Old 08-17-2005, 08:52 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


WinFixer and other popups - HJT log Please Help

Well, I just don't know what to do. I've run Ad-Aware, Dr.Web, Spybot, Norton, Trend Micro, ewido, and I've even deleted some odd things from HijackThis to the best of my ability. I'm still getting WinFixer and other such annoying popups. Please help me out.

Log :

Logfile of HijackThis v1.99.1
Scan saved at 11:02:50 AM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\SLambrow\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {1ECEF3D6-3797-4AA4-AC21-D883E44424D5} - C:\WINNT\system32\kutxz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfMachine dispatcher] c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="BroadGun pdfMachine" -port="PDFPORT1:"
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kdslps.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\ilm32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
lxTurboxl is offline  

Old 08-17-2005, 09:48 AM   #2 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


Just a little more info to help out whoever can help me out.

ewido is showing me something about Spyware.Look2me and problems with :

[444] ..srbapiu.dll
[184] ..srbapiu.dll
[160] ..ilm32.dll

ewido said there was a problem deleting those files and I couldn't do it manually. I even went to Safe Mode and closed every process that the system would allow me to, then tried to delete them, but still nothing.

Some site told me I had a parasite "Bookedspace" but I think I got rid of it.

Anyway, thanks for any help.
lxTurboxl is offline  
Old 08-17-2005, 10:12 AM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


You have a couple of different nasties aboard....let's take one out, and find the "keepers" for the other.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and CWShredder. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo (TQ.zip) http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
L2MFix log
HJT log
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 08-17-2005, 11:27 AM   #4 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


"Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log."

While doing this step, my computer rebooted and everything appeared then disappeared as you said it would, but it seemed like nothing was happening after that. I waited a good 45 minutes without my comp making any sound or anything. I opened up Task Manager and my CPU usage was at 0% for about 5 seconds, then would jump to 99% for a split second, then 0% again, which led me to believe it was doing nothing. I logged off (not restart), logged back on and hit the "X" on the L2MFix program so it wouldn't remove the task bar. Then I deleted it from registry start up.

Now, I haven't got a pop-up since then (it's been about 10 minutes), but I'm sure that's just luck. Anyway, please let me know if it's supposed to take that long or if it was even working at all. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 01:38:13 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\SLambrow\My Documents\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {1ECEF3D6-3797-4AA4-AC21-D883E44424D5} - C:\WINNT\system32\kutxz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfMachine dispatcher] c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="BroadGun pdfMachine" -port="PDFPORT1:"
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kdslps.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
lxTurboxl is offline  
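The two HijackThis logs in this thread (post #1 and post #4) differ in exactly the places a helper looks at: the O20 Winlogon Notify entry for ilm32.dll is gone after the L2MFix run, the kutxz.dll BHO is still registered but now marked "(file missing)", and the [winsync] autorun is untouched. The script below is an added example, not part of HijackThis or of any tool recommended in the thread; it parses the "O<n> - ..." entry format, queues the entries a responder reads first (Winlogon Notify DLLs and registrations whose file is gone), and diffs two logs so that what a fix actually changed is visible without reading both logs line by line. The embedded sample logs are excerpts of the two logs posted above; the regexes and the triage reasons are my own assumptions about the format, not HijackThis documentation.

```python
"""Triage and diff HijackThis v1.99.1 logs.

Added example for this thread; not part of HijackThis or of the helper's
tools. LOG_BEFORE / LOG_AFTER are excerpts of the two logs the user posted
(before and after the L2MFix run).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Each HijackThis finding is one line "O<n> - <detail>"; the header and the
# "Running processes:" block do not match this shape and are skipped.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Suffix HijackThis appends when the registered file is no longer on disk.
FILE_MISSING = "(file missing)"
# First Windows path in the detail text, up to a known binary extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|cpl|sys))', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O20", ...
    detail: str   # text after "O<n> - "
    path: str     # lower-cased path found in detail, "" if none

    @property
    def file_missing(self) -> bool:
        return FILE_MISSING in self.detail

    @property
    def key(self) -> tuple[str, str]:
        # Identity that survives the "(file missing)" suffix being added later.
        return (self.section, self.path or self.detail.lower())


def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        pm = PATH_RE.search(detail)
        entries.append(Entry(section, detail, pm.group(1).lower() if pm else ""))
    return entries


def review_queue(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Entries a responder reads first, each with the reason it was queued."""
    queue = []
    for e in entries:
        if e.section == "O20":
            # A DLL under Winlogon\Notify is loaded by winlogon.exe at every
            # logon, before the user's shell starts: verify it before anything else.
            queue.append(("Winlogon Notify DLL", e))
        if e.file_missing:
            # The hook is still registered but its file is gone: stale or half-removed.
            queue.append(("registration with missing file", e))
    return queue


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """What changed between two scans of the same machine."""
    b = {e.key: e for e in parse_hjt(before)}
    a = {e.key: e for e in parse_hjt(after)}
    return {
        "removed": [b[k] for k in b if k not in a],
        "added": [a[k] for k in a if k not in b],
        "now_missing": [a[k] for k in a if k in b
                        and a[k].file_missing and not b[k].file_missing],
    }


# Excerpts of the thread's two logs (post #1 and post #4); unchanged entries trimmed.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: SDWin32 Class - {1ECEF3D6-3797-4AA4-AC21-D883E44424D5} - C:\WINNT\system32\kutxz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kdslps.exe reg_run
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\ilm32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: SDWin32 Class - {1ECEF3D6-3797-4AA4-AC21-D883E44424D5} - C:\WINNT\system32\kutxz.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kdslps.exe reg_run
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

if __name__ == "__main__":
    for reason, e in review_queue(parse_hjt(LOG_BEFORE)):
        print(f"[{reason}] {e.section} - {e.detail}")
    for kind, changed in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for e in changed:
            print(f"{kind}: {e.section} - {e.detail}")
```

Keying entries by section plus path (rather than the whole line) is what lets the diff report kutxz.dll as "now missing" instead of as one entry removed and another added; the [winsync] line surviving in both logs is the clue that L2MFix addressed only one of the two infections, which is what the next reply in the thread says.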
Old 08-17-2005, 08:17 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Let's say that L2MFix did some of the work, but we'll need to look again with other tools... later. For now, please do this, so that we can address the other infection (qoologic) on your system:

Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo (TQ.zip) http://www.techsupportforum.com/atta...achmentid=3761
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post along with the results of WinPFind!

Also, please perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Panda ActiveScan log
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
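The WinPFind log the helper asks for here (the user posts it in the next reply) lists every file that matched one of the tool's patterns, and its own header warns that not every hit is bad: the same log flags MRT.exe and vsapi32.dll purely on packer names, while the small, day-old DLLs in system32 match on embedded IP addresses and on the same "winsync" string that names the suspicious autorun in the HijackThis log. The script below is an added example, not part of WinPFind; it groups hits by file, ranks a file by the kind of pattern that hit it (an IP literal, a malware-family string, or only a packer name) and by how recently it was modified relative to the scan time, and returns the list a helper would read top-down. The sample is excerpted from the log posted below, including its section headers; the column layout, the packer list and the three-level ranking are my assumptions, not WinPFind's own logic.

```python
"""Rank WinPFind pattern hits for triage.

Added example for this thread; not part of WinPFind. SAMPLE is an excerpt
of the WinPFind.txt the user posts in the next reply.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Hit lines look like "<hit> <M/D/YYYY> <HH:MM:SS AM|PM> <size> <path>";
# the hit (a packer name, a string or an IP address) may contain spaces.
LINE_RE = re.compile(
    r"^(?P<hit>.*?)\s*(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"(?P<size>\d+) (?P<path>[A-Za-z]:\\.+)$"
)
SCAN_RE = re.compile(r"^Scan completed on (.+)$")
STAMP_FMT = "%m/%d/%Y %I:%M:%S %p"
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Packer names (assumed set): legitimate software ships packed too, so a
# packer hit on its own proves little.
PACKERS = {"UPX!", "PECompact2", "aspack"}
LEVEL_ORDER = {"strong": 0, "review": 1, "weak": 2}


def parse_winpfind(text: str) -> tuple[dict[str, dict], datetime | None]:
    """Group hits by file; return (files keyed by lower-cased path, scan time)."""
    files: dict[str, dict] = {}
    scan_time = None
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Checking "):
            # Only the "Checking %Folder% folder..." sections list pattern hits; the
            # hidden-file and CPL sections put attributes or a company in column one.
            collecting = line.startswith("Checking %")
            continue
        sm = SCAN_RE.match(line)
        if sm:
            scan_time = datetime.strptime(sm.group(1), STAMP_FMT)
            continue
        m = LINE_RE.match(line)
        if not (collecting and m):
            continue
        rec = files.setdefault(m["path"].lower(), {
            "path": m["path"], "size": int(m["size"]),
            "mtime": datetime.strptime(m["stamp"], STAMP_FMT), "hits": []})
        rec["hits"].append(m["hit"])
    return files, scan_time


def classify(hits: list[str]) -> str:
    if any(IP_RE.match(h) for h in hits):
        return "strong"   # an IP address literal embedded in the file
    if any(h not in PACKERS for h in hits):
        return "review"   # a malware-family string; could also be a definitions file
    return "weak"         # packer signature only


def rank(files: dict[str, dict], scan_time: datetime | None, recent_days: int = 7):
    """Strongest signal first, then recently modified files, then by path."""
    rows = []
    for rec in files.values():
        recent = scan_time is not None and scan_time - rec["mtime"] <= timedelta(days=recent_days)
        rows.append((classify(rec["hits"]), recent, rec))
    rows.sort(key=lambda r: (LEVEL_ORDER[r[0]], not r[1], r[2]["path"].lower()))
    return rows


# Excerpt of the WinPFind.txt posted in this thread, section headers kept.
SAMPLE = r"""
Checking %WinDir% folder...
PECompact2 8/16/2005 07:28:52 AM 15649617 C:\WINNT\lpt$vpn.785
qoologic 8/16/2005 07:28:52 AM 15649617 C:\WINNT\lpt$vpn.785
SAHAgent 8/16/2005 07:28:52 AM 15649617 C:\WINNT\lpt$vpn.785
UPX! 2/18/2005 06:40:14 PM 1044560 C:\WINNT\vsapi32.dll
aspack 2/18/2005 06:40:14 PM 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
69.59.186.63 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
209.66.67.134 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
web-nex 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
winsync 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
rec2_run 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
69.59.186.63 8/17/2005 01:44:10 PM 10240 C:\WINNT\SYSTEM32\dkeja.dll
winsync 8/17/2005 01:44:10 PM 10240 C:\WINNT\SYSTEM32\dkeja.dll
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 6/20/2003 08:00:00 AM 529168 C:\WINNT\SYSTEM32\rasdlg.dll

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/17/2005 01:40:28 PM 835376 C:\WINNT\ShellIconCache

Scan completed on 8/18/2005 08:14:13 AM
"""

if __name__ == "__main__":
    for level, recent, rec in rank(*parse_winpfind(SAMPLE)):
        flag = "recent" if recent else "old"
        print(f"{level:6} {flag:6} {rec['size']:>9} {rec['path']}  hits={rec['hits']}")
```

The ranking deliberately keeps the 15 MB lpt$vpn.785 in the "review" tier rather than the top: it matched family strings, but a file that size carrying several unrelated family names is the profile of a scanner's definition set, not of a 10 KB DLL dropped into system32 the day before the scan, which is why the helper's next instructions concentrate on the small recent DLLs.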
Old 08-18-2005, 06:34 AM   #6 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


Well, here goes:

WinPFind.txt log

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 8/16/2005 07:28:52 AM 15649617 C:\WINNT\lpt$vpn.785
qoologic 8/16/2005 07:28:52 AM 15649617 C:\WINNT\lpt$vpn.785
SAHAgent 8/16/2005 07:28:52 AM 15649617 C:\WINNT\lpt$vpn.785
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINNT\RMAgentOutput.dll
UPX! 10/24/2003 01:53:00 PM 6656 C:\WINNT\svcproc.exe
UPX! 1/10/2005 04:17:24 PM 170053 C:\WINNT\tsc.exe
PECompact2 8/16/2005 07:28:52 AM 15649617 C:\WINNT\VPTNFILE.785
qoologic 8/16/2005 07:28:52 AM 15649617 C:\WINNT\VPTNFILE.785
SAHAgent 8/16/2005 07:28:52 AM 15649617 C:\WINNT\VPTNFILE.785
UPX! 2/18/2005 06:40:14 PM 1044560 C:\WINNT\vsapi32.dll
aspack 2/18/2005 06:40:14 PM 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
69.59.186.63 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
209.66.67.134 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
66.63.167.97 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
66.63.167.77 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
web-nex 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
winsync 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
rec2_run 8/16/2005 01:22:30 PM 30208 C:\WINNT\SYSTEM32\datadx.dll
69.59.186.63 8/17/2005 01:44:10 PM 46080 C:\WINNT\SYSTEM32\ddfssfd.dll
209.66.67.134 8/17/2005 01:44:10 PM 46080 C:\WINNT\SYSTEM32\ddfssfd.dll
web-nex 8/17/2005 01:44:10 PM 46080 C:\WINNT\SYSTEM32\ddfssfd.dll
winsync 8/17/2005 01:44:10 PM 46080 C:\WINNT\SYSTEM32\ddfssfd.dll
69.59.186.63 8/17/2005 01:44:10 PM 10240 C:\WINNT\SYSTEM32\dkeja.dll
209.66.67.134 8/17/2005 01:44:10 PM 10240 C:\WINNT\SYSTEM32\dkeja.dll
web-nex 8/17/2005 01:44:10 PM 10240 C:\WINNT\SYSTEM32\dkeja.dll
winsync 8/17/2005 01:44:10 PM 10240 C:\WINNT\SYSTEM32\dkeja.dll
UPX! 1/13/2005 09:41:48 PM 11254 C:\WINNT\SYSTEM32\locate.com
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 6/20/2003 08:00:00 AM 529168 C:\WINNT\SYSTEM32\rasdlg.dll
winsync 6/20/2003 08:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/17/2005 01:40:28 PM 835376 C:\WINNT\ShellIconCache
S 8/18/2005 08:06:20 AM 64 C:\WINNT\CSC\00000001
S 8/16/2005 01:11:26 PM 64 C:\WINNT\CSC\00000002
H 7/23/2005 01:00:26 PM 0 C:\WINNT\inf\oem26.inf
H 8/17/2005 08:01:08 PM 1024 C:\WINNT\system32\config\default.LOG
H 8/18/2005 08:09:40 AM 1024 C:\WINNT\system32\config\SAM.LOG
H 8/18/2005 08:07:44 AM 1024 C:\WINNT\system32\config\SECURITY.LOG
H 8/18/2005 08:12:12 AM 1024 C:\WINNT\system32\config\software.LOG
SH 8/16/2005 01:16:42 PM 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\39ae9ca0-0cad-4d5b-a46f-b163ebecbe78
SH 8/16/2005 01:16:42 PM 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH 8/17/2005 01:44:00 PM 188 C:\WINNT\Tasks\RUTASK.job
H 8/18/2005 08:06:20 AM 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 6/20/2003 08:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
8/16/2005 01:22:30 PM 31232 C:\WINNT\SYSTEM32\conres.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 237328 C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Intel Corporation 9/9/2002 01:12:56 AM 94208 C:\WINNT\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 08:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2/20/2001 02:09:54 PM 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 6/20/2003 08:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 09:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 03:52:54 AM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 125712 C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 04:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 08:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 07:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/26/2005 04:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/17/2005 12:49:24 PM 92160 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dcrn.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gkmfymkk
{564ca57a-f4b7-483d-a93b-2c79f6f5b0df} = C:\WINNT\system32\dkeja.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\system32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\system32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ECEF3D6-3797-4AA4-AC21-D883E44424D5}
SDWin32 Class = C:\WINNT\system32\kutxz.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
Smapp C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
IgfxTray C:\WINNT\system32\igfxtray.exe
HotKeysCmds C:\WINNT\system32\hkcmd.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
vptray C:\Program Files\NavNT\vptray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
pdfMachine dispatcher c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="BroadGun pdfMachine" -port="PDFPORT1:"
winsync C:\WINNT\system32\kdslps.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/18/2005 08:14:13 AM

______________________________________________________________


Track qoo.vbs log

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"pdfMachine dispatcher"="c:\\Program Files\\BroadGun Software\\pdfMachine\\mapisnd.exe -printer=\"BroadGun pdfMachine\" -port=\"PDFPORT1:\""
"winsync"="C:\\WINNT\\system32\\kdslps.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- gkmfymkk
{564ca57a-f4b7-483d-a93b-2c79f6f5b0df}
C:\WINNT\system32\dkeja.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINNT\system32\docprop2.dll

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINNT\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINNT\system32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

==============================
C:\Documents and Settings\SLambrow\Start Menu\Programs\Startup

==============================
C:\WINNT\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
conres.cpl
desk.cpl Microsoft Corporation
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
INPUT.CPL Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sticpl.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


___________________________________________________________

Panda ActiveScan log


Incident Status Location

Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dcrn.exe
Adware:Adware/AdBehavior No disinfected C:\WINNT\SYSTEM32\KDSLPS.EXE
Adware:adware/clkoptimizer No disinfected C:\WINNT\SYSTEM32\datadx.dll
Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\SLAMBROW\APPLICATION DATA\Sskknwrd.dll
Adware:adware/aurora No disinfected C:\WINNT\svcproc.exe
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dcrn.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\SLambrow\My Documents\l2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\SLambrow\My Documents\l2mfix.exe[Process.exe]
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
__________________________________________________________

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 08:38:37 AM, on 8/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Documents and Settings\SLambrow\My Documents\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {1ECEF3D6-3797-4AA4-AC21-D883E44424D5} - C:\WINNT\system32\kutxz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfMachine dispatcher] c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="BroadGun pdfMachine" -port="PDFPORT1:"
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kdslps.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



___________________________________________________________

There she blows...

Thanks for any help.
lxTurboxl is offline  
Old 08-18-2005, 09:10 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


Just a little tidbit, I think you may have a dead link:

Download Track qoo (TQ.zip) http://www.techsupportforum.com/atta...achmentid=3761

Anyway, I DLed it from somewhere else and got it to work fine.

Thanks for any help with analyzing my report logs.
lxTurboxl is offline  
Old 08-18-2005, 09:42 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Thanks for the feedback... I've updated my link.

Go to Control Panel > Scheduled Tasks and delete the following task (if necessary, stop the task first):

RUTASK

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Update your Ewido definitions.

REBOOT into safe mode!

Click START…RUN…type in regedit. Make sure just “My Computer” is showing in the left pane and click FILE…EXPORT… and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gkmfymkk

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{564ca57a-f4b7-483d-a93b-2c79f6f5b0df}

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Run KillBox. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINNT\lpt$vpn.785
C:\WINNT\svcproc.exe
C:\WINNT\VPTNFILE.785
C:\WINNT\SYSTEM32\datadx.dll
C:\WINNT\SYSTEM32\ddfssfd.dll
C:\WINNT\SYSTEM32\dkeja.dll
C:\WINNT\Tasks\RUTASK.job
C:\WINNT\SYSTEM32\conres.cpl
C:\WINNT\system32\dkeja.dll
C:\WINNT\system32\kdslps.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dcrn.exe
C:\WINNT\SYSTEM32\KDSLPS.EXE
C:\WINNT\SYSTEM32\datadx.dll
C:\DOCUMENTS AND SETTINGS\SLAMBROW\APPLICATION DATA\Sskknwrd.dll
C:\PROGRAM FILES\Aprps

On the reboot...please boot back to safe mode.

Once in safe mode, run KillBox again and run those files through KillBox once more to be sure nothing survived.

This time place a tick by any of these selections if available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


We need to run killbox TWICE as some of these files may survive our first attempt at deletion.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: SDWin32 Class - {1ECEF3D6-3797-4AA4-AC21-D883E44424D5} - C:\WINNT\system32\kutxz.dll (file missing)
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kdslps.exe reg_run


Now close all windows other than HiJackThis, then click Fix Checked.

Run Ewido again.

* Click [Scanner]
* Click [Complete System Scan] to begin scanning.
* Click [OK] when prompted to clean files
* With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
* Once finished, click the [Save report] button
* Save the report to your desktop

Restart back in Normal Mode and post a fresh HijackThis log along with another WinPFind.txt log, Track qoo.vbs log and Ewido log!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
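The removal instructions above are built by correlating three things by hand: which HijackThis O4/O2 entries load a file that Panda ActiveScan flagged, which BHO entries point at a file that no longer exists, and which entries launch an oddly named image from system32. The Python script below is an added example for this thread (it is not code from HijackThis, Panda, ewido or any forum member) that automates that triage. The sample HJT lines and the detection list are constructed from the log formats posted above; the system32 allow-list is an assumed stand-in for a real known-good baseline, and the regular expressions are written for the HijackThis v1.99.1 line layout shown here.

```python
"""Cross-check HijackThis autorun/BHO entries against scanner detections.

Added example for this thread, not code from HijackThis, Panda, ewido or any
forum member. It automates the correlation done by hand above: which O4 Run
entries and O2 BHOs launch a file a scanner already flagged, which BHOs point
at a file that no longer exists, and which entries launch something from
system32 that is not on a known-good list.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample: a few lines in the HijackThis v1.99.1 format seen in the logs above.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {1ECEF3D6-3797-4AA4-AC21-D883E44424D5} - C:\WINNT\system32\kutxz.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kdslps.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# Constructed sample: file paths the way a Panda ActiveScan report lists them (note the upper-case path).
SAMPLE_DETECTIONS = [
    r"C:\WINNT\SYSTEM32\KDSLPS.EXE",
    r"C:\WINNT\SYSTEM32\datadx.dll",
]

# Assumed allow-list of stock images that legitimately run from system32 on this box.
# A real baseline (hashes or signer checks against a clean install) would be far larger.
KNOWN_GOOD_SYSTEM32: Set[str] = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe", "mobsync.exe", "userinit.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IMAGE_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|cpl|bat|pif))(?=\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    line_type: str            # "O2" (BHO) or "O4" (Run value)
    name: str                 # BHO class name or Run value name
    path: str                 # image the entry loads, as written in the log
    reasons: List[str] = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Pull the executable image out of a Run-value command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)   # unquoted: shortest prefix that ends in an image extension
    return m.group(1) if m else cmd.split()[0]


def _norm(path: str) -> str:
    return path.strip().lower()   # NTFS paths are case-insensitive; scanners print them in mixed case


def split_system32(path: str) -> Tuple[bool, str]:
    """Return (True, basename) when the image lives directly in a system32 directory."""
    directory, _, base = _norm(path).rpartition("\\")
    return directory.endswith("\\system32"), base


def triage(hjt_text: str, detections: List[str], known_good: Set[str] = KNOWN_GOOD_SYSTEM32) -> List[Finding]:
    flagged = {_norm(p) for p in detections}
    findings: List[Finding] = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m2, m4 = O2_RE.match(line), O4_RE.match(line)
        if m2:
            kind, name, path, missing = "O2", m2["name"], m2["path"], bool(m2["missing"])
        elif m4:
            kind, name, path, missing = "O4", m4["name"], image_path(m4["cmd"]), False
        else:
            continue              # other HJT sections (R0, O16, O17, O23...) are out of scope here
        reasons: List[str] = []
        if _norm(path) in flagged:
            reasons.append("flagged by scanner")
        if missing:
            reasons.append("file missing")   # dangling BHO: inert now, but remove it so it cannot be re-pointed
        in_sys32, base = split_system32(path)
        if in_sys32 and base not in known_good:
            reasons.append("not on system32 allow-list")
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_DETECTIONS):
        print(f"{f.line_type} [{f.name}] {f.path}: {', '.join(f.reasons)}")
```

On the sample above the script reports exactly the two entries the helper told the poster to fix in HijackThis: the `winsync` Run value (its image is in the scanner list and is not a known system32 file) and the `SDWin32 Class` BHO (file missing). Path comparison is case-folded on purpose, because the Panda report prints `KDSLPS.EXE` in upper case while the Run value stores it in lower case; a naive string match would miss the correlation.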
Old 08-18-2005, 09:56 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


I don't see RUTASK in the Scheduled Tasks folder thingy

Control Panel>Scheduled Tasks
lxTurboxl is offline  
Old 08-18-2005, 11:04 AM   #10 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


Let's see how we did:

WinPFind Log

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINNT\RMAgentOutput.dll
UPX! 1/10/2005 04:17:24 PM 170053 C:\WINNT\tsc.exe
UPX! 2/18/2005 06:40:14 PM 1044560 C:\WINNT\vsapi32.dll
aspack 2/18/2005 06:40:14 PM 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
UPX! 1/13/2005 09:41:48 PM 11254 C:\WINNT\SYSTEM32\locate.com
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 6/20/2003 08:00:00 AM 529168 C:\WINNT\SYSTEM32\rasdlg.dll
winsync 6/20/2003 08:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/18/2005 12:59:10 PM 64 C:\WINNT\CSC\00000001
S 8/16/2005 01:11:26 PM 64 C:\WINNT\CSC\00000002
H 7/23/2005 01:00:26 PM 0 C:\WINNT\inf\oem26.inf
H 8/18/2005 01:01:12 PM 1024 C:\WINNT\system32\config\default.LOG
H 8/18/2005 12:27:48 PM 1024 C:\WINNT\system32\config\SAM.LOG
H 8/18/2005 01:00:40 PM 1024 C:\WINNT\system32\config\SECURITY.LOG
H 8/18/2005 01:02:44 PM 1024 C:\WINNT\system32\config\software.LOG
SH 8/16/2005 01:16:42 PM 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\39ae9ca0-0cad-4d5b-a46f-b163ebecbe78
SH 8/16/2005 01:16:42 PM 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/18/2005 12:59:14 PM 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 6/20/2003 08:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 237328 C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Intel Corporation 9/9/2002 01:12:56 AM 94208 C:\WINNT\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 08:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2/20/2001 02:09:54 PM 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 6/20/2003 08:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 09:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 03:52:54 AM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 125712 C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 04:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 08:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 07:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 6/20/2003 08:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/26/2005 04:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
9/7/2004 11:50:10 AM 38475 C:\Documents and Settings\SLambrow\Application Data\Comma Separated Values (DOS).ADR
2/5/2004 03:15:44 PM 17184 C:\Documents and Settings\SLambrow\Application Data\GDIPFONTCACHEV1.DAT
9/7/2004 12:37:26 PM 38460 C:\Documents and Settings\SLambrow\Application Data\Microsoft Excel.ADR
9/7/2004 12:38:04 PM 9344 C:\Documents and Settings\SLambrow\Application Data\Microsoft Excel.EML

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\system32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\system32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
Smapp C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
IgfxTray C:\WINNT\system32\igfxtray.exe
HotKeysCmds C:\WINNT\system32\hkcmd.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
vptray C:\Program Files\NavNT\vptray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
pdfMachine dispatcher c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="BroadGun pdfMachine" -port="PDFPORT1:"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/18/2005 01:05:02 PM

________________________________________________________________

Track qoo Log

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"pdfMachine dispatcher"="c:\\Program Files\\BroadGun Software\\pdfMachine\\mapisnd.exe -printer=\"BroadGun pdfMachine\" -port=\"PDFPORT1:\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINNT\system32\docprop2.dll

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINNT\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINNT\system32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

==============================
C:\Documents and Settings\SLambrow\Start Menu\Programs\Startup

==============================
C:\WINNT\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
INPUT.CPL Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sticpl.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

_______________________________________________________________

Ewido Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:56:56 PM, 8/18/2005
+ Report-Checksum: E1732F23

+ Scan result:

C:\Documents and Settings\SLambrow\Cookies\slambrow@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\SLambrow\Cookies\slambrow@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End

_____________________________________________________________

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 01:09:36 PM, on 8/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Documents and Settings\SLambrow\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfMachine dispatcher] c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="BroadGun pdfMachine" -port="PDFPORT1:"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

___________________________________________________________

I'm praying for a clean slate.

Thanks again.
Old 08-18-2005, 02:40 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


Polite Bump.
Old 08-18-2005, 03:02 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


Well done. Your logs appear clean. I know you're anxious to move on, and I am for you to, but I'd like you to run two more tools, to see if anything has been left behind.....

Download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 08-19-2005, 06:22 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


It just never ends! There should be a program where you press one thing and you're 100% clean =)

anyway..

Trend Micro Log (second one)


Started Scanning
Internet Cookies
Found 'atdmt.com' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning

___________________________________________________________

Panda Log


Incident Status Location

Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Spyware:spyware/surfsidekick No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\!Submit\ProxyStub.dll
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\SLambrow\My Documents\l2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\SLambrow\My Documents\l2mfix.exe[Process.exe]
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll

____________________________________________________________

Thanks again for the help.
Old 08-19-2005, 09:24 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


I agree...a one touch solution would be nice.....alas!

This is just a bit of cleanup......the registry finding is a remnant, and can be cleaned with a registry cleaner such as CCleaner or Registry Mechanic.

Make sure you can still view hidden files and folders.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot' and "Unregister .dll before Deleting". Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say yes:

C:\Program Files\Aprps\ProxyStub.dll
C:\!Submit\ProxyStub.dll


Reboot into safe mode.

Next, navigate to and manually delete the following folders:

C:\Program Files\Aprps
C:\!Submit

Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into normal mode now.

Run another scan at Panda, and post that log and a new HJT log here. We should be close now....and then we'll get you some better protection information.
Old 08-19-2005, 01:06 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


I used regseeker to try to get rid of that registry entry but it didn't seem to pick it up. It did pick up a bunch of other stuff, but that's another issue.

Then I followed the rest of the directions.

Panda Log


Incident Status Location

Spyware:spyware/surfsidekick No disinfected Windows Registry
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\SLambrow\My Documents\l2mfix\l2mfix\Process.exe
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\SLambrow\My Documents\l2mfix.exe[Process.exe]
_____________________________________________________________

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 03:14:39 PM, on 8/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Documents and Settings\SLambrow\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfMachine dispatcher] c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="BroadGun pdfMachine" -port="PDFPORT1:"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = picorp1.picorp.net
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
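As an added example (not from the thread, and not part of HijackThis or Panda), a small Python parser for the HijackThis 1.99.1 log format posted above: it diffs two logs case-insensitively so the repeated HJT logs in this thread can be compared mechanically, and it cross-references a scanner's flagged paths (the Panda hits above) against the HJT load points, which is the check behind deciding whether a finding still has an active file or is just a leftover. The sample logs are constructed excerpts of the thread's own entries; the first O2 line and its all-zero CLSID are placeholders standing in for a load point for the flagged ProxyStub.dll.

```python
import re

# Constructed sample logs in the HijackThis 1.99.1 format posted throughout this thread. The
# entries are copied from the thread's logs except the first O2 line, a constructed load point
# for the ProxyStub.dll that Panda flagged (its CLSID is a placeholder, not a real one).
EARLIER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Aprps\ProxyStub.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""
LATER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""
# File paths from the Panda ActiveScan report posted in this thread.
PANDA_HITS = [r"C:\Program Files\Aprps\ProxyStub.dll", r"C:\!Submit\ProxyStub.dll"]

# Every HJT finding starts with a section tag (R0..R3, F0..F3, O1..O23) followed by ' - '.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return (section, body) for each finding; the header and running-process list are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def entry_path(section, body):
    """Lower-cased path of the file an entry loads, for the sections that name one."""
    if section == "O2":                                   # 'BHO: name - {CLSID} - path'
        return body.split("} - ", 1)[-1].strip().lower()  # split after the CLSID: paths may contain ' - '
    if section == "O23":                                  # 'Service: name - vendor - path'
        return body.rsplit(" - ", 1)[-1].strip().lower()
    if section == "O4":                                   # 'HKLM\..\Run: [Name] "path" args'
        cmd = body.split("] ", 1)[-1].strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0].lower()
        return re.split(r"\s[-/]", cmd)[0].lower()        # unquoted: stop at the first ' -x' / ' /x' switch
    return None

def diff_logs(earlier, later):
    """Findings removed from / added in the later log; compared case-insensitively like Windows paths."""
    old = {(s, re.sub(r"\s+", " ", b).strip().lower()) for s, b in parse_hjt(earlier)}
    new = {(s, re.sub(r"\s+", " ", b).strip().lower()) for s, b in parse_hjt(later)}
    return sorted(old - new), sorted(new - old)

def cross_reference(hjt_text, scanner_paths):
    """For each scanner-flagged file, the HJT sections that load it; [] means no active load point."""
    loaders = {}
    for section, body in parse_hjt(hjt_text):
        path = entry_path(section, body)
        if path:
            loaders.setdefault(path, []).append(section)
    return {p: loaders.get(p.lower(), []) for p in scanner_paths}
```

With the logs above, the only difference is the constructed ProxyStub load point disappearing, and the second Panda hit has no load point in either log, so a scanner report of it is a leftover file rather than something that runs at startup.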
Old 08-19-2005, 01:30 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,179
OS: 2000 Pro; XP Pro; XP Home


There is no active file associated with that registry entry....it is just clutter right now. See if CCleaner will do the trick.

Download CCleaner

Let's allow this tool to back up the registry before using it to clean your system.

First click the 'Issues' tab, then 'Options', then 'Advanced'; then in the right pane, check the box that says 'show prompt to backup registry'.

Next, click 'Scan for Issues'. After the scan, click 'Fix selected issues'



Other than that...... Your logs are clean. Any more issues? If not you should be good to go.

We still have a few items to address.


Reset hidden/system files and folders
Windows 2000
===============
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Advanced settings box option.
  • Select the Hidden files Folders.
  • Deselect the Show all files option.
  • Click Yes to confirm.
  • Click OK.


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:
In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles
Old 08-19-2005, 01:47 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 11
OS: Win 2000 Pro.


Again, thanks for all the help. Vote tetonbob for president, I say. I'll be sure to come back if I have any questions or issues.

Thanks!
Copyright 2001 - 2009, Tech Support Forum