rpen.exe??

sherm · 07-13-2005, 08:11 PM

Hey everyone.

I've been spyware free for a while now but just a few days ago I started getting all sorts of pop-ups. I ran just about every spyware scanner and got rid of most of the popups. However, I still get some every once in a while. The ones I get always seem to relate to what I'm looking at on the internet. For example, as I was searching for help on my spyware issue, I would get pop-ups about anti-spyware programs.

Anyways, the only supicious program running I see is rpen.exe. The file is located at C:\Windows\Program Files\etea\rpen.exe. I can't delete it as it always comes back and I can't end the process in the task manager as it's a System process.

Here's my Hijack This Analyzer log if it helps:

Code:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Spy Sweeper\SpySweeper.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:02:38 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\Program Files\etea\rpen.exe
C:\Program Files\Aim\Aim 2\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = *
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOAc...allerProj1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\dmiman32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


End of KRC HijackThis Analyzer Log.
====================================================================

sUBs · 07-14-2005, 02:08 AM

Please do the following:

Download L2MFix - Save to Desktop

This is a self extracting file. By double clicking on it, it will automatically extract it's contents to a new folder on Desktop.

Double click L2mfix.exe
When prompted, answer Accept
Then click the Install button to extract the files to a newly created folder named - L2mfix
Open the L2mfix folder & double click L2mfix.bat
Select option #1 for Run Find Log by typing 1 and pressing Enter.

This will scan your computer and it may appear as if nothing is happening for a period of few minutes. When it has finished, you will be presented with a log. Copy the contents of that log and paste it into this thread.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Post a fresh HijackThis log that isn't analysed & DO NOT enclose in a code box

sherm · 07-14-2005, 06:20 AM

L2MFix:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dmiman32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FE533A60-BFF9-CAD5-378E-39CC0737999C}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{6C125022-639D-43cc-9F3D-647E6CC69EF1}"="ContextBG"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{8D775404-DD7B-11D3-BC49-906B51C10000}"="TraybarCtxMenu"
"{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}"="ContextAware by Grigri"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{ABC70703-32AF-11d4-90C4-D483A70F4825}"="CMenuExtender"
"{4EFE464B-3D0B-4800-A5DE-2321283A3256}"="QCD IconHandler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B8566D48-E479-4643-9E9B-E7854A55F5A4}"=""
"{805A4A1E-2B56-475E-94D1-F86A91D4F486}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B8566D48-E479-4643-9E9B-E7854A55F5A4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8566D48-E479-4643-9E9B-E7854A55F5A4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8566D48-E479-4643-9E9B-E7854A55F5A4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8566D48-E479-4643-9E9B-E7854A55F5A4}\InprocServer32]
@="C:\\WINDOWS\\system32\\dksrslvr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Mon May 2 2005 4:52:34p A.... 1,019,904 996.00 K
cdfview.dll Mon May 2 2005 4:52:34p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
dksrslvr.dll Wed Jul 13 2005 9:58:28p ..S.R 417,792 408.00 K
dmiman32.dll Mon Jul 11 2005 5:38:22p ..S.R 417,792 408.00 K
gccoll~1.dll Fri Jun 24 2005 3:24:22p A.... 126,680 123.71 K
hashlib.dll Fri Jun 24 2005 3:24:22p A.... 117,976 115.21 K
hhsetup.dll Thu May 26 2005 10:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 9:46:00p A.... 254,976 249.00 K
iepeers.dll Mon May 2 2005 4:52:34p A.... 250,880 245.00 K
inseng.dll Mon May 2 2005 4:52:34p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 10:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 10:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
ivrtrmgr.dll Mon Jul 11 2005 12:04:38p ..S.R 417,792 408.00 K
krdnec.dll Mon Jul 11 2005 5:04:56p ..S.R 417,792 408.00 K
krdpl.dll Mon Jul 11 2005 5:04:52p ..S.R 417,792 408.00 K
mhutilse.dll Wed Jul 13 2005 6:39:26p ..S.R 417,792 408.00 K
mscms.dll Tue Jun 28 2005 9:46:00p A.... 74,240 72.50 K
mshtml.dll Mon May 2 2005 4:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 4:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 4:52:36p A.... 146,432 143.00 K
pngfilt.dll Mon May 2 2005 4:52:36p A.... 39,424 38.50 K
shdocvw.dll Mon May 2 2005 4:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 4:52:36p A.... 473,600 462.50 K
urlmon.dll Mon May 2 2005 4:52:36p A.... 607,744 593.50 K
vusns.dll Sun Jul 10 2005 1:00:40a A.... 0 0.00 K
wininet.dll Mon May 2 2005 4:52:36p A.... 657,920 642.50 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 8:25:36p ..... 15,360 15.00 K

37 items found: 37 files (6 H/S), 0 directories.
Total of file sizes: 17,345,616 bytes 16.54 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sun Jul 10 2005 12:42:26a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is C
Volume Serial Number is 30B9-9FF5

Directory of C:\WINDOWS\System32

07/13/2005 09:58 PM 417,792 dksrslvr.dll
07/13/2005 06:39 PM 417,792 mhutilse.dll
07/11/2005 05:38 PM 417,792 dmiman32.dll
07/11/2005 05:04 PM 417,792 krdnec.dll
07/11/2005 05:04 PM 417,792 krdpl.dll
07/11/2005 12:04 PM 417,792 ivrtrmgr.dll
07/10/2005 05:01 PM <DIR> dllcache
07/10/2005 12:42 AM 417,792 guard.tmp
01/11/2005 09:54 PM 6,144 Thumbs.db
09/05/2004 11:08 PM <DIR> Microsoft
05/30/2004 12:57 AM 204,800 archlib.dll
9 File(s) 3,135,488 bytes
2 Dir(s) 75,969,716,224 bytes free

New Hijack This report:

Logfile of HijackThis v1.99.1
Scan saved at 8:20:04 AM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\Program Files\Spy Sweeper\SpySweeper.exe
C:\Program Files\etea\rpen.exe
C:\Program Files\Aim\Aim 2\aim.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = *
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOAc...allerProj1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\dmiman32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

sUBs · 07-14-2005, 07:47 AM

Close all open programs

From the L2mfix folder on your desktop, double click L2mfix.bat

Select option #2 for Run Fix by typing 2 and then press enter
Press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log.

Please Do NOT run any other files in the l2mfix folder until you are told to

sUBs · 07-14-2005, 09:51 AM

Please visit this website - virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\Program Files\etea\rpen.exe

sherm · 07-14-2005, 03:12 PM

New L2m log:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Chad\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Chad\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Chad\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1224 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2012 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\danput8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\danput8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dksrslvr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dksrslvr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmiman32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dmiman32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ivrtrmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ivrtrmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdnec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdnec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdpl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdpl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhutilse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\slell32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\slell32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uhrcntra.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uhrcntra.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\danput8.dll
Successfully Deleted: C:\WINDOWS\system32\danput8.dll
deleting: C:\WINDOWS\system32\danput8.dll
Successfully Deleted: C:\WINDOWS\system32\danput8.dll
deleting: C:\WINDOWS\system32\dksrslvr.dll
Successfully Deleted: C:\WINDOWS\system32\dksrslvr.dll
deleting: C:\WINDOWS\system32\dksrslvr.dll
Successfully Deleted: C:\WINDOWS\system32\dksrslvr.dll
deleting: C:\WINDOWS\system32\dmiman32.dll
Successfully Deleted: C:\WINDOWS\system32\dmiman32.dll
deleting: C:\WINDOWS\system32\dmiman32.dll
Successfully Deleted: C:\WINDOWS\system32\dmiman32.dll
deleting: C:\WINDOWS\system32\ivrtrmgr.dll
Successfully Deleted: C:\WINDOWS\system32\ivrtrmgr.dll
deleting: C:\WINDOWS\system32\ivrtrmgr.dll
Successfully Deleted: C:\WINDOWS\system32\ivrtrmgr.dll
deleting: C:\WINDOWS\system32\krdnec.dll
Successfully Deleted: C:\WINDOWS\system32\krdnec.dll
deleting: C:\WINDOWS\system32\krdnec.dll
Successfully Deleted: C:\WINDOWS\system32\krdnec.dll
deleting: C:\WINDOWS\system32\krdpl.dll
Successfully Deleted: C:\WINDOWS\system32\krdpl.dll
deleting: C:\WINDOWS\system32\krdpl.dll
Successfully Deleted: C:\WINDOWS\system32\krdpl.dll
deleting: C:\WINDOWS\system32\mhutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mhutilse.dll
deleting: C:\WINDOWS\system32\mhutilse.dll
Successfully Deleted: C:\WINDOWS\system32\mhutilse.dll
deleting: C:\WINDOWS\system32\slell32.dll
Successfully Deleted: C:\WINDOWS\system32\slell32.dll
deleting: C:\WINDOWS\system32\slell32.dll
Successfully Deleted: C:\WINDOWS\system32\slell32.dll
deleting: C:\WINDOWS\system32\uhrcntra.dll
Successfully Deleted: C:\WINDOWS\system32\uhrcntra.dll
deleting: C:\WINDOWS\system32\uhrcntra.dll
Successfully Deleted: C:\WINDOWS\system32\uhrcntra.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: danput8.dll (188 bytes security) (deflated 48%)
adding: dksrslvr.dll (188 bytes security) (deflated 48%)
adding: dmiman32.dll (188 bytes security) (deflated 48%)
adding: ivrtrmgr.dll (188 bytes security) (deflated 48%)
adding: krdnec.dll (188 bytes security) (deflated 48%)
adding: krdpl.dll (188 bytes security) (deflated 48%)
adding: mhutilse.dll (188 bytes security) (deflated 48%)
adding: slell32.dll (188 bytes security) (deflated 48%)
adding: uhrcntra.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 37%)
adding: echo.reg (188 bytes security) (deflated 8%)
adding: direct.txt (188 bytes security) (stored 0%)
adding: lo2.txt (188 bytes security) (deflated 84%)
adding: readme.txt (188 bytes security) (deflated 49%)
adding: report.txt (188 bytes security) (deflated 65%)
adding: test.txt (188 bytes security) (deflated 85%)
adding: test2.txt (188 bytes security) (deflated 17%)
adding: test3.txt (188 bytes security) (deflated 17%)
adding: test5.txt (188 bytes security) (deflated 17%)
adding: xfind.txt (188 bytes security) (deflated 82%)
adding: backregs/B8566D48-E479-4643-9E9B-E7854A55F5A4.reg (188 bytes security) (deflated 70%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: danput8.dll
deleting local copy: danput8.dll
deleting local copy: dksrslvr.dll
deleting local copy: dksrslvr.dll
deleting local copy: dmiman32.dll
deleting local copy: dmiman32.dll
deleting local copy: ivrtrmgr.dll
deleting local copy: ivrtrmgr.dll
deleting local copy: krdnec.dll
deleting local copy: krdnec.dll
deleting local copy: krdpl.dll
deleting local copy: krdpl.dll
deleting local copy: mhutilse.dll
deleting local copy: mhutilse.dll
deleting local copy: slell32.dll
deleting local copy: slell32.dll
deleting local copy: uhrcntra.dll
deleting local copy: uhrcntra.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\danput8.dll
C:\WINDOWS\system32\danput8.dll
C:\WINDOWS\system32\dksrslvr.dll
C:\WINDOWS\system32\dksrslvr.dll
C:\WINDOWS\system32\dmiman32.dll
C:\WINDOWS\system32\dmiman32.dll
C:\WINDOWS\system32\ivrtrmgr.dll
C:\WINDOWS\system32\ivrtrmgr.dll
C:\WINDOWS\system32\krdnec.dll
C:\WINDOWS\system32\krdnec.dll
C:\WINDOWS\system32\krdpl.dll
C:\WINDOWS\system32\krdpl.dll
C:\WINDOWS\system32\mhutilse.dll
C:\WINDOWS\system32\mhutilse.dll
C:\WINDOWS\system32\slell32.dll
C:\WINDOWS\system32\slell32.dll
C:\WINDOWS\system32\uhrcntra.dll
C:\WINDOWS\system32\uhrcntra.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B8566D48-E479-4643-9E9B-E7854A55F5A4}"=-
"{805A4A1E-2B56-475E-94D1-F86A91D4F486}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B8566D48-E479-4643-9E9B-E7854A55F5A4}]
[-HKEY_CLASSES_ROOT\CLSID\{805A4A1E-2B56-475E-94D1-F86A91D4F486}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:11:31 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\Program Files\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\etea\rpen.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = *
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOAc...allerProj1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I'll get back to you on the virus information you requested from the website.

