|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
04-05-2006, 10:21 AM
|
#1 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
 |
IN PC HELL! Please help- HJT Attached
Please help me! I am having so many problems that I don't know where to start! I have run in safe mode and run all the spyware, antivirus, cleaners etc that I could. I am getting constant popups, internet redirects, and weird notepad files keep appearing on my desktop. I also have redirected links showing up in Yahoo (Intellitext looking stuff). Every time I get rid of something, something new shows up! I need help, i am not computer savvy enough to deal with this!
Here's my latest HJT Log: Logfile of HijackThis v1.99.1 Scan saved at 12:11:36 PM, on 4/5/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\basfipm.exe C:\WINDOWS\system32\drivers\dcfssvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe C:\Program Files\TightVNC\WinVNC.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\WINDOWS\System32\HPZipm12.exe C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-i.globalhomeproducts.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Home Products R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,cqatthl.exe O1 - Hosts: 165.136.75.230 ghpdd1.globalhomeproducts.com ghpdd1 O1 - Hosts: 165.136.75.245 ghpda1.globalhomeproducts.com ghpda1 O1 - Hosts: 165.136.75.232 ghptd1.globalhomeproducts.com ghptd1 O1 - Hosts: 165.136.75.233 ghpta1.globalhomeproducts.com ghpta1 O1 - Hosts: 165.136.75.234 ghptw1.globalhomeproducts.com ghptw1 O1 - Hosts: 165.136.75.236 ghpmd1.globalhomeproducts.com ghpmd1 O1 - Hosts: 165.136.75.237 ghpmd2.globalhomeproducts.com ghpmd2 O1 - Hosts: 165.136.75.238 ghpma1.globalhomeproducts.com ghpma1 O1 - Hosts: 165.136.75.239 ghpma2.globalhomeproducts.com ghpma2 O1 - Hosts: 165.136.75.240 ghpmw1.globalhomeproducts.com ghpmw1 O1 - Hosts: 165.136.75.241 ghpmw2.globalhomeproducts.com ghpmw2 O1 - Hosts: 165.136.75.130 ghppd1.globalhomeproducts.com ghppd1 O1 - Hosts: 165.136.75.131 ghppd2.globalhomeproducts.com ghppd2 O1 - Hosts: 165.136.75.132 ghppa1.globalhomeproducts.com ghppa1 O1 - Hosts: 165.136.75.133 ghppa2.globalhomeproducts.com ghppa2 O1 - Hosts: 165.136.75.134 ghppw1.globalhomeproducts.com ghppw1 O1 - Hosts: 165.136.75.135 ghppw2.globalhomeproducts.com ghppw2 O1 - Hosts: 165.136.75.136 ghppbi1.globalhomeproducts.com ghppbi1 O1 - Hosts: 165.136.75.137 ghpprpt1.globalhomeproducts.com ghpprpt1 O1 - Hosts: 63.175.54.214 kshare.scglobal.com O1 - Hosts: 126.14.24.61 ehrms.adphc.com O1 - Hosts: 126.14.48.95 ghp.hostedeet.com O1 - Hosts: 126.14.48.165 ghpent.hostedeet.com O1 - Hosts: 155.16.119.20 2200 pscars01.ps.net O1 - Hosts: 155.16.119.30 2200 pscweb01.ps.net O1 - Hosts: 155.16.119.10 2200 opastest01.ps.net O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsq4A.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmuumk.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www-i.globalhomeproducts.com O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.formica.com/qp2.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140719415747 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {ACF93F61-9F60-4C1E-A015-E3B3812BD58C} (PVDMDocViewControls.PVDMDocView) - https://login.imagesilo.com/CABS/PVDMDocView400.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ariba.webex.com/client/v_myw...ex/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\Software\..\Telephony: DomainName = main.globalhomeproducts.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\k6jslg1716.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\o484lelq1hqe.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
04-05-2006, 01:24 PM
|
#2 (permalink) |
|
Manager, The Conversation Pit/Analyst, Security Team
Join Date: Apr 2002
Location: NW Territory circa 1787
Posts: 11,698
OS: winxp pro sp2
 |
Hello Kayla and Welcome to TSF!!! All apologies on the delay.........
