="\"C:\\Program Files\\Insight\\BBClient\\Programs\\RegCon.exe\" /admincheck" "iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe" "NeroFilterCheck"="" "STOPzilla"="C:\\Program Files\\STOPzilla!\\Stopzilla.exe /autostart" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe" "SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\Symtray.exe SetReg" "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe" "SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe" "EssSpkPhone"="essspk.exe" "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" =================================================================================== |
|
|
|
|
#19
Analyst, Security Team
Right click on this link and choose Save As. Save it somewhere. Now run that program and do a search for these (search and save them separately):
03A08522-1426-409B-7534-34DFE546E811
0FA37060-7A7A-2F4C-EE64-BF3652FFAD81
2718DD6D-E6FA-1188-2501-F0813784A5F3
8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1
8E5DA144-B0C4-4CBD-9309-2666F6D7AD77
B54DA59F-5766-DB0B-2F4A-4E40B009C7B0
F5A35E7E-A94F-C946-C01A-9E563E708D87

Save the file and post the contents in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.