sherm · 07-14-2005, 03:14 PM

Here's the virus scan information:

File: rpen.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 dd0b887c0394ea8723df1207f9c7dc8e
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Adware.MediaTickets application
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

sUBs · 07-14-2005, 03:25 PM

Until such time we've fully disinfected your machine, I suggest you stop using Interent Explorer.
Please download & use an alternative browser like Firefox.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.

It is also important you don't miss a step and perform everything in the right order!!.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

~~~~~~~~~~~~~~

Double click L2mfix.bat
Select option #4 - Merge Winlogon Notify Defaults - by typing 4
Type E to exit the program.
(You may delete the L2MFix folder after that)

~~~~~~~~~~~~~~

Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading

CleanUp! - Install

SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs to Desktop.

rkfiles.zip - Unzip to a new folder on Desktop

remv3.zip (look for the attachment) - Unzip to a new folder on the root drive C

~~~~~~~~~~~~~~

Please disable Webroot SpySweeper & Ewido's real-time scanner, as they may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:

Go to the Options>Program Options
Uncheck Load at Windows Startup
Click Shields & uncheck all items there
Uncheck Home page shield.
Automaticly restore default without notifiction

To disable Ewido's real-time scanner:

Double click on the Ewido icon in system try
Click on the status button
Select Remove Guard

~~~~~~~~~~~~~~

Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present

CxtPls
Media Tickets

~~~~~~~~~~~~~~

Run a HiJackThis scan. Select the following entries & click Fix checked :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = *
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOA...tallerProj1.cab

~~~~~~~~~~~~~~

Reboot to SafeMode

Shut Windows down, and then turn off the computer.
Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
[Windows Advanced Options] menu appears.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~

Enable the viewing of Hidden files

Double-click on the My Computer icon.
Select the View menu and then click Folder Options.
After the new window appears select the View tab.
Scroll down until you see the Show all files radio button and select it.
Press the Apply button and then the OK button and close the My Computer window.
Now your computer is configured to show all hidden files.

= = =

Locate and delete the following folder(s), if present:

C:\Program Files\etea\

~~~~~~~~~~~~~~

Run Cleanup! & configure the program up as follows:

Click Options...
Move the arrow down to Custom CleanUp!
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup

~~~~~~~~~~~~~~

From the folder where you unzipped rkfiles to, double click rkfiles.bat
It will scan for awhile, so please be patient.
Wait until the DOS window closes.
Open the C:\log.txt it created and rename it log1.txt.

Now Open the folder were you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as it’s output file so make sure you save the entry’s from one tools log before running the other as it will overwrite the file if you don’t.

~~~~~~~~~~~~~~

Reboot to Normal Mode

Do an online scan at Panda. Take note of files it fails to disinfect. (names and locations)
* Turn off the real time scanner of any existing antivirus program while performing the online scan