You have the latest version of VX2. Download L2mfix from one of these two locations: http://www.downloads.subratam.org/l2mfix.exe http://www.atribune.org/downloads/l2mfix.exe Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread. IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log. IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! If after the reboot the log does not open double click on it in the l2mfix folder and post that log. Along with a fresh HJT log. Credit shadowwar
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain" 
|
|
|
|
|
04-05-2006, 06:18 PM
|
#3 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
Thank you so much! ok, here's l2mfix option #1 log:
L2MFIX find log 032106
These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] "DLLName"="Ati2evxx.dll" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000001 "Lock"="AtiLockEvent" "Logoff"="AtiLogoffEvent" "Logon"="AtiLogonEvent" "Disconnect"="AtiDisConnectEvent" "Reconnect"="AtiReConnectEvent" "Safe"=dword:00000000 "Shutdown"="AtiShutdownEvent" "StartScreenSaver"="AtiStartScreenSaverEvent" "StartShell"="AtiStartShellEvent" "Startup"="AtiStartupEvent" "StopScreenSaver"="AtiStopScreenSaverEvent" "Unlock"="AtiUnLockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbawx] "Asynchronous"=dword:00000001 "DllName"="C:\\WINDOWS\\system32\\cbawx.dll" "Impersonate"=dword:00000000 "Startup"="SysLogon" "Logoff"="SysLogoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\k6jslg1716.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon] "DllName"="C:\\WINDOWS\\System32\\NavLogon.dll" "StartShell"="NavStartShellEvent" "Logoff"="NavLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\o484lelq1hqe.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{7A72C272-FC32-FE7C-D5B8-F8DFF2793276}"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension" "{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Unbind" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions" "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu" "{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices" "{B446400D-0030-457b-8F64-422A19605186}"="Logitech Gallery" "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band" "{1014C30A-47E3-4726-9189-C56A77C627D3}"="" @="" "{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}"="PhotoToys" "{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References" "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References" ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ browseui.dll Mon Jan 9 2006 2:01:58p A.... 1,022,976 999.00 K cbawx.dll Tue Mar 28 2006 10:40:28a ..SH. 577,588 564.05 K cbxxw.dll Mon Mar 27 2006 10:39:36p ..SH. 38,925 38.01 K cdfview.dll Mon Jan 9 2006 2:01:58p A.... 151,040 147.50 K danim.dll Mon Jan 9 2006 2:01:58p A.... 1,054,208 1.00 M dxtrans.dll Mon Jan 9 2006 2:01:58p A.... 205,312 200.50 K extmgr.dll Mon Jan 9 2006 2:01:58p ..... 55,808 54.50 K hscmajw.dll Wed Mar 29 2006 12:56:42p A.... 51,712 50.50 K iepeers.dll Mon Jan 9 2006 2:01:58p A.... 251,904 246.00 K inseng.dll Mon Jan 9 2006 2:01:58p A.... 96,256 94.00 K irismon.dll Tue Apr 4 2006 7:56:02a A.... 417,792 408.00 K legitc~1.dll Tue Feb 14 2006 9:20:14a A.... 550,120 537.23 K mshtml.dll Tue Jan 31 2006 10:59:04p A.... 3,073,024 2.93 M mshtmled.dll Mon Jan 9 2006 2:02:00p A.... 448,512 438.00 K msrating.dll Mon Jan 9 2006 2:02:00p A.... 146,432 143.00 K mstime.dll Mon Jan 9 2006 2:02:00p A.... 530,944 518.50 K msxml3a.dll Tue Apr 4 2006 7:56:00a A.... 24,576 24.00 K pngfilt.dll Mon Jan 9 2006 2:02:00p A.... 39,424 38.50 K shdocvw.dll Mon Jan 9 2006 2:02:00p A.... 1,495,040 1.43 M shlwapi.dll Mon Jan 9 2006 2:02:00p A.... 474,112 463.00 K sporder.dll Tue Mar 28 2006 12:29:24p A.... 8,464 8.27 K urlmon.dll Mon Jan 9 2006 2:02:00p A.... 613,376 599.00 K wininet.dll Mon Jan 9 2006 2:02:00p A.... 662,016 646.50 K xpsp3res.dll Tue Feb 7 2006 9:04:54p A.... 22,528 22.00 K 24 items found: 24 files (2 H/S), 0 directories. Total of file sizes: 12,012,089 bytes 11.45 M Locate .tmp files: C:\WINDOWS\SYSTEM32\ gjqpud~1.tmp Wed Apr 5 2006 3:35:48p A.... 127,488 124.50 K mcrh.tmp Mon Apr 3 2006 11:44:42a A.... 143 0.14 K xwabc.tmp Tue Mar 28 2006 11:54:48a ..SH. 361,409 352.94 K 3 items found: 3 files (1 H/S), 0 directories. Total of file sizes: 489,040 bytes 477.58 K ********************************************************************************** Directory Listing of system files: Volume in drive C has no label. Volume Serial Number is F8FD-7292 Directory of C:\WINDOWS\System32 04/05/2006 08:18 PM 359,580 xwabc.ini2 04/05/2006 05:25 PM 340,584 xwabc.bak2 04/03/2006 01:18 PM <DIR> DLLCACHE 03/28/2006 11:54 AM 361,409 xwabc.tmp 03/28/2006 10:41 AM 358,461 xwabc.bak1 03/28/2006 10:41 AM 358,461 xwabc.ini 03/28/2006 10:40 AM 577,588 cbawx.dll 03/27/2006 10:39 PM 38,925 cbxxw.dll 05/19/2004 01:14 AM <DIR> Microsoft 7 File(s) 2,395,008 bytes 2 Dir(s) 23,167,709,184 bytes free |
|
|
|
|
04-05-2006, 06:31 PM
|
#4 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
L2MFIX Option 2 Log and Fresh HJT
L2mfix 032106
Creating Account. The command completed successfully. Adding Administrative privleges. The command completed successfully. Checking for L2MFix account(0=no 1=yes): 1 Granting SeDebugPrivilege to L2MFIX ... successful Running From: C:\WINDOWS\system32 Killing Processes! Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 488 'smss.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 640 'winlogon.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 1644 'explorer.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Error, Cannot find a process with an image name of rundll32.exe Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... successful Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! Restoring Windows Update Certificates.: The following Is the Current Export of the Winlogon notify key: **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] "DLLName"="Ati2evxx.dll" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000001 "Lock"="AtiLockEvent" "Logoff"="AtiLogoffEvent" "Logon"="AtiLogonEvent" "Disconnect"="AtiDisConnectEvent" "Reconnect"="AtiReConnectEvent" "Safe"=dword:00000000 "Shutdown"="AtiShutdownEvent" "StartScreenSaver"="AtiStartScreenSaverEvent" "StartShell"="AtiStartShellEvent" "Startup"="AtiStartupEvent" "StopScreenSaver"="AtiStopScreenSaverEvent" "Unlock"="AtiUnLockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbawx] "Asynchronous"=dword:00000001 "DllName"="C:\\WINDOWS\\system32\\cbawx.dll" "Impersonate"=dword:00000000 "Startup"="SysLogon" "Logoff"="SysLogoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\k6jslg1716.