~~~~~~~~~~~~~~

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts
Double-click SilentRunners.vbs to run it. This will take a few minutes.
When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.

~~~~~~~~~~~~~~

In your next post, please include fresh copies of:

1. HiJackThis log
2. List of files that online scans failed to disinfect
3. rkfiles & remv3 logs
4. SilentRunner's log

Please provide details of any problems you encountered whilst performing the above steps.
Update us on how your computer behaves now

sherm · 07-14-2005, 05:35 PM

All done. Here are the logs:

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 7:33:56 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\Program Files\etea\rpen.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Files that Panda didn't disenfect:

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[danput8.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[dksrslvr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[dmiman32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[ivrtrmgr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[krdnec.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[krdpl.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[mhutilse.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[slell32.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[uhrcntra.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[guard.tmp]
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C801EE57-BF97-4019-B85F-E0409A\4140DF58-2EA6-4F3C-8E8D-F97C2B
Adware:Adware/BookedSpace No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D8390C4C-C05A-47A6-BD9E-E5CE8A\793BD69C-49D3-473C-B9A8-1F7CCA
Adware:Adware/Startpage.ACY No disinfected C:\Program Files\support.com\adelphia\scripts\IEconfig.vbs
Possible Virus. No disinfected C:\Program Files\System Mechanic\Search and Recover\streamserver.exe
Adware:Adware/Twain-Tech No disinfected C:\Program Files\System Mechanic\Undo\Manual\{9CA6026F-B1B3-4E3C-99F1-B6FF9135CD47}\{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf[{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf]
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.log
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\SplWbr.dll
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml

Rkfiles log:

C:\Documents and Settings\Chad\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\locate.com: WAUPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: peC2"y)Q

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\ru.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

Remv3 log:

The batch is run from -- C:\Documents and Settings\Chad\Desktop\remv

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is C
Volume Serial Number is 30B9-9FF5

Directory of C:\WINDOWS\system32

msi.dll
Finished

Silent runner log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"ATIPTA" = "C:\WINDOWS\ATIPTAXX.EXE" ["ATI Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}" = "ContextAware by Grigri"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{4EFE464B-3D0B-4800-A5DE-2321283A3256}" = "QCD IconHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Quintessential Player\QCDIcons.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ContextAware\(Default) = "{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Scheduled Tasks:
------------------------

"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\Aim\Aim 2\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.emachines.com

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "bar" = "C:\Documents and Settings\Chad\My Documents\bar.html" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 14 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 15 seconds.
---------- (total run time: 44 seconds)

sherm · 07-14-2005, 05:37 PM

As for how the computer is working now;

I haven't gotten any of the popups lately but I haven't done any internet browsing which is when most of them seem to occur.

sUBs · 07-14-2005, 11:56 PM

There's a folder I couldn't find enough info about - C:\Program Files\ContextAware
Can You tell me more about it? Is it a program you've installed? Does it have an entry in Add/Remove programs?

In the interest of safety, please visit this website - virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\Program Files\ContextAware\ContextAware.dll

Panda's online scan has detected malware in Microsoft Antispyware Qurantine folder. You may clear the quarantine cache by doing so..

Double click on the Microsoft Antispyware icon in system tray
Go to Tools>Spyware Scan>Manage Spyware Quarantine
Select all items listed under "Quarantine Threats" & Click "Permanently remove all checked threats"

= = = = = = = = = = =

Please download these additional files/programs. Unless otherwise stated, they should be stored in same directory as the HiJackThis program. Do not run them unless instructed to do so.

KillBox v2.0.0.175

Unplug your computer from the Internet when you have finished downloading

= = = = = = = = = = =

Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present

AutoUpdate

= = = = = = = = = = =

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\WINDOWS\system32\stlb2.xml
C:\Program Files\support.com\adelphia\scripts\IEconfig.vbs
C:\Program Files\System Mechanic\Undo\Manual\{9CA6026F-B1B3-4E3C-99F1-B6FF9135CD47}\{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf[{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf]
C:\WINDOWS\ru.exe
C:\WINDOWS\system\UpdInst.exe
C:\WINDOWS\system32\auto_update_uninstall.exe
C:\WINDOWS\system32\auto_update_uninstall.log
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\SplWbr.dll
C:\WINDOWS\system32\stlb2.xm
C:\Program Files\AutoUpdate\AutoUpdate.exe

Start KillBox.
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" * if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

= = = = = = = = = = =

Reboot & delete these folders -

C:\Program Files\AutoUpdate
C:\Program Files\etea\

Post a fresh HJT log after that

sherm · 07-15-2005, 08:37 PM

I'll get to work on that...

As for ContextAware, it is a program I installed. It adds a menu item to the desktop right click menu. I put some shortcuts to my various harddrives and often-used folders. It's quite handy.

sherm · 07-15-2005, 08:46 PM

New Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:54 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\WINDOWS\system32\rpen.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

sUBs · 07-15-2005, 09:12 PM

Did you see that?

We burnt it's house down & it shifted to the system32 directory.

Download & launch APT.
Locate the process - C:\WINDOWS\system32\rpen.exe
Select Kill 3

===================

Then, start KillBox & paste the following locations into KillBox:

C:\WINDOWS\system32\rpen.exe

Checkmark the following boxes :

Replace on Reboot
End Explorer Shell While Killing File
Use Dummy

Click the RED X button and
Answer YES when asked to confirm file deletion
Answer YES when prompted to reboot now

===================

Upon reboot, download this file & unzip it to a folder on Desktop.
Within that folder, double click on activesetup.vbs.

When it has finished running, it will pop up a 'Finish" message. A log will be created within that folder.
Post the contents of that log in your next reply along with fresh copies of HJT log & a new SilentRunner log.

sherm · 07-15-2005, 09:28 PM

Activesetup log:

"Find activesetup", version1, launched at: 23:23
Operating System: Windows XP SP2

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:55 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\Program Files\etea\rpen.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

SilentRunners log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"ATIPTA" = "C:\WINDOWS\ATIPTAXX.EXE" ["ATI Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}" = "ContextAware by Grigri"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{4EFE464B-3D0B-4800-A5DE-2321283A3256}" = "QCD IconHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Quintessential Player\QCDIcons.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ContextAware\(Default) = "{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Scheduled Tasks:
------------------------

"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\Aim\Aim 2\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.emachines.com

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "bar" = "C:\Documents and Settings\Chad\My Documents\bar.html" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 155 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 192 seconds)

sUBs · 07-15-2005, 10:00 PM

Let's take an even deeper look

Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post that log file here.

Please visit this website - virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\Program Files\Aim\Aim 2\aim.exe

sherm · 07-16-2005, 10:07 AM

StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-07-16 @ 12:05:39 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Chad at CHAD

»Registry
»Run Keys
»Current User
»Run
+AutorunsDisabled
*LogitechSoftwareUpdate="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
»RunOnce
+Setup
»Default User
»Run
*Usrr=C:\Program Files\etea\rpen.exe
»RunOnce
»Local Machine
»Run
*nwiz=nwiz.exe /install
*ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
*McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
*ATIPTA=C:\WINDOWS\ATIPTAXX.EXE
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot\blindman.exe" %1
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Default_Search_URL=http://search.msn.com
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=http://www.google.com/ie
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.google.com/
+SearchUrl
*provider=
+g
*=http://www.google.com/search?hl=en&lr=&q=%s
* =+
*+=%2B
*%=%25
*&=%26
*#=%23
»Default User
*Default_Search_URL=http://home.microsoft.com/search/lobby/search.asp
*Search Bar=http://home.microsoft.com/search/lobby/search.asp
*Start Page=http://www.emachines.com
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»Local Machine
*Default_Page_URL=http://www.emachines.com
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Bar=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.google.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*0aMCPClient={F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}
`InprocServer32=
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=C:\WINDOWS\system32\upnpui.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=explorer.exe
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Chad\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Chad\Start Menu\Programs\Startup\AutorunsDisabled\TClock2.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL = C:\DOCUME~1\Chad\LOCALS~1\Temp\topmins1.exe
*C:\WINDOWS\system32\drivers\etc\hosts
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\system32\Ntrights.exe
*C:\Program Files\Windows Resource Kits\Tools\ntrights.exe
+C:\WINDOWS\system32\regini.exe
*C:\Program Files\Windows Resource Kits\Tools\regini.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
*C:\WINDOWS\slrundll.exe
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\_default.pif
*C:\WINDOWS\_default.pif
+C:\WINDOWS\alcrmv.exe
*C:\WINDOWS\alcrmv.exe
+C:\WINDOWS\alcupd.exe
*C:\WINDOWS\alcupd.exe
+C:\WINDOWS\AolCInUn.exe
*C:\WINDOWS\AolCInUn.exe
+C:\WINDOWS\atiadaxx.exe
*C:\WINDOWS\atiadaxx.exe
+C:\WINDOWS\atiiprxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiiprxx.exe
*C:\WINDOWS\atiiprxx.exe
+C:\WINDOWS\atiphexx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiphexx.exe
*C:\WINDOWS\atiphexx.exe
+C:\WINDOWS\atiprbxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiprbxx.exe
*C:\WINDOWS\atiprbxx.exe
+C:\WINDOWS\atiptaxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*C:\WINDOWS\atiptaxx.exe
+C:\WINDOWS\explorer.exe
*C:\WINDOWS\explorer.exe
+C:\WINDOWS\explorer_original.exe
*C:\WINDOWS\explorer_original.exe
+C:\WINDOWS\hh.exe
*C:\WINDOWS\hh.exe
+C:\WINDOWS\ieuninst.exe
*C:\WINDOWS\ieuninst.exe
+C:\WINDOWS\InstIt.exe
*C:\WINDOWS\InstIt.exe
+C:\WINDOWS\IsUninst.exe
*C:\WINDOWS\IsUninst.exe
+C:\WINDOWS\mattie54.exe
*C:\WINDOWS\mattie54.exe
+C:\WINDOWS\mHotkey.exe
*C:\WINDOWS\mHotkey.exe
+C:\WINDOWS\MSDEVRC.exe
*C:\WINDOWS\MSDEVRC.exe
+C:\WINDOWS\muninst.exe
*C:\WINDOWS\muninst.exe
+C:\WINDOWS\nzmlymw.exe
*C:\WINDOWS\nzmlymw.exe
+C:\WINDOWS\oeuninst.exe
*C:\WINDOWS\oeuninst.exe
+C:\WINDOWS\PATCH.EXE
*C:\WINDOWS\PATCH.EXE
+C:\WINDOWS\regedit.exe
*C:\WINDOWS\regedit.exe
+C:\WINDOWS\ru.exe
*C:\WINDOWS\ru.exe
+C:\WINDOWS\runtsckl.exe
*C:\WINDOWS\runtsckl.exe
+C:\WINDOWS\setdebug.exe
*C:\WINDOWS\setdebug.exe
+C:\WINDOWS\SOUNDMAN.EXE
*C:\WINDOWS\SOUNDMAN.EXE
+C:\WINDOWS\tsc.exe
*C:\WINDOWS\tsc.exe
+C:\WINDOWS\twunk_16.exe
*C:\WINDOWS\twunk_16.exe
+C:\WINDOWS\twunk_32.exe
*C:\WINDOWS\twunk_32.exe
+C:\WINDOWS\UnGins.exe
*C:\WINDOWS\UnGins.exe
+C:\WINDOWS\UniFish3.exe
*C:\WINDOWS\UniFish3.exe
+C:\WINDOWS\uninst.exe
*C:\WINDOWS\uninst.exe
+C:\WINDOWS\UninstallFirefox.exe
*C:\WINDOWS\UninstallFirefox.exe
+C:\WINDOWS\UnInstallX.exe
*C:\WINDOWS\UnInstallX.exe
+C:\WINDOWS\unvise32qt.exe
*C:\WINDOWS\unvise32qt.exe
+C:\WINDOWS\winhelp.exe
*C:\WINDOWS\winhelp.exe
+C:\WINDOWS\wmback.exe
*C:\WINDOWS\wmback.exe
+C:\WINDOWS\NewFolder.vbs
*C:\WINDOWS\NewFolder.vbs
+C:\Program Files\Windows Resource Kits\Tools\tcmon.exe
*C:\Program Files\Windows Resource Kits\Tools\tcmon.bat
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+380=\SystemRoot\System32\smss.exe
+664=\??\C:\WINDOWS\system32\csrss.exe
+688=\??\C:\WINDOWS\system32\winlogon.exe
+732=C:\WINDOWS\system32\services.exe
+744=C:\WINDOWS\system32\lsass.exe
+888=C:\WINDOWS\system32\svchost.exe
+944=C:\WINDOWS\system32\svchost.exe
+980=C:\WINDOWS\System32\svchost.exe
+1028=C:\WINDOWS\System32\svchost.exe
+1344=C:\WINDOWS\system32\spoolsv.exe
+1416=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1440=C:\Program Files\Network Associates\VirusScan\mcshield.exe
+1472=C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
+1624=C:\WINDOWS\System32\svchost.exe
+1684=C:\WINDOWS\system32\wdfmgr.exe
+1916=C:\WINDOWS\System32\alg.exe
+1408=C:\WINDOWS\Explorer.EXE
+1964=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
+1976=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
+1996=C:\WINDOWS\ATIPTAXX.EXE
+708=C:\Program Files\etea\rpen.exe
+2844=C:\Program Files\Aim\Aim 2\aim.exe
+3324=C:\Program Files\Winamp\winamp.exe
+2412=C:\Program Files\Soulseek\slsk.exe
+2540=C:\Program Files\Mozilla Firefox\firefox.exe
+528=C:\Documents and Settings\Chad\Desktop\startdreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

As for the AIM 2 program, it is actually just AIM. I have two different versions installed and I put the second in the AIM 2 folder.

sUBs · 07-16-2005, 01:10 PM

I have attached a file to this post.
Download - rpen.txt - & rename it "rpen.bat" (inclusive of quotes)

Reboot to Safe Mode

Double click on rpen.bat.
When it has finished, you will received a message "ALL DONE"

Reboot to Normal Mode

Post a fresh HJT log along with a fresh StartDreck log

sherm · 07-16-2005, 10:19 PM

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:22 AM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Aim\Aim 2\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Startdreck:

StartDreck (build 2.1.7 public stable) - 2005-07-17 @ 00:18:55 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Chad at CHAD

»Registry
»Run Keys
»Current User
»Run
+AutorunsDisabled
*LogitechSoftwareUpdate="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
»RunOnce
+Setup
»Default User
»Run
»RunOnce
»Local Machine
»Run
*nwiz=nwiz.exe /install
*ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
*McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
*ATIPTA=C:\WINDOWS\ATIPTAXX.EXE
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot\blindman.exe" %1
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Default_Search_URL=http://search.msn.com
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=http://www.google.com/ie
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.google.com/
+SearchUrl
*provider=
+g
*=http://www.google.com/search?hl=en&lr=&q=%s
* =+
*+=%2B
*%=%25
*&=%26
*#=%23
»Default User
*Default_Search_URL=http://home.microsoft.com/search/lobby/search.asp
*Search Bar=http://home.microsoft.com/search/lobby/search.asp
*Start Page=http://www.emachines.com
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»Local Machine
*Default_Page_URL=http://www.emachines.com
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Bar=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.google.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*0aMCPClient={F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}
`InprocServer32=
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=C:\WINDOWS\system32\upnpui.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=explorer.exe
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Chad\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Chad\Start Menu\Programs\Startup\AutorunsDisabled\TClock2.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL = C:\DOCUME~1\Chad\LOCALS~1\Temp\topmins1.exe
*C:\WINDOWS\system32\drivers\etc\hosts
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\system32\Ntrights.exe
*C:\Program Files\Windows Resource Kits\Tools\ntrights.exe
+C:\WINDOWS\system32\regini.exe
*C:\Program Files\Windows Resource Kits\Tools\regini.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
*C:\WINDOWS\slrundll.exe
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\_default.pif
*C:\WINDOWS\_default.pif
+C:\WINDOWS\alcrmv.exe
*C:\WINDOWS\alcrmv.exe
+C:\WINDOWS\alcupd.exe
*C:\WINDOWS\alcupd.exe
+C:\WINDOWS\AolCInUn.exe
*C:\WINDOWS\AolCInUn.exe
+C:\WINDOWS\atiadaxx.exe
*C:\WINDOWS\atiadaxx.exe
+C:\WINDOWS\atiiprxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiiprxx.exe
*C:\WINDOWS\atiiprxx.exe
+C:\WINDOWS\atiphexx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiphexx.exe
*C:\WINDOWS\atiphexx.exe
+C:\WINDOWS\atiprbxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiprbxx.exe
*C:\WINDOWS\atiprbxx.exe
+C:\WINDOWS\atiptaxx.exe
*C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*C:\WINDOWS\atiptaxx.exe
+C:\WINDOWS\explorer.exe
*C:\WINDOWS\explorer.exe
+C:\WINDOWS\explorer_original.exe
*C:\WINDOWS\explorer_original.exe
+C:\WINDOWS\hh.exe
*C:\WINDOWS\hh.exe
+C:\WINDOWS\ieuninst.exe
*C:\WINDOWS\ieuninst.exe
+C:\WINDOWS\InstIt.exe
*C:\WINDOWS\InstIt.exe
+C:\WINDOWS\IsUninst.exe
*C:\WINDOWS\IsUninst.exe
+C:\WINDOWS\mHotkey.exe
*C:\WINDOWS\mHotkey.exe
+C:\WINDOWS\MSDEVRC.exe
*C:\WINDOWS\MSDEVRC.exe
+C:\WINDOWS\muninst.exe
*C:\WINDOWS\muninst.exe
+C:\WINDOWS\oeuninst.exe
*C:\WINDOWS\oeuninst.exe
+C:\WINDOWS\PATCH.EXE
*C:\WINDOWS\PATCH.EXE
+C:\WINDOWS\regedit.exe
*C:\WINDOWS\regedit.exe
+C:\WINDOWS\setdebug.exe
*C:\WINDOWS\setdebug.exe
+C:\WINDOWS\SOUNDMAN.EXE
*C:\WINDOWS\SOUNDMAN.EXE
+C:\WINDOWS\tsc.exe
*C:\WINDOWS\tsc.exe
+C:\WINDOWS\twunk_16.exe
*C:\WINDOWS\twunk_16.exe
+C:\WINDOWS\twunk_32.exe
*C:\WINDOWS\twunk_32.exe
+C:\WINDOWS\uninst.exe
*C:\WINDOWS\uninst.exe
+C:\WINDOWS\UninstallFirefox.exe
*C:\WINDOWS\UninstallFirefox.exe
+C:\WINDOWS\UnInstallX.exe
*C:\WINDOWS\UnInstallX.exe
+C:\WINDOWS\winhelp.exe
*C:\WINDOWS\winhelp.exe
+C:\WINDOWS\wmback.exe
*C:\WINDOWS\wmback.exe
+C:\WINDOWS\NewFolder.vbs
*C:\WINDOWS\NewFolder.vbs
+C:\Program Files\Windows Resource Kits\Tools\tcmon.exe
*C:\Program Files\Windows Resource Kits\Tools\tcmon.bat
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+384=\SystemRoot\System32\smss.exe
+668=\??\C:\WINDOWS\system32\csrss.exe
+692=\??\C:\WINDOWS\system32\winlogon.exe
+736=C:\WINDOWS\system32\services.exe
+748=C:\WINDOWS\system32\lsass.exe
+888=C:\WINDOWS\system32\svchost.exe
+948=C:\WINDOWS\system32\svchost.exe
+984=C:\WINDOWS\System32\svchost.exe
+1036=C:\WINDOWS\System32\svchost.exe
+1348=C:\WINDOWS\system32\spoolsv.exe
+1424=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1448=C:\Program Files\Network Associates\VirusScan\mcshield.exe
+1476=C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
+1644=C:\WINDOWS\System32\svchost.exe
+1728=C:\WINDOWS\system32\wdfmgr.exe
+1916=C:\WINDOWS\System32\alg.exe
+560=C:\WINDOWS\Explorer.EXE
+840=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
+844=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
+784=C:\WINDOWS\ATIPTAXX.EXE
+1012=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
+516=C:\Program Files\Mozilla Firefox\firefox.exe
+1196=C:\Program Files\Aim\Aim 2\aim.exe
+1248=C:\WINDOWS\system32\wuauclt.exe
+2220=C:\Program Files\Winamp\winamp.exe
+3516=C:\Documents and Settings\Chad\Desktop\startdreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

sUBs · 07-16-2005, 10:42 PM

I dont see rpen.exe anymore. Do you??

Your log is clean. Well done

Do you have any more problems with your computer? If not, you should be set to go.

However, there still remains a few bits of housekeeping ...

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Clear Java Cache

Click Start >Settings>Control Panel
Click the Java Plugin Icon
Click the Cache tab
Click the Clear button and click OK to confirm

Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun Java's cache.

Create a new System Restore point

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

07-14-2005, 02:08 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	Please do the following: Download L2MFix - Save to Desktop This is a self extracting file. By double clicking on it, it will automatically extract it's contents to a new folder on Desktop. Double click L2mfix.exe When prompted, answer Accept Then click the Install button to extract the files to a newly created folder named - L2mfix Open the L2mfix folder & double click L2mfix.bat Select option #1 for Run Find Log by typing 1 and pressing Enter. This will scan your computer and it may appear as if nothing is happening for a period of few minutes. When it has finished, you will be presented with a log. Copy the contents of that log and paste it into this thread. If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files. IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! Post a fresh HijackThis log that isn't analysed & DO NOT enclose in a code box __________________ Question - what have you done for the community today?

07-14-2005, 07:47 AM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	Close all open programs From the L2mfix folder on your desktop, double click L2mfix.bat Select option #2 for Run Fix by typing 2 and then press enter Press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log. Please Do NOT run any other files in the l2mfix folder until you are told to __________________ Question - what have you done for the community today?