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon] "DllName"="C:\\WINDOWS\\System32\\NavLogon.dll" "StartShell"="NavStartShellEvent" "Logoff"="NavLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\o484lelq1hqe.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: **************************************************************************** Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{1014C30A-47E3-4726-9189-C56A77C627D3}"=- [-HKEY_CLASSES_ROOT\CLSID\{1014C30A-47E3-4726-9189-C56A77C627D3}] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** Checking for L2MFix account(0=no 1=yes): 0 Zipping up files for submission: zip warning: name not matched: dlls\*.* zip error: Nothing to do! (backup.zip) adding: backregs/notibac.reg (164 bytes security) (deflated 88%) adding: backregs/shell.reg (164 bytes security) (deflated 73%) Logfile of HijackThis v1.99.1 Scan saved at 8:35:32 PM, on 4/5/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\WINDOWS\System32\basfipm.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\WINDOWS\system32\drivers\dcfssvc.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\Program Files\Apoint\Apntex.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe C:\Program Files\TightVNC\WinVNC.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-i.globalhomeproducts.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Home Products R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,cqatthl.exe O1 - Hosts: 165.136.75.230 ghpdd1.globalhomeproducts.com ghpdd1 O1 - Hosts: 165.136.75.245 ghpda1.globalhomeproducts.com ghpda1 O1 - Hosts: 165.136.75.232 ghptd1.globalhomeproducts.com ghptd1 O1 - Hosts: 165.136.75.233 ghpta1.globalhomeproducts.com ghpta1 O1 - Hosts: 165.136.75.234 ghptw1.globalhomeproducts.com ghptw1 O1 - Hosts: 165.136.75.236 ghpmd1.globalhomeproducts.com ghpmd1 O1 - Hosts: 165.136.75.237 ghpmd2.globalhomeproducts.com ghpmd2 O1 - Hosts: 165.136.75.238 ghpma1.globalhomeproducts.com ghpma1 O1 - Hosts: 165.136.75.239 ghpma2.globalhomeproducts.com ghpma2 O1 - Hosts: 165.136.75.240 ghpmw1.globalhomeproducts.com ghpmw1 O1 - Hosts: 165.136.75.241 ghpmw2.globalhomeproducts.com ghpmw2 O1 - Hosts: 165.136.75.130 ghppd1.globalhomeproducts.com ghppd1 O1 - Hosts: 165.136.75.131 ghppd2.globalhomeproducts.com ghppd2 O1 - Hosts: 165.136.75.132 ghppa1.globalhomeproducts.com ghppa1 O1 - Hosts: 165.136.75.133 ghppa2.globalhomeproducts.com ghppa2 O1 - Hosts: 165.136.75.134 ghppw1.globalhomeproducts.com ghppw1 O1 - Hosts: 165.136.75.135 ghppw2.globalhomeproducts.com ghppw2 O1 - Hosts: 165.136.75.136 ghppbi1.globalhomeproducts.com ghppbi1 O1 - Hosts: 165.136.75.137 ghpprpt1.globalhomeproducts.com ghpprpt1 O1 - Hosts: 63.175.54.214 kshare.scglobal.com O1 - Hosts: 126.14.24.61 ehrms.adphc.com O1 - Hosts: 126.14.48.95 ghp.hostedeet.com O1 - Hosts: 126.14.48.165 ghpent.hostedeet.com O1 - Hosts: 155.16.119.20 2200 pscars01.ps.net O1 - Hosts: 155.16.119.30 2200 pscweb01.ps.net O1 - Hosts: 155.16.119.10 2200 opastest01.ps.net O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www-i.globalhomeproducts.com O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.formica.com/qp2.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140719415747 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {ACF93F61-9F60-4C1E-A015-E3B3812BD58C} (PVDMDocViewControls.PVDMDocView) - https://login.imagesilo.com/CABS/PVDMDocView400.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ariba.webex.com/client/v_myw...ex/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\Software\..\Telephony: DomainName = main.globalhomeproducts.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\k6jslg1716.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\o484lelq1hqe.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing) |
|
|
|
|
04-06-2006, 10:24 AM
|
#5 (permalink) |
|
Manager, The Conversation Pit/Analyst, Security Team
Join Date: Apr 2002
Location: NW Territory circa 1787
Posts: 11,698
OS: winxp pro sp2
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Also if you have any programs that may prevent system changes (like Spybot's TeaTimer program, Ad-aware's Ad-Watch, and others), make sure you disable them before doing any of the fixes (or accept the changes for the fix we give you when asked by the programs).
Go to My Computer->Tools (or View)->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98). * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). =============================================================== Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found: =============================================================== Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,cqatthl. exe O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O16 - DPF: {ACF93F61-9F60-4C1E-A015-E3B3812BD58C} (PVDMDocViewControls.PVDMDocView) - https://login.imagesilo.com/CABS/PVDMDocView400.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ariba.webex.com/client/v_myw...ex/ieatgpc.cab O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\k6jslg1716.dll (file missing) O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\o484lelq1hqe.dll (file missing) =============================================================== Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\system32\rusqj.exe cqatthl.exe C:\WINDOWS\system32\cbawx.dll C:\WINDOWS\system32\k6jslg1716.dll C:\WINDOWS\system32\o484lelq1hqe.dll =============================================================== Reboot your system in Normal Mode. Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner
*Turn off the real time scanner of any existing antivirus program while performing the online scan Paste the Panda Scan report here together with a new HiJack This log.