07-14-2005, 09:51 AM	#5 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	Please visit this website - virusscan.jotti.org Submit these file(s) for a comprehensive scan & then post the results back here. C:\Program Files\etea\rpen.exe __________________ Question - what have you done for the community today?

07-14-2005, 03:25 PM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	Until such time we've fully disinfected your machine, I suggest you stop using Interent Explorer. Please download & use an alternative browser like Firefox. It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. It is also important you don't miss a step and perform everything in the right order!!. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. ~~~~~~~~~~~~~~ Double click L2mfix.bat Select option #4 - Merge Winlogon Notify Defaults - by typing 4 Type E to exit the program. (You may delete the L2MFix folder after that) ~~~~~~~~~~~~~~ Please download these additional files/programs :- (Do not run them unless instructed to do so) Unplug your computer from the Internet when you have finished downloading CleanUp! - Install SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs to Desktop. rkfiles.zip - Unzip to a new folder on Desktop remv3.zip (look for the attachment) - Unzip to a new folder on the root drive C ~~~~~~~~~~~~~~ Please disable Webroot SpySweeper & Ewido's real-time scanner, as they may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper: Go to the Options>Program Options Uncheck Load at Windows Startup Click Shields & uncheck all items there Uncheck Home page shield. Automaticly restore default without notifiction To disable Ewido's real-time scanner: Double click on the Ewido icon in system try Click on the status button Select Remove Guard ~~~~~~~~~~~~~~ Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present CxtPls Media Tickets ~~~~~~~~~~~~~~ Run a HiJackThis scan. Select the following entries & click Fix checked : R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = * O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOA...tallerProj1.cab ~~~~~~~~~~~~~~ Reboot to SafeMode Shut Windows down, and then turn off the computer. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the [Windows Advanced Options] menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter. ~~~~~~~~~~~~~~ Enable the viewing of Hidden files Double-click on the My Computer icon. Select the View menu and then click Folder Options. After the new window appears select the View tab. Scroll down until you see the Show all files radio button and select it. Press the Apply button and then the OK button and close the My Computer window. Now your computer is configured to show all hidden files. = = = Locate and delete the following folder(s), if present: C:\Program Files\etea\ ~~~~~~~~~~~~~~ Run Cleanup! & configure the program up as follows: Click Options... Move the arrow down to Custom CleanUp! Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck this option) Cleanup! All Users Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will delete all the files in your temp folders without making a backup ~~~~~~~~~~~~~~ From the folder where you unzipped rkfiles to, double click rkfiles.bat It will scan for awhile, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt. Now Open the folder were you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt Note Each tool uses log.txt as it’s output file so make sure you save the entry’s from one tools log before running the other as it will overwrite the file if you don’t. ~~~~~~~~~~~~~~ Reboot to Normal Mode Do an online scan at Panda. Take note of files it fails to disinfect. (names and locations) * Turn off the real time scanner of any existing antivirus program while performing the online scan ~~~~~~~~~~~~~~ Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts Double-click SilentRunners.vbs to run it. This will take a few minutes. When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply. ~~~~~~~~~~~~~~ In your next post, please include fresh copies of: 1. HiJackThis log 2. List of files that online scans failed to disinfect 3. rkfiles & remv3 logs 4. SilentRunner's log Please provide details of any problems you encountered whilst performing the above steps. Update us on how your computer behaves now __________________ Question - what have you done for the community today? Last edited by sUBs; 07-14-2005 at 03:26 PM.

07-14-2005, 11:56 PM	#11 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	There's a folder I couldn't find enough info about - C:\Program Files\ContextAware Can You tell me more about it? Is it a program you've installed? Does it have an entry in Add/Remove programs? In the interest of safety, please visit this website - virusscan.jotti.org Submit these file(s) for a comprehensive scan & then post the results back here. C:\Program Files\ContextAware\ContextAware.dll Panda's online scan has detected malware in Microsoft Antispyware Qurantine folder. You may clear the quarantine cache by doing so.. Double click on the Microsoft Antispyware icon in system tray Go to Tools>Spyware Scan>Manage Spyware Quarantine Select all items listed under "Quarantine Threats" & Click "Permanently remove all checked threats" = = = = = = = = = = = Please download these additional files/programs. Unless otherwise stated, they should be stored in same directory as the HiJackThis program. Do not run them unless instructed to do so. KillBox v2.0.0.175 Unplug your computer from the Internet when you have finished downloading = = = = = = = = = = = Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present AutoUpdate = = = = = = = = = = = Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\system32\stlb2.xml C:\Program Files\support.com\adelphia\scripts\IEconfig.vbs C:\Program Files\System Mechanic\Undo\Manual\{9CA6026F-B1B3-4E3C-99F1-B6FF9135CD47}\{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf[{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf] C:\WINDOWS\ru.exe C:\WINDOWS\system\UpdInst.exe C:\WINDOWS\system32\auto_update_uninstall.exe C:\WINDOWS\system32\auto_update_uninstall.log C:\WINDOWS\system32\Shex.exe C:\WINDOWS\system32\SplWbr.dll C:\WINDOWS\system32\stlb2.xm C:\Program Files\AutoUpdate\AutoUpdate.exe Start KillBox. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox Click the dropdown-arrow next to the "Full Path of File to Delete" field. Verify that the filenames you pasted are found in there. Select/tick the following: * Replace on Reboot * Use Dummy * End Explorer Shell While Killing File * "Unregister.dll Before Deleting" * if it's not grayed out Click the RED X button. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the 'Pending Operations' prompt. * If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again. = = = = = = = = = = = Reboot & delete these folders - C:\Program Files\AutoUpdate C:\Program Files\etea\ Post a fresh HJT log after that __________________ Question - what have you done for the community today?

07-14-2005, 03:12 PM	#6 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	New L2m log: L2Mfix 1.03a Running From: C:\Documents and Settings\Chad\Desktop\l2mfix RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Setting registry permissions: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Denying C(CI) access for predefined group "Administrators" - adding new ACCESS DENY entry Registry Permissions set too: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (CI) DENY --C------- BUILTIN\Administrators (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Setting up for Reboot Starting Reboot! C:\Documents and Settings\Chad\Desktop\l2mfix System Rebooted! Running From: C:\Documents and Settings\Chad\Desktop\l2mfix killing explorer and rundll32.exe Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 1224 'explorer.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 2012 'rundll32.exe' Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! Backing Up: C:\WINDOWS\system32\danput8.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\danput8.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\dksrslvr.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\dksrslvr.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\dmiman32.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\dmiman32.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\ivrtrmgr.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\ivrtrmgr.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\krdnec.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\krdnec.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\krdpl.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\krdpl.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\mhutilse.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\mhutilse.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\slell32.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\slell32.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\uhrcntra.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\uhrcntra.dll 1 file(s) copied. Backing Up: C:\WINDOWS\system32\guard.tmp 1 file(s) copied. Backing Up: C:\WINDOWS\system32\guard.tmp 1 file(s) copied. deleting: C:\WINDOWS\system32\danput8.dll Successfully Deleted: C:\WINDOWS\system32\danput8.dll deleting: C:\WINDOWS\system32\danput8.dll Successfully Deleted: C:\WINDOWS\system32\danput8.dll deleting: C:\WINDOWS\system32\dksrslvr.dll Successfully Deleted: C:\WINDOWS\system32\dksrslvr.dll deleting: C:\WINDOWS\system32\dksrslvr.dll Successfully Deleted: C:\WINDOWS\system32\dksrslvr.dll deleting: C:\WINDOWS\system32\dmiman32.dll Successfully Deleted: C:\WINDOWS\system32\dmiman32.dll deleting: C:\WINDOWS\system32\dmiman32.dll Successfully Deleted: C:\WINDOWS\system32\dmiman32.dll deleting: C:\WINDOWS\system32\ivrtrmgr.dll Successfully Deleted: C:\WINDOWS\system32\ivrtrmgr.dll deleting: C:\WINDOWS\system32\ivrtrmgr.dll Successfully Deleted: C:\WINDOWS\system32\ivrtrmgr.dll deleting: C:\WINDOWS\system32\krdnec.dll Successfully Deleted: C:\WINDOWS\system32\krdnec.dll deleting: C:\WINDOWS\system32\krdnec.dll Successfully Deleted: C:\WINDOWS\system32\krdnec.dll deleting: C:\WINDOWS\system32\krdpl.dll Successfully Deleted: C:\WINDOWS\system32\krdpl.dll deleting: C:\WINDOWS\system32\krdpl.dll Successfully Deleted: C:\WINDOWS\system32\krdpl.dll deleting: C:\WINDOWS\system32\mhutilse.dll Successfully Deleted: C:\WINDOWS\system32\mhutilse.dll deleting: C:\WINDOWS\system32\mhutilse.dll Successfully Deleted: C:\WINDOWS\system32\mhutilse.dll deleting: C:\WINDOWS\system32\slell32.dll Successfully Deleted: C:\WINDOWS\system32\slell32.dll deleting: C:\WINDOWS\system32\slell32.dll Successfully Deleted: C:\WINDOWS\system32\slell32.dll deleting: C:\WINDOWS\system32\uhrcntra.dll Successfully Deleted: C:\WINDOWS\system32\uhrcntra.dll deleting: C:\WINDOWS\system32\uhrcntra.dll Successfully Deleted: C:\WINDOWS\system32\uhrcntra.dll deleting: C:\WINDOWS\system32\guard.tmp Successfully Deleted: C:\WINDOWS\system32\guard.tmp deleting: C:\WINDOWS\system32\guard.tmp Successfully Deleted: C:\WINDOWS\system32\guard.tmp Zipping up files for submission: adding: danput8.dll (188 bytes security) (deflated 48%) adding: dksrslvr.dll (188 bytes security) (deflated 48%) adding: dmiman32.dll (188 bytes security) (deflated 48%) adding: ivrtrmgr.dll (188 bytes security) (deflated 48%) adding: krdnec.dll (188 bytes security) (deflated 48%) adding: krdpl.dll (188 bytes security) (deflated 48%) adding: mhutilse.dll (188 bytes security) (deflated 48%) adding: slell32.dll (188 bytes security) (deflated 48%) adding: uhrcntra.dll (188 bytes security) (deflated 48%) adding: guard.tmp (188 bytes security) (deflated 48%) adding: clear.reg (188 bytes security) (deflated 37%) adding: echo.reg (188 bytes security) (deflated 8%) adding: direct.txt (188 bytes security) (stored 0%) adding: lo2.txt (188 bytes security) (deflated 84%) adding: readme.txt (188 bytes security) (deflated 49%) adding: report.txt (188 bytes security) (deflated 65%) adding: test.txt (188 bytes security) (deflated 85%) adding: test2.txt (188 bytes security) (deflated 17%) adding: test3.txt (188 bytes security) (deflated 17%) adding: test5.txt (188 bytes security) (deflated 17%) adding: xfind.txt (188 bytes security) (deflated 82%) adding: backregs/B8566D48-E479-4643-9E9B-E7854A55F5A4.reg (188 bytes security) (deflated 70%) adding: backregs/shell.reg (188 bytes security) (deflated 73%) Restoring Registry Permissions: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Revoking access for predefined group "Administrators" Inherited ACE can not be revoked here! Inherited ACE can not be revoked here! Registry permissions set too: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... successful deleting local copy: danput8.dll deleting local copy: danput8.dll deleting local copy: dksrslvr.dll deleting local copy: dksrslvr.dll deleting local copy: dmiman32.dll deleting local copy: dmiman32.dll deleting local copy: ivrtrmgr.dll deleting local copy: ivrtrmgr.dll deleting local copy: krdnec.dll deleting local copy: krdnec.dll deleting local copy: krdpl.dll deleting local copy: krdpl.dll deleting local copy: mhutilse.dll deleting local copy: mhutilse.dll deleting local copy: slell32.dll deleting local copy: slell32.dll deleting local copy: uhrcntra.dll deleting local copy: uhrcntra.dll deleting local copy: guard.tmp deleting local copy: guard.tmp The following Is the Current Export of the Winlogon notify key: ************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] "DLLName"="Ati2evxx.dll" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000001 "Lock"="AtiLockEvent" "Logoff"="AtiLogoffEvent" "Logon"="AtiLogonEvent" "Disconnect"="AtiDisConnectEvent" "Reconnect"="AtiReConnectEvent" "Safe"=dword:00000000 "Shutdown"="AtiShutdownEvent" "StartScreenSaver"="AtiStartScreenSaverEvent" "StartShell"="AtiStartShellEvent" "Startup"="AtiStartupEvent" "StopScreenSaver"="AtiStopScreenSaverEvent" "Unlock"="AtiUnLockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: ************************************************************************ C:\WINDOWS\system32\danput8.dll C:\WINDOWS\system32\danput8.dll C:\WINDOWS\system32\dksrslvr.dll C:\WINDOWS\system32\dksrslvr.dll C:\WINDOWS\system32\dmiman32.dll C:\WINDOWS\system32\dmiman32.dll C:\WINDOWS\system32\ivrtrmgr.dll C:\WINDOWS\system32\ivrtrmgr.dll C:\WINDOWS\system32\krdnec.dll C:\WINDOWS\system32\krdnec.dll C:\WINDOWS\system32\krdpl.dll C:\WINDOWS\system32\krdpl.dll C:\WINDOWS\system32\mhutilse.dll C:\WINDOWS\system32\mhutilse.dll C:\WINDOWS\system32\slell32.dll C:\WINDOWS\system32\slell32.dll C:\WINDOWS\system32\uhrcntra.dll C:\WINDOWS\system32\uhrcntra.dll C:\WINDOWS\system32\guard.tmp C:\WINDOWS\system32\guard.tmp Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. ************************************************************************ REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{B8566D48-E479-4643-9E9B-E7854A55F5A4}"=- "{805A4A1E-2B56-475E-94D1-F86A91D4F486}"=- [-HKEY_CLASSES_ROOT\CLSID\{B8566D48-E479-4643-9E9B-E7854A55F5A4}] [-HKEY_CLASSES_ROOT\CLSID\{805A4A1E-2B56-475E-94D1-F86A91D4F486}] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" ************************************************************************ Desktop.ini Contents: ************************************************************************ ************************************************************************** New HJT log: Logfile of HijackThis v1.99.1 Scan saved at 5:11:31 PM, on 7/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\WINDOWS\ATIPTAXX.EXE C:\Program Files\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\etea\rpen.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Aprps\CxtPls.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = * R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOAc...allerProj1.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe I'll get back to you on the virus information you requested from the website.

07-14-2005, 03:14 PM	#7 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	Here's the virus scan information: File: rpen.exe Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5 dd0b887c0394ea8723df1207f9c7dc8e Packers detected: UPX Scanner results AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found a variant of Win32/Adware.MediaTickets application Norman Virus Control Found nothing UNA Found nothing VBA32 Found nothing

07-14-2005, 05:35 PM	#9 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	All done. Here are the logs: Hijack This: Logfile of HijackThis v1.99.1 Scan saved at 7:33:56 PM, on 7/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\WINDOWS\ATIPTAXX.EXE C:\Program Files\etea\rpen.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe Files that Panda didn't disenfect: Incident Status Location Adware:Adware/SaveNow No disinfected Windows Registry Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[danput8.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[dksrslvr.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[dmiman32.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[ivrtrmgr.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[krdnec.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[krdpl.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[mhutilse.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[slell32.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[uhrcntra.dll] Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Chad\Desktop\l2mfix\backup.zip[guard.tmp] Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C801EE57-BF97-4019-B85F-E0409A\4140DF58-2EA6-4F3C-8E8D-F97C2B Adware:Adware/BookedSpace No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D8390C4C-C05A-47A6-BD9E-E5CE8A\793BD69C-49D3-473C-B9A8-1F7CCA Adware:Adware/Startpage.ACY No disinfected C:\Program Files\support.com\adelphia\scripts\IEconfig.vbs Possible Virus. No disinfected C:\Program Files\System Mechanic\Search and Recover\streamserver.exe Adware:Adware/Twain-Tech No disinfected C:\Program Files\System Mechanic\Undo\Manual\{9CA6026F-B1B3-4E3C-99F1-B6FF9135CD47}\{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf[{B10BAA8D-6BEE-49E3-A7A3-8203BFFE43D0}.inf] Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInst.exe Adware:Adware/Envolo No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.log Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe Adware:Adware/nCase No disinfected C:\WINDOWS\system32\SplWbr.dll Adware:Adware/PowerSearch No disinfected C:\WINDOWS\system32\stlb2.xml Rkfiles log: C:\Documents and Settings\Chad\Desktop\rkfiles PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ C:\WINDOWS\system32\locate.com: WAUPX! C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213 C:\WINDOWS\system32\oembios.bin: peC2"y)Q Files Found in all users startup Folder............ ------------------------ Files Found in all users windows Folder............ ------------------------ C:\WINDOWS\RMAgentOutput.dll: UPX! C:\WINDOWS\ru.exe: UPX! C:\WINDOWS\tsc.exe: UPX! C:\WINDOWS\vsapi32.dll: UPX!t4 Finished bye Remv3 log: The batch is run from -- C:\Documents and Settings\Chad\Desktop\remv Files Found................. ---------------------------------------- Files Not deleted................. ---------------------------------------- Merging registry entries ----------------------------------------------------------------- The Registry Entries Found... ----------------------------------------------------------------- Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting ----------------------------------------------------------------- Volume in drive C is C Volume Serial Number is 30B9-9FF5 Directory of C:\WINDOWS\system32 msi.dll Finished Silent runner log: "Silent Runners.vbs", revision 39, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."] "McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."] "ATIPTA" = "C:\WINDOWS\ATIPTAXX.EXE" ["ATI Technologies, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}" = "ContextAware by Grigri" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{4EFE464B-3D0B-4800-A5DE-2321283A3256}" = "QCD IconHandler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Quintessential Player\QCDIcons.dll" [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ContextAware\(Default) = "{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Scheduled Tasks: ------------------------ "RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS] {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\Program Files\Aim\Aim 2\aim.exe" ["America Online, Inc."] {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.emachines.com Missing lines (compared with English-language version): [Strings]: 1 line HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! "bar" = "C:\Documents and Settings\Chad\My Documents\bar.html" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"] Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."] Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] ---------- + This report excludes default entries except where indicated. + To see everywhere the script checks and everything it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 14 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 15 seconds. ---------- (total run time: 44 seconds)

07-14-2005, 05:37 PM	#10 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	As for how the computer is working now; I haven't gotten any of the popups lately but I haven't done any internet browsing which is when most of them seem to occur.

07-15-2005, 08:37 PM	#12 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	I'll get to work on that... As for ContextAware, it is a program I installed. It adds a menu item to the desktop right click menu. I put some shortcuts to my various harddrives and often-used folders. It's quite handy.

07-15-2005, 08:46 PM	#13 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	New Hijack This log: Logfile of HijackThis v1.99.1 Scan saved at 10:44:54 PM, on 7/15/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\WINDOWS\ATIPTAXX.EXE C:\WINDOWS\system32\rpen.exe C:\Program Files\Hijackthis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

07-15-2005, 09:12 PM	#14 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	Did you see that? We burnt it's house down & it shifted to the system32 directory. Download & launch APT. Locate the process - C:\WINDOWS\system32\rpen.exe Select Kill 3 =================== Then, start KillBox & paste the following locations into KillBox: C:\WINDOWS\system32\rpen.exe Checkmark the following boxes : Replace on Reboot End Explorer Shell While Killing File Use Dummy Click the RED X button and Answer YES when asked to confirm file deletion Answer YES when prompted to reboot now =================== Upon reboot, download this file & unzip it to a folder on Desktop. Within that folder, double click on activesetup.vbs. When it has finished running, it will pop up a 'Finish" message. A log will be created within that folder. Post the contents of that log in your next reply along with fresh copies of HJT log & a new SilentRunner log. __________________ Question - what have you done for the community today?