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"
|
|
|
|
|
04-06-2006, 12:28 PM
|
#6 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
Problem with Safe Mode
I'm having issues in safe mode. When I restart in safe mode my desktop is not visible. I just have a black screen that says safe mode in the corners and some other writing around the edges. The only way that I can access anything is to control+alt+delete and browse for new task through the task manager. Unfortunately though, when I go to Windows/system32/control to open the control manager it won't open. Desktop shows as a running program for a second and then goes away and the control panel never opens. The desktop itself will flash for a minute and then disappear. I get the standard message that I'm running in safe mode and some options will not be available and asks if I wat to go to restore instead.
I'm not sure if I am doing something wrong when I go into safe mode or what. I am just restarting and hitting F8 to get the safe mode option and logging on that way. Any ideas?  Thanks! |
|
|
|
|
04-06-2006, 03:14 PM
|
#7 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
Disregard Previous Post
Disregard my post about safemode. It's still not working correctly, but I was able to use the browse function in taskmanager while in safe mode to run HJT and to check for the files on the C drive. Getting ready to run the Panda Activescan. Will post shortly.
|
|
|
|
|
04-06-2006, 06:11 PM
|
#8 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
Panda Scan and HJT Log
Panda Scan TXT file attached
Logfile of HijackThis v1.99.1 Scan saved at 8:15:32 PM, on 4/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\WINDOWS\System32\basfipm.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\system32\drivers\dcfssvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe C:\Program Files\TightVNC\WinVNC.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-i.globalhomeproducts.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Home Products R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl.exe O1 - Hosts: 165.136.75.230 ghpdd1.globalhomeproducts.com ghpdd1 O1 - Hosts: 165.136.75.245 ghpda1.globalhomeproducts.com ghpda1 O1 - Hosts: 165.136.75.232 ghptd1.globalhomeproducts.com ghptd1 O1 - Hosts: 165.136.75.233 ghpta1.globalhomeproducts.com ghpta1 O1 - Hosts: 165.136.75.234 ghptw1.globalhomeproducts.com ghptw1 O1 - Hosts: 165.136.75.236 ghpmd1.globalhomeproducts.com ghpmd1 O1 - Hosts: 165.136.75.237 ghpmd2.globalhomeproducts.com ghpmd2 O1 - Hosts: 165.136.75.238 ghpma1.globalhomeproducts.com ghpma1 O1 - Hosts: 165.136.75.239 ghpma2.globalhomeproducts.com ghpma2 O1 - Hosts: 165.136.75.240 ghpmw1.globalhomeproducts.com ghpmw1 O1 - Hosts: 165.136.75.241 ghpmw2.globalhomeproducts.com ghpmw2 O1 - Hosts: 165.136.75.130 ghppd1.globalhomeproducts.com ghppd1 O1 - Hosts: 165.136.75.131 ghppd2.globalhomeproducts.com ghppd2 O1 - Hosts: 165.136.75.132 ghppa1.globalhomeproducts.com ghppa1 O1 - Hosts: 165.136.75.133 ghppa2.globalhomeproducts.com ghppa2 O1 - Hosts: 165.136.75.134 ghppw1.globalhomeproducts.com ghppw1 O1 - Hosts: 165.136.75.135 ghppw2.globalhomeproducts.com ghppw2 O1 - Hosts: 165.136.75.136 ghppbi1.globalhomeproducts.com ghppbi1 O1 - Hosts: 165.136.75.137 ghpprpt1.globalhomeproducts.com ghpprpt1 O1 - Hosts: 63.175.54.214 kshare.scglobal.com O1 - Hosts: 126.14.24.61 ehrms.adphc.com O1 - Hosts: 126.14.48.95 ghp.hostedeet.com O1 - Hosts: 126.14.48.165 ghpent.hostedeet.com O1 - Hosts: 155.16.119.20 2200 pscars01.ps.net O1 - Hosts: 155.16.119.30 2200 pscweb01.ps.net O1 - Hosts: 155.16.119.10 2200 opastest01.ps.net O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www-i.globalhomeproducts.com O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.formica.com/qp2.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140719415747 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\Software\..\Telephony: DomainName = main.globalhomeproducts.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing) |
|
|
|
|
04-07-2006, 09:26 AM
|
#9 (permalink) |
|
Manager, The Conversation Pit/Analyst, Security Team
Join Date: Apr 2002
Location: NW Territory circa 1787
Posts: 11,698
OS: winxp pro sp2
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Also if you have any programs that may prevent system changes (like Spybot's TeaTimer program, Ad-aware's Ad-Watch, and others), make sure you disable them before doing any of the fixes (or accept the changes for the fix we give you when asked by the programs).