07-15-2005, 09:28 PM	#15 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	Activesetup log: "Find activesetup", version1, launched at: 23:23 Operating System: Windows XP SP2 HKLM\Software\Microsoft\Active Setup\Installed Components\ ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player" \StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS] HJT log: Logfile of HijackThis v1.99.1 Scan saved at 11:24:55 PM, on 7/15/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\WINDOWS\ATIPTAXX.EXE C:\Program Files\etea\rpen.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe SilentRunners log: "Silent Runners.vbs", revision 39, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."] "McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."] "ATIPTA" = "C:\WINDOWS\ATIPTAXX.EXE" ["ATI Technologies, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}" = "ContextAware by Grigri" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{4EFE464B-3D0B-4800-A5DE-2321283A3256}" = "QCD IconHandler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Quintessential Player\QCDIcons.dll" [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ContextAware\(Default) = "{CBB82399-B33F-4C4F-9EBD-FF6E858AD4AE}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ContextAware\ContextAware.dll" ["Disorganized Inc."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Scheduled Tasks: ------------------------ "RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS] {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\Program Files\Aim\Aim 2\aim.exe" ["America Online, Inc."] {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.emachines.com Missing lines (compared with English-language version): [Strings]: 1 line HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! "bar" = "C:\Documents and Settings\Chad\My Documents\bar.html" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"] Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."] Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] ---------- + This report excludes default entries except where indicated. + To see everywhere the script checks and everything it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 155 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 17 seconds. ---------- (total run time: 192 seconds)

07-15-2005, 10:00 PM	#16 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	Let's take an even deeper look Download StartDreck Unzip to its own folder and start the program: Press 'Config' Press 'mark all' Uncheck the following boxes only: System/Running Process -> List Modules System/Drivers -> NT Services System/Drivers -> NT Kernel- and FS-drivers Press 'OK' Press 'Save' and select the location to save the log file (default is the same folder as the application) Post that log file here. Please visit this website - virusscan.jotti.org Submit these file(s) for a comprehensive scan & then post the results back here. C:\Program Files\Aim\Aim 2\aim.exe __________________ Question - what have you done for the community today?

07-16-2005, 10:07 AM	#17 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	StartDreck log: StartDreck (build 2.1.7 public stable) - 2005-07-16 @ 12:05:39 (GMT -04:00) Platform: Windows XP (Win NT 5.1.2600 Service Pack 2) Internet Explorer: 6.0.2900.2180 Logged in as Chad at CHAD »Registry »Run Keys »Current User »Run +AutorunsDisabled LogitechSoftwareUpdate="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot »RunOnce +Setup »Default User »Run Usrr=C:\Program Files\etea\rpen.exe »RunOnce »Local Machine »Run nwiz=nwiz.exe /install ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey ATIPTA=C:\WINDOWS\ATIPTAXX.EXE +OptionalComponents +MSFS Installed=1 +MAPI Installed=1 NoChange=1 +MAPI Installed=1 NoChange=1 +MAPI Installed=1 NoChange=1 »RunOnce »RunServices »RunServicesOnce »RunOnceEx »RunServicesOnceEx »File Associations (CR) +.bat batfile="%1" %* +.com comfile="%1" % +.disabled SpybotSD.DisabledFile="C:\Program Files\Spybot\blindman.exe" %1 +.exe exefile="%1" %* +.hta htafile=C:\WINDOWS\System32\mshta.exe "%1" % +.htm FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.html FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.js JSFile=%SystemRoot%\System32\WScript.exe "%1" % +.jse JSEFile=%SystemRoot%\System32\WScript.exe "%1" % +.pif piffile="%1" % +.reg regfile=regedit.exe "%1" +.scr scrfile="%1" /S +.txt txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1 +.vbs VBSFile=%SystemRoot%\System32\WScript.exe "%1" %* +.vbe VBEFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsh WSHFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsf WSFFile=%SystemRoot%\System32\WScript.exe "%1" % +.lnk `lnkfile= [key or value does not exist] »Active Setup (LM) +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE +Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED} StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT +Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278} StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf +Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe /s /n /i:U shell32.dll +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=%SystemRoot%\system32\ie4uinit.exe »Browser Helper Objects (LM) »Internet Explorer »Current User Default_Search_URL=http://search.msn.com Local Page=C:\WINDOWS\SYSTEM32\blank.htm Search Bar=http://www.google.com/ie Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Start Page=http://www.google.com/ +SearchUrl provider= +g =http://www.google.com/search?hl=en&lr=&q=%s =+ +=%2B %=%25 &=%26 #=%23 »Default User Default_Search_URL=http://home.microsoft.com/search/lobby/search.asp Search Bar=http://home.microsoft.com/search/lobby/search.asp Start Page=http://www.emachines.com SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm »Local Machine Default_Page_URL=http://www.emachines.com Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Local Page=%SystemRoot%\system32\blank.htm Search Bar=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Start Page=http://www.google.com CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm »ShellServiceObjectDelayLoad (LM) 0aMCPClient={F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} `InprocServer32= PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9} `InprocServer32= WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED} `InprocServer32=%SystemRoot%\System32\webcheck.dll SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153} `InprocServer32=C:\WINDOWS\System32\stobject.dll UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1} `InprocServer32=C:\WINDOWS\system32\upnpui.dll »Special NT Values »Current User Load= Run= Programs=com exe bat pif cmd SHELL=explorer.exe »Default User Load= Run= Programs=com exe bat pif cmd SHELL= »Local Machine AppInit_DLLs= SHELL=Explorer.exe Userinit=C:\WINDOWS\system32\userinit.exe, »Files »Autostart Folders »Current User C:\Documents and Settings\Chad\Start Menu\Programs\Startup\desktop.ini C:\Documents and Settings\Chad\Start Menu\Programs\Startup\AutorunsDisabled\TClock2.lnk »Default User C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini »Local Machine C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini »INI-Files »WIN.INI\[windows] LOAD= RUN= »SYSTEM.INI\[boot] SHELL=explorer.exe »Text Files C:\boot.ini `[boot loader] `timeout=30 `default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS `[operating systems] `multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn C:\msdos.sys C:\config.sys C:\WINDOWS\system32\config.nt `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 C:\autoexec.bat C:\WINDOWS\system32\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 C:\WINDOWS\wininit.ini `[Rename] `NUL = C:\DOCUME~1\Chad\LOCALS~1\Temp\topmins1.exe C:\WINDOWS\system32\drivers\etc\hosts »Program Files C:\ntldr C:\ntdetect.com C:\io.sys C:\WINDOWS\system32\win.com C:\WINDOWS\explorer.exe »%PATH% Companion Files +C:\WINDOWS\system32\notepad.exe C:\WINDOWS\notepad.exe C:\WINDOWS\notepad.exe +C:\WINDOWS\system32\Ntrights.exe C:\Program Files\Windows Resource Kits\Tools\ntrights.exe +C:\WINDOWS\system32\regini.exe C:\Program Files\Windows Resource Kits\Tools\regini.exe +C:\WINDOWS\system32\slrundll.exe C:\WINDOWS\slrundll.exe C:\WINDOWS\slrundll.exe +C:\WINDOWS\system32\taskman.exe C:\WINDOWS\TASKMAN.EXE C:\WINDOWS\TASKMAN.EXE +C:\WINDOWS\system32\winhlp32.exe C:\WINDOWS\winhlp32.exe C:\WINDOWS\winhlp32.exe +C:\WINDOWS\_default.pif C:\WINDOWS\_default.pif +C:\WINDOWS\alcrmv.exe C:\WINDOWS\alcrmv.exe +C:\WINDOWS\alcupd.exe C:\WINDOWS\alcupd.exe +C:\WINDOWS\AolCInUn.exe C:\WINDOWS\AolCInUn.exe +C:\WINDOWS\atiadaxx.exe C:\WINDOWS\atiadaxx.exe +C:\WINDOWS\atiiprxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiiprxx.exe C:\WINDOWS\atiiprxx.exe +C:\WINDOWS\atiphexx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiphexx.exe C:\WINDOWS\atiphexx.exe +C:\WINDOWS\atiprbxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiprbxx.exe C:\WINDOWS\atiprbxx.exe +C:\WINDOWS\atiptaxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\atiptaxx.exe +C:\WINDOWS\explorer.exe C:\WINDOWS\explorer.exe +C:\WINDOWS\explorer_original.exe C:\WINDOWS\explorer_original.exe +C:\WINDOWS\hh.exe C:\WINDOWS\hh.exe +C:\WINDOWS\ieuninst.exe C:\WINDOWS\ieuninst.exe +C:\WINDOWS\InstIt.exe C:\WINDOWS\InstIt.exe +C:\WINDOWS\IsUninst.exe C:\WINDOWS\IsUninst.exe +C:\WINDOWS\mattie54.exe C:\WINDOWS\mattie54.exe +C:\WINDOWS\mHotkey.exe C:\WINDOWS\mHotkey.exe +C:\WINDOWS\MSDEVRC.exe C:\WINDOWS\MSDEVRC.exe +C:\WINDOWS\muninst.exe C:\WINDOWS\muninst.exe +C:\WINDOWS\nzmlymw.exe C:\WINDOWS\nzmlymw.exe +C:\WINDOWS\oeuninst.exe C:\WINDOWS\oeuninst.exe +C:\WINDOWS\PATCH.EXE C:\WINDOWS\PATCH.EXE +C:\WINDOWS\regedit.exe C:\WINDOWS\regedit.exe +C:\WINDOWS\ru.exe C:\WINDOWS\ru.exe +C:\WINDOWS\runtsckl.exe C:\WINDOWS\runtsckl.exe +C:\WINDOWS\setdebug.exe C:\WINDOWS\setdebug.exe +C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\SOUNDMAN.EXE +C:\WINDOWS\tsc.exe C:\WINDOWS\tsc.exe +C:\WINDOWS\twunk_16.exe C:\WINDOWS\twunk_16.exe +C:\WINDOWS\twunk_32.exe C:\WINDOWS\twunk_32.exe +C:\WINDOWS\UnGins.exe C:\WINDOWS\UnGins.exe +C:\WINDOWS\UniFish3.exe C:\WINDOWS\UniFish3.exe +C:\WINDOWS\uninst.exe C:\WINDOWS\uninst.exe +C:\WINDOWS\UninstallFirefox.exe C:\WINDOWS\UninstallFirefox.exe +C:\WINDOWS\UnInstallX.exe C:\WINDOWS\UnInstallX.exe +C:\WINDOWS\unvise32qt.exe C:\WINDOWS\unvise32qt.exe +C:\WINDOWS\winhelp.exe C:\WINDOWS\winhelp.exe +C:\WINDOWS\wmback.exe C:\WINDOWS\wmback.exe +C:\WINDOWS\NewFolder.vbs C:\WINDOWS\NewFolder.vbs +C:\Program Files\Windows Resource Kits\Tools\tcmon.exe *C:\Program Files\Windows Resource Kits\Tools\tcmon.bat »System/Drivers »Running Processes +0=<idle> +4=<system> +380=\SystemRoot\System32\smss.exe +664=\??\C:\WINDOWS\system32\csrss.exe +688=\??\C:\WINDOWS\system32\winlogon.exe +732=C:\WINDOWS\system32\services.exe +744=C:\WINDOWS\system32\lsass.exe +888=C:\WINDOWS\system32\svchost.exe +944=C:\WINDOWS\system32\svchost.exe +980=C:\WINDOWS\System32\svchost.exe +1028=C:\WINDOWS\System32\svchost.exe +1344=C:\WINDOWS\system32\spoolsv.exe +1416=C:\Program Files\ewido\security suite\ewidoctrl.exe +1440=C:\Program Files\Network Associates\VirusScan\mcshield.exe +1472=C:\Program Files\Network Associates\VirusScan\vstskmgr.exe +1624=C:\WINDOWS\System32\svchost.exe +1684=C:\WINDOWS\system32\wdfmgr.exe +1916=C:\WINDOWS\System32\alg.exe +1408=C:\WINDOWS\Explorer.EXE +1964=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE +1976=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe +1996=C:\WINDOWS\ATIPTAXX.EXE +708=C:\Program Files\etea\rpen.exe +2844=C:\Program Files\Aim\Aim 2\aim.exe +3324=C:\Program Files\Winamp\winamp.exe +2412=C:\Program Files\Soulseek\slsk.exe +2540=C:\Program Files\Mozilla Firefox\firefox.exe +528=C:\Documents and Settings\Chad\Desktop\startdreck\StartDreck.exe »VMM32Files (LM) »%System%\VMM32 »%System%\IOSUBSYS »Application specific »MS Office 97/8.0 STARTUP-PATH »Current User »Default User »Local Machine »ICQ NetDetect »Current User »Default User As for the AIM 2 program, it is actually just AIM. I have two different versions installed and I put the second in the AIM 2 folder.