Go to My Computer->Tools (or View)->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98). * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). =============================================================== Download Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! Don’t run it yet =============================================================== Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any open browsers. =============================================================== Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl. Exe =============================================================== Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\windows\system32\rusqj.exe C:\WINDOWS\system32\hscmajw.dll C:\WINDOWS\keyboard61.dat C:\WINDOWS\SYSTEM32\cbxxw.dll C:\WINDOWS\SYSTEM32\gjqpu.dat C:\WINDOWS\SYSTEM32\gjqpu.dat.tmp =============================================================== Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
** Ewido scan would require at least an hour Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff. Reboot your system in Normal Mode and run a fresh HJT log along with another Panda Scan. Please post the logs. · HijackThis · Ewido · Panda
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"
|
|
|
|
|
04-10-2006, 11:14 AM
|
#10 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
Sorry it took me a little while, but here are the logs
Logfile of HijackThis v1.99.1
Scan saved at 2:59:25 PM, on 4/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\WINDOWS\System32\basfipm.exe C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE C:\WINDOWS\system32\drivers\dcfssvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe C:\Program Files\TightVNC\WinVNC.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-i.globalhomeproducts.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Home Products R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl.exe O1 - Hosts: 165.136.75.230 ghpdd1.globalhomeproducts.com ghpdd1 O1 - Hosts: 165.136.75.245 ghpda1.globalhomeproducts.com ghpda1 O1 - Hosts: 165.136.75.232 ghptd1.globalhomeproducts.com ghptd1 O1 - Hosts: 165.136.75.233 ghpta1.globalhomeproducts.com ghpta1 O1 - Hosts: 165.136.75.234 ghptw1.globalhomeproducts.com ghptw1 O1 - Hosts: 165.136.75.236 ghpmd1.globalhomeproducts.com ghpmd1 O1 - Hosts: 165.136.75.237 ghpmd2.globalhomeproducts.com ghpmd2 O1 - Hosts: 165.136.75.238 ghpma1.globalhomeproducts.com ghpma1 O1 - Hosts: 165.136.75.239 ghpma2.globalhomeproducts.com ghpma2 O1 - Hosts: 165.136.75.240 ghpmw1.globalhomeproducts.com ghpmw1 O1 - Hosts: 165.136.75.241 ghpmw2.globalhomeproducts.com ghpmw2 O1 - Hosts: 165.136.75.130 ghppd1.globalhomeproducts.com ghppd1 O1 - Hosts: 165.136.75.131 ghppd2.globalhomeproducts.com ghppd2 O1 - Hosts: 165.136.75.132 ghppa1.globalhomeproducts.com ghppa1 O1 - Hosts: 165.136.75.133 ghppa2.globalhomeproducts.com ghppa2 O1 - Hosts: 165.136.75.134 ghppw1.globalhomeproducts.com ghppw1 O1 - Hosts: 165.136.75.135 ghppw2.globalhomeproducts.com ghppw2 O1 - Hosts: 165.136.75.136 ghppbi1.globalhomeproducts.com ghppbi1 O1 - Hosts: 165.136.75.137 ghpprpt1.globalhomeproducts.com ghpprpt1 O1 - Hosts: 63.175.54.214 kshare.scglobal.com O1 - Hosts: 126.14.24.61 ehrms.adphc.com O1 - Hosts: 126.14.48.95 ghp.hostedeet.com O1 - Hosts: 126.14.48.165 ghpent.hostedeet.com O1 - Hosts: 155.16.119.20 2200 pscars01.ps.net O1 - Hosts: 155.16.119.30 2200 pscweb01.ps.net O1 - Hosts: 155.16.119.10 2200 opastest01.ps.net O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www-i.globalhomeproducts.com O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.formica.com/qp2.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140719415747 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\Software\..\Telephony: DomainName = main.globalhomeproducts.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing) --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 2:46:09 PM, 4/7/2006 + Report-Checksum: 290EC118 + Scan result: [268] C:\WINDOWS\system32\cbawx.dll -> Adware.Virtumonde : Cleaned with backup [988] C:\WINDOWS\system32\hscmajw.dll -> Downloader.Qoologic.bj : Cleaned with backup C:\Program Files\WebEx\ieatgpc.tmp/ieatgpc.dll -> Adware.WebEx : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP426\A0065890.exe -> Not-A-Virus.PSWTool.Win32.GetPass.e : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP429\A0066432.dll -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066538.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066539.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066540.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066550.exe -> Adware.WebHancer : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066553.dll -> Adware.WebHancer : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066555.exe -> Adware.WebHancer : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066557.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066561.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0066562.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067038.exe -> Trojan.Small : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067039.EXE -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067053.dll -> Adware.SurfSide : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067097.ocx -> Adware.Coupons : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067100.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067102.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067105.exe -> Downloader.PurityScan.w : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067109.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0067110.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0068123.dll -> Adware.SurfSide : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0068125.exe -> Adware.SurfSide : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP442\A0068141.dll -> Adware.WebHancer : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP445\A0068591.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0069375.dll -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0069465.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0069467.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\snapshot\MFEX-3.DAT -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0069470.exe -> Adware.SafeSurfing : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\snapshot\MFEX-3.DAT -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0069476.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0069868.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0069891.old -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0069958.old -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0070294.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\SYSTEM32\cbxxw.dll -> Adware.Virtumonde : Cleaned with backup C:\WINDOWS\SYSTEM32\gjqpu.dat -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\SYSTEM32\gjqpu.dat.tmp -> Downloader.Qoologic.bj : Cleaned with backup C:\WINDOWS\SYSTEM32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup ::Report End Incident Status Location Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\hscmajw.dll Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard61.dat Adware:adware/vaultsearch Not disinfected Windows Registry Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@888[1].txt Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@888[2].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@ad.yieldmanager[1].txt Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@adopt.hbmediapro[1].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@ads.pointroll[1].txt Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@adultfriendfinder[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@as-us.falkag[1].