07-16-2005, 01:10 PM	#18 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	I have attached a file to this post. Download - rpen.txt - & rename it "rpen.bat" (inclusive of quotes) Reboot to Safe Mode Double click on rpen.bat. When it has finished, you will received a message "ALL DONE" Reboot to Normal Mode Post a fresh HJT log along with a fresh StartDreck log __________________ Question - what have you done for the community today?

07-16-2005, 10:19 PM	#19 (permalink)
sherm Registered User Join Date: Jul 2005 Posts: 11 OS: XP	HJT: Logfile of HijackThis v1.99.1 Scan saved at 12:17:22 AM, on 7/17/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\WINDOWS\ATIPTAXX.EXE C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Aim\Aim 2\aim.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4 O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe Startdreck: StartDreck (build 2.1.7 public stable) - 2005-07-17 @ 00:18:55 (GMT -04:00) Platform: Windows XP (Win NT 5.1.2600 Service Pack 2) Internet Explorer: 6.0.2900.2180 Logged in as Chad at CHAD »Registry »Run Keys »Current User »Run +AutorunsDisabled LogitechSoftwareUpdate="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot »RunOnce +Setup »Default User »Run »RunOnce »Local Machine »Run nwiz=nwiz.exe /install ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey ATIPTA=C:\WINDOWS\ATIPTAXX.EXE SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe +OptionalComponents +MSFS Installed=1 +MAPI Installed=1 NoChange=1 +MAPI Installed=1 NoChange=1 +MAPI Installed=1 NoChange=1 »RunOnce »RunServices »RunServicesOnce »RunOnceEx »RunServicesOnceEx »File Associations (CR) +.bat batfile="%1" %* +.com comfile="%1" % +.disabled SpybotSD.DisabledFile="C:\Program Files\Spybot\blindman.exe" %1 +.exe exefile="%1" %* +.hta htafile=C:\WINDOWS\System32\mshta.exe "%1" % +.htm FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.html FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.js JSFile=%SystemRoot%\System32\WScript.exe "%1" % +.jse JSEFile=%SystemRoot%\System32\WScript.exe "%1" % +.pif piffile="%1" % +.reg regfile=regedit.exe "%1" +.scr scrfile="%1" /S +.txt txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1 +.vbs VBSFile=%SystemRoot%\System32\WScript.exe "%1" %* +.vbe VBEFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsh WSHFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsf WSFFile=%SystemRoot%\System32\WScript.exe "%1" % +.lnk `lnkfile= [key or value does not exist] »Active Setup (LM) +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE +Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED} StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT +Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278} StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf +Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe /s /n /i:U shell32.dll +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=%SystemRoot%\system32\ie4uinit.exe »Browser Helper Objects (LM) »Internet Explorer »Current User Default_Search_URL=http://search.msn.com Local Page=C:\WINDOWS\SYSTEM32\blank.htm Search Bar=http://www.google.com/ie Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Start Page=http://www.google.com/ +SearchUrl provider= +g =http://www.google.com/search?hl=en&lr=&q=%s =+ +=%2B %=%25 &=%26 #=%23 »Default User Default_Search_URL=http://home.microsoft.com/search/lobby/search.asp Search Bar=http://home.microsoft.com/search/lobby/search.asp Start Page=http://www.emachines.com SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm »Local Machine Default_Page_URL=http://www.emachines.com Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Local Page=%SystemRoot%\system32\blank.htm Search Bar=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Start Page=http://www.google.com CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm »ShellServiceObjectDelayLoad (LM) 0aMCPClient={F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} `InprocServer32= PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9} `InprocServer32= WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED} `InprocServer32=%SystemRoot%\System32\webcheck.dll SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153} `InprocServer32=C:\WINDOWS\System32\stobject.dll UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1} `InprocServer32=C:\WINDOWS\system32\upnpui.dll »Special NT Values »Current User Load= Run= Programs=com exe bat pif cmd SHELL=explorer.exe »Default User Load= Run= Programs=com exe bat pif cmd SHELL= »Local Machine AppInit_DLLs= SHELL=Explorer.exe Userinit=C:\WINDOWS\system32\userinit.exe, »Files »Autostart Folders »Current User C:\Documents and Settings\Chad\Start Menu\Programs\Startup\desktop.ini C:\Documents and Settings\Chad\Start Menu\Programs\Startup\AutorunsDisabled\TClock2.lnk »Default User C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini »Local Machine C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini »INI-Files »WIN.INI\[windows] LOAD= RUN= »SYSTEM.INI\[boot] SHELL=explorer.exe »Text Files C:\boot.ini `[boot loader] `timeout=30 `default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS `[operating systems] `multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn C:\msdos.sys C:\config.sys C:\WINDOWS\system32\config.nt `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 C:\autoexec.bat C:\WINDOWS\system32\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 C:\WINDOWS\wininit.ini `[Rename] `NUL = C:\DOCUME~1\Chad\LOCALS~1\Temp\topmins1.exe C:\WINDOWS\system32\drivers\etc\hosts »Program Files C:\ntldr C:\ntdetect.com C:\io.sys C:\WINDOWS\system32\win.com C:\WINDOWS\explorer.exe »%PATH% Companion Files +C:\WINDOWS\system32\notepad.exe C:\WINDOWS\notepad.exe C:\WINDOWS\notepad.exe +C:\WINDOWS\system32\Ntrights.exe C:\Program Files\Windows Resource Kits\Tools\ntrights.exe +C:\WINDOWS\system32\regini.exe C:\Program Files\Windows Resource Kits\Tools\regini.exe +C:\WINDOWS\system32\slrundll.exe C:\WINDOWS\slrundll.exe C:\WINDOWS\slrundll.exe +C:\WINDOWS\system32\taskman.exe C:\WINDOWS\TASKMAN.EXE C:\WINDOWS\TASKMAN.EXE +C:\WINDOWS\system32\winhlp32.exe C:\WINDOWS\winhlp32.exe C:\WINDOWS\winhlp32.exe +C:\WINDOWS\_default.pif C:\WINDOWS\_default.pif +C:\WINDOWS\alcrmv.exe C:\WINDOWS\alcrmv.exe +C:\WINDOWS\alcupd.exe C:\WINDOWS\alcupd.exe +C:\WINDOWS\AolCInUn.exe C:\WINDOWS\AolCInUn.exe +C:\WINDOWS\atiadaxx.exe C:\WINDOWS\atiadaxx.exe +C:\WINDOWS\atiiprxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiiprxx.exe C:\WINDOWS\atiiprxx.exe +C:\WINDOWS\atiphexx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiphexx.exe C:\WINDOWS\atiphexx.exe +C:\WINDOWS\atiprbxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiprbxx.exe C:\WINDOWS\atiprbxx.exe +C:\WINDOWS\atiptaxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\atiptaxx.exe +C:\WINDOWS\explorer.exe C:\WINDOWS\explorer.exe +C:\WINDOWS\explorer_original.exe C:\WINDOWS\explorer_original.exe +C:\WINDOWS\hh.exe C:\WINDOWS\hh.exe +C:\WINDOWS\ieuninst.exe C:\WINDOWS\ieuninst.exe +C:\WINDOWS\InstIt.exe C:\WINDOWS\InstIt.exe +C:\WINDOWS\IsUninst.exe C:\WINDOWS\IsUninst.exe +C:\WINDOWS\mHotkey.exe C:\WINDOWS\mHotkey.exe +C:\WINDOWS\MSDEVRC.exe C:\WINDOWS\MSDEVRC.exe +C:\WINDOWS\muninst.exe C:\WINDOWS\muninst.exe +C:\WINDOWS\oeuninst.exe C:\WINDOWS\oeuninst.exe +C:\WINDOWS\PATCH.EXE C:\WINDOWS\PATCH.EXE +C:\WINDOWS\regedit.exe C:\WINDOWS\regedit.exe +C:\WINDOWS\setdebug.exe C:\WINDOWS\setdebug.exe +C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\SOUNDMAN.EXE +C:\WINDOWS\tsc.exe C:\WINDOWS\tsc.exe +C:\WINDOWS\twunk_16.exe C:\WINDOWS\twunk_16.exe +C:\WINDOWS\twunk_32.exe C:\WINDOWS\twunk_32.exe +C:\WINDOWS\uninst.exe C:\WINDOWS\uninst.exe +C:\WINDOWS\UninstallFirefox.exe C:\WINDOWS\UninstallFirefox.exe +C:\WINDOWS\UnInstallX.exe C:\WINDOWS\UnInstallX.exe +C:\WINDOWS\winhelp.exe C:\WINDOWS\winhelp.exe +C:\WINDOWS\wmback.exe C:\WINDOWS\wmback.exe +C:\WINDOWS\NewFolder.vbs C:\WINDOWS\NewFolder.vbs +C:\Program Files\Windows Resource Kits\Tools\tcmon.exe C:\Program Files\Windows Resource Kits\Tools\tcmon.bat »System/Drivers »Running Processes +0=<idle> +4=<system> +384=\SystemRoot\System32\smss.exe +668=\??\C:\WINDOWS\system32\csrss.exe +692=\??\C:\WINDOWS\system32\winlogon.exe +736=C:\WINDOWS\system32\services.exe +748=C:\WINDOWS\system32\lsass.exe +888=C:\WINDOWS\system32\svchost.exe +948=C:\WINDOWS\system32\svchost.exe +984=C:\WINDOWS\System32\svchost.exe +1036=C:\WINDOWS\System32\svchost.exe +1348=C:\WINDOWS\system32\spoolsv.exe +1424=C:\Program Files\ewido\security suite\ewidoctrl.exe +1448=C:\Program Files\Network Associates\VirusScan\mcshield.exe +1476=C:\Program Files\Network Associates\VirusScan\vstskmgr.exe +1644=C:\WINDOWS\System32\svchost.exe +1728=C:\WINDOWS\system32\wdfmgr.exe +1916=C:\WINDOWS\System32\alg.exe +560=C:\WINDOWS\Explorer.EXE +840=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE +844=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe +784=C:\WINDOWS\ATIPTAXX.EXE +1012=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe +516=C:\Program Files\Mozilla Firefox\firefox.exe +1196=C:\Program Files\Aim\Aim 2\aim.exe +1248=C:\WINDOWS\system32\wuauclt.exe +2220=C:\Program Files\Winamp\winamp.exe +3516=C:\Documents and Settings\Chad\Desktop\startdreck\StartDreck.exe »VMM32Files (LM) »%System%\VMM32 »%System%\IOSUBSYS »Application specific »MS Office 97/8.0 STARTUP-PATH »Current User »Default User »Local Machine »ICQ NetDetect »Current User »Default User

07-16-2005, 10:42 PM	#20 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,330 OS: N/A	I dont see rpen.exe anymore. Do you?? Your log is clean. Well done Do you have any more problems with your computer? If not, you should be set to go. However, there still remains a few bits of housekeeping ... Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Clear Java Cache Click Start >Settings>Control Panel Click the Java Plugin Icon Click the Cache tab Click the Clear button and click OK to confirm Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel Follow the instructions outlined here to clear Sun Java's cache. Create a new System Restore point click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall Kerio Personal Firewall ZoneAlarm In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?