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@as1.falkag[2].txt Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@azjmp[2].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@casalemedia[2].txt Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@cassava[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@perf.overture[1].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@questionmarket[2].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@realmedia[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@server.iad.liveperson[1].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@serving-sys[2].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@stats1.reliablestats[2].txt Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@tickle[1].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@trafficmp[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@tribalfusion[1].txt Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@webpower[2].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@www.myaffiliateprogram[1].txt Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@z1.adserver[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@zedo[1].txt Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@888[1].txt Spyware:Cookie/888 Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@888[2].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@ad.yieldmanager[1].txt Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@adopt.hbmediapro[1].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@ads.pointroll[1].txt Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@adultfriendfinder[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@as-us.falkag[1].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@as1.falkag[2].txt Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@azjmp[2].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@casalemedia[2].txt Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@cassava[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@perf.overture[1].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@questionmarket[2].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@realmedia[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@server.iad.liveperson[1].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@serving-sys[2].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@stats1.reliablestats[2].txt Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@tickle[1].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@trafficmp[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@tribalfusion[1].txt Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@webpower[2].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@www.myaffiliateprogram[1].txt Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@z1.adserver[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\ajacobs\Cookies\ajacobs@zedo[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ajacobs\Desktop\l2mfix\l2mfix.exe[Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ajacobs\Desktop\l2mfix\Process.exe Adware:Adware/Qoologic Not disinfected C:\WINDOWS\SYSTEM32\gjqpu.dat Adware:Adware/Qoologic Not disinfected C:\WINDOWS\SYSTEM32\__delete_on_reboot__hscmajw.dll Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\General Office\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe] Virus:W32/Sober.AH.worm!CME-681 Not disinfected Personal Folders\General Office\You visit illegal websites\list.zip[File-packed_dataInfo.exe] |
|
|
|
|
04-10-2006, 10:21 PM
|
#11 (permalink) |
|
Analyst, Security Team
|
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Also if you have any programs that may prevent system changes (like Spybot's TeaTimer program, Ad-aware's Ad-Watch, and others), make sure you disable them before doing any of the fixes (or accept the changes for the fix we give you when asked by the programs). Go to My Computer->Tools (or View)->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98). * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. ** You may change the above options back after your log is clean. If we ask you to fix something that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download Brute Force Uninstaller http://www.merijn.org/files/bfu.zip and unzip it to it’s own folder (c:\BFU). Run the program and click the Web button located on the top right corner. Copy and paste the below web address into the address bar of the Download script window: http://metallica.geekstogo.com/alcanshorty.bfu Checkmark the following boxes: Use settings specified in script for the above option. Show log after script ends. Execute the script by clicking the Execute button. When it finishes running, click the Save button for a copy of the log. Post the log created by the script when you have completed the fix. Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any internet browsers that may still be open. Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl. exe O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file) O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them): C:\WINDOWS\system32\rusqj.exe C:\WINDOWS\SYSTEM32\cqatthl. exe C:\WINDOWS\system32\hscmajw.dll C:\WINDOWS\keyboard61.dat C:\WINDOWS\SYSTEM32\gjqpu.dat C:\WINDOWS\SYSTEM32\__delete_on_reboot__hscmajw.dll C:\Program Files\Common Files\VCClient\ Restart and run a new HijackThis scan. Save the log file and post it here. Also give us this log: Download FindQool http://downloads.subratam.org/Lon/FindQool.zip * Extract the files and place the FindQool folder in root. Usually C:\ * Open the folder and run Qlocate.bat. * Post the contents of the txt.log which will open.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-11-2006, 07:52 AM
|
#12 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
New Logs and Notes
Ok, first, please see my notes below. The requested logs are posted underneath.
1. R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = is never visible in the HJT scan when I am in safe mode, only in normal. And of course, if I remove it in normal it just comes back. 2. I did not have HJT remove O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe. This is a required program on my system. 3. While in safe mode I could not find any of the files listed in your post that were supposed to be removed from the C:/ directory. They don't seem to ever be there when I'm in safe mode. 4. The VCClient file is related to number 2 above and cannot be removed. BFU v1.00.9 Windows XP SP2 (WinNT 5.01.2600 SP2) Script started at 9:32:02 AM, on 4/11/2006 Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found) Failed: ServiceStop Network Monitor (service not found) Failed: ServiceStop cmdService (service not found) Failed: ServiceDisable Network Monitor (service not found) Failed: ServiceDisable cmdService (service not found) Failed: ServiceDelete Network Monitor (service not found) Failed: ServiceDelete cmdService (service not found) Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found) Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found) Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler|{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found) Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found) Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found) Option pause between commands: 300 ms Option pause between commands: 50 ms Failed: FolderDelete C:\Program Files\MsConfigs (folder not found) Failed: FolderDelete C:\Program Files\winupdates (folder not found) Failed: FolderDelete C:\Program Files\winupdate (folder not found) Failed: FolderDelete C:\Program Files\winsupdater (folder not found) Failed: FolderDelete C:\Program Files\MsUpdate (folder not found) Failed: FolderDelete C:\Program Files\MsMovies (folder not found) Failed: FolderDelete C:\Program Files\wmplayer (folder not found) Failed: FolderDelete C:\Program Files\outlook (folder not found) Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed) Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed) Failed: FolderDelete C:\DOCUME~1\ajacobs\LOCALS~1\Temp\Temporary Directory 1 for bfu.zip (operation failed) Failed: FileDelete C:\DOCUME~1\ajacobs\LOCALS~1\Temp\~DFBFF9.tmp (operation failed) Failed: FileDelete C:\WINDOWS\Temp\Perflib_Perfdata_67c.dat (operation failed) Failed: FolderDelete C:\Program Files\Maxifiles (folder not found) Failed: FolderDelete C:\Program Files\DNS (folder not found) Failed: FolderDelete C:\Program Files\EQAdvice (folder not found) Failed: FolderDelete C:\Program Files\FCAdvice (folder not found) Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found) Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found) Failed: FolderDelete C:\Program Files\InetGet2 (folder not found) Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found) Failed: FolderDelete C:\Program Files\Network Monitor (folder not found) Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found) Failed: FolderDelete C:\Program Files\Update06 (folder not found) Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found) Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found) Script completed. Logfile of HijackThis v1.99.1 Scan saved at 9:45:38 AM, on 4/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\WINDOWS\System32\basfipm.exe C:\WINDOWS\system32\drivers\dcfssvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe C:\Program Files\TightVNC\WinVNC.exe C:\WINDOWS\system32\userinit.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-i.globalhomeproducts.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Home Products R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl.exe O1 - Hosts: 165.136.75.230 ghpdd1.globalhomeproducts.com ghpdd1 O1 - Hosts: 165.136.75.245 ghpda1.globalhomeproducts.com ghpda1 O1 - Hosts: 165.136.75.232 ghptd1.globalhomeproducts.com ghptd1 O1 - Hosts: 165.136.75.233 ghpta1.globalhomeproducts.com ghpta1 O1 - Hosts: 165.136.75.234 ghptw1.globalhomeproducts.com ghptw1 O1 - Hosts: 165.136.75.236 ghpmd1.globalhomeproducts.com ghpmd1 O1 - Hosts: 165.136.75.237 ghpmd2.globalhomeproducts.com ghpmd2 O1 - Hosts: 165.136.75.238 ghpma1.globalhomeproducts.com ghpma1 O1 - Hosts: 165.136.75.239 ghpma2.globalhomeproducts.com ghpma2 O1 - Hosts: 165.136.75.240 ghpmw1.globalhomeproducts.com ghpmw1 O1 - Hosts: 165.136.75.241 ghpmw2.globalhomeproducts.com ghpmw2 O1 - Hosts: 165.136.75.130 ghppd1.globalhomeproducts.com ghppd1 O1 - Hosts: 165.136.75.131 ghppd2.globalhomeproducts.com ghppd2 O1 - Hosts: 165.136.75.132 ghppa1.globalhomeproducts.com ghppa1 O1 - Hosts: 165.136.75.133 ghppa2.globalhomeproducts.com ghppa2 O1 - Hosts: 165.136.75.134 ghppw1.globalhomeproducts.com ghppw1 O1 - Hosts: 165.136.75.135 ghppw2.globalhomeproducts.com ghppw2 O1 - Hosts: 165.136.75.136 ghppbi1.globalhomeproducts.com ghppbi1 O1 - Hosts: 165.136.75.137 ghpprpt1.globalhomeproducts.com ghpprpt1 O1 - Hosts: 63.175.54.214 kshare.scglobal.com O1 - Hosts: 126.14.24.61 ehrms.adphc.com O1 - Hosts: 126.14.48.95 ghp.hostedeet.com O1 - Hosts: 126.14.48.165 ghpent.hostedeet.com O1 - Hosts: 155.16.119.20 2200 pscars01.ps.net O1 - Hosts: 155.16.119.30 2200 pscweb01.ps.net O1 - Hosts: 155.16.119.10 2200 opastest01.ps.net O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www-i.globalhomeproducts.com O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.formica.com/qp2.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140719415747 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\Software\..\Telephony: DomainName = main.globalhomeproducts.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing) Tue 04/11/2006 Running from: C:\FindQool PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE. Known file names MD5 Check.... C:\WINDOWS\system32\gjqpu.dat C:\WINDOWS\system32\blcmjb.exe C:\WINDOWS\system32\rusqj.exe C:\WINDOWS\system32\__delete_on_reboot__hscmajw.dll C:\WINDOWS\system32\hscmajw.dll Files found with locate com. C:\WINDOWS\SYSTEM32\HSCMAJW.DLL C:\WINDOWS\SYSTEM32\GJQPU.DAT C:\WINDOWS\SYSTEM32\BLCMJB.EXE C:\WINDOWS\SYSTEM32\RUSQJ.EXE C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\SSNNP.EXE Re-check using dir /a:-d C:\Documents and Settings\All Users\Start Menu\Programs\Startup 03/28/2006 12:29 PM 127,488 ssnnp.exe ... HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6} [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu] @="{BDA77241-42F6-11d0-85E2-00AA001FE28C}" ... Runs, Listed here as a Doublecheck for the locate com results HKLM "adgejy"="C:\\WINDOWS\\system32\\blcmjb.exe reg_run" HKCU "wanfk"="C:\\WINDOWS\\system32\\blcmjb.exe reg_run" ... Files In Winlogon shell and userinit Listed here as a Doublecheck for the locate com results shell REG_SZ Explorer.exe, C:\WINDOWS\system32\rusqj.exe userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl.exe ... SWReg utility Written by Bobbi Flekman © 2005 Findqool edited 4/05/2006 |
|
|
|
|
04-11-2006, 03:58 PM
|
#13 (permalink) | |
|
Analyst, Security Team
|
Quote:
Those files are not in the C: directory...make sure you searched in the proper location...c:\windows\...etc. wherever I listed the files to delete. Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Download VundoFix at http://www.atribune.org/ccount/click.php?id=4 and save it to your desktop. * Double-click VundoFix.exe to run it. * Put a check next to 'Run VundoFix as a task'. * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK * When VundoFix re-opens, click the 'Scan for Vundo' button. * Once it's done scanning, click the 'Remove Vundo' button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will shutdown your computer. click OK. * Turn your computer back on. * Please post the contents of C:\vundofix.txt here. Make sure the below in BOLD does not contain any spaces (with the exception of Windows NT). If they do, delete the extra space before saving. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad: REGEDIT4 [-HKEY_LOCAL_MACHINE\software\classes\folder\shellex \columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "adgejy"=- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "wanfk"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "UserInit"="C:\\WINDOWS\\system32\\userinit.exe," "Shell"="Explorer.exe" Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards. Fix these in HijackThis: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl. exe O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\cbawx.dll O20 - Winlogon Notify: cbawx - C:\WINDOWS\system32\cbawx.dll Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy and save the below in BOLD to a Notepad file. While in Notepad, make sure that none of the lines contain any spaces (like hscmajw.dl l and SSN NP.EXE...delete that extra space if there). If they do, delete the extra space. Then do a select all in notepad and copy. Go back to KillBox->File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes: C:\WINDOWS\system32\gjqpu.dat C:\WINDOWS\system32\blcmjb.exe C:\WINDOWS\system32\rusqj.exe C:\WINDOWS\system32\__delete_on_reboot__hscmajw.dll C:\WINDOWS\system32\hscmajw.dll C:\WINDOWS\system32\cbawx.dll C:\WINDOWS\SYSTEM32\cqatthl.exe C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\SSNNP.EXE If you get a PendingOperations message, just close it and restart your computer manually. Restart... Run a new FindQool scan...post that log here along with a new HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
|
04-11-2006, 07:15 PM
|
#14 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
New Logs
My apologies. I was under the impression that the VCMain had to do with my Venturi programs for my Blackberry.
Okay... Here's the new logs... Tue 04/11/2006 Running from: C:\FindQool PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE. Known file names MD5 Check.... Files found with locate com. Re-check using dir /a:-d C:\Documents and Settings\All Users\Start Menu\Programs\Startup ... HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6} [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu] @="{BDA77241-42F6-11d0-85E2-00AA001FE28C}" ... Runs, Listed here as a Doublecheck for the locate com results HKLM "adgejy"="C:\\WINDOWS\\system32\\blcmjb.exe reg_run" HKCU "wanfk"="C:\\WINDOWS\\system32\\blcmjb.exe reg_run" ... Files In Winlogon shell and userinit Listed here as a Doublecheck for the locate com results shell REG_SZ Explorer.exe, C:\WINDOWS\system32\rusqj.exe userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl.exe ... SWReg utility Written by Bobbi Flekman © 2005 Findqool edited 4/05/2006 Logfile of HijackThis v1.99.1 Scan saved at 9:12:41 PM, on 4/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\WINDOWS\System32\basfipm.exe C:\WINDOWS\system32\drivers\dcfssvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe C:\Program Files\TightVNC\WinVNC.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-i.globalhomeproducts.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Home Products F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rusqj.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,cqatthl.exe O1 - Hosts: 165.136.75.230 ghpdd1.globalhomeproducts.com ghpdd1 O1 - Hosts: 165.136.75.245 ghpda1.globalhomeproducts.com ghpda1 O1 - Hosts: 165.136.75.232 ghptd1.globalhomeproducts.com ghptd1 O1 - Hosts: 165.136.75.233 ghpta1.globalhomeproducts.com ghpta1 O1 - Hosts: 165.136.75.234 ghptw1.globalhomeproducts.com ghptw1 O1 - Hosts: 165.136.75.236 ghpmd1.globalhomeproducts.com ghpmd1 O1 - Hosts: 165.136.75.237 ghpmd2.globalhomeproducts.com ghpmd2 O1 - Hosts: 165.136.75.238 ghpma1.globalhomeproducts.com ghpma1 O1 - Hosts: 165.136.75.239 ghpma2.globalhomeproducts.com ghpma2 O1 - Hosts: 165.136.75.240 ghpmw1.globalhomeproducts.com ghpmw1 O1 - Hosts: 165.136.75.241 ghpmw2.globalhomeproducts.com ghpmw2 O1 - Hosts: 165.136.75.130 ghppd1.globalhomeproducts.com ghppd1 O1 - Hosts: 165.136.75.131 ghppd2.globalhomeproducts.com ghppd2 O1 - Hosts: 165.136.75.132 ghppa1.globalhomeproducts.com ghppa1 O1 - Hosts: 165.136.75.133 ghppa2.globalhomeproducts.com ghppa2 O1 - Hosts: 165.136.75.134 ghppw1.globalhomeproducts.com ghppw1 O1 - Hosts: 165.136.75.135 ghppw2.globalhomeproducts.com ghppw2 O1 - Hosts: 165.136.75.136 ghppbi1.globalhomeproducts.com ghppbi1 O1 - Hosts: 165.136.75.137 ghpprpt1.globalhomeproducts.com ghpprpt1 O1 - Hosts: 63.175.54.214 kshare.scglobal.com O1 - Hosts: 126.14.24.61 ehrms.adphc.com O1 - Hosts: 126.14.48.95 ghp.hostedeet.com O1 - Hosts: 126.14.48.165 ghpent.hostedeet.com O1 - Hosts: 155.16.119.20 2200 pscars01.ps.net O1 - Hosts: 155.16.119.30 2200 pscweb01.ps.net O1 - Hosts: 155.16.119.10 2200 opastest01.ps.net O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKLM\..\Run: [adgejy] C:\WINDOWS\system32\blcmjb.exe reg_run O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer O4 - HKCU\..\Run: [wanfk] C:\WINDOWS\system32\blcmjb.exe reg_run O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www-i.globalhomeproducts.com O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.formica.com/qp2.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140719415747 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\Software\..\Telephony: DomainName = main.globalhomeproducts.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing) |
|
|
|
|
04-13-2006, 06:01 PM
|
#15 (permalink) |
|
Analyst, Security Team
|
Make sure the below in BOLD does not contain any spaces (with the exception of Windows NT). If they do, delete the extra space before saving.
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad: REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "adgejy"=- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "wanfk"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "UserInit"="C:\\WINDOWS\\system32\\userinit.exe," "Shell"="Explorer.exe" Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards. Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes: C:\WINDOWS\system32\rusqj.exe C:\WINDOWS\system32\cqatthl. exe C:\WINDOWS\system32\blcmjb.exe If you get a PendingOperations message, just close it and restart your computer manually. Restart and post a new log for HijackThis.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-17-2006, 07:19 AM
|
#16 (permalink) |
|
Registered User
Join Date: Apr 2006
Location: Ohio
Posts: 13
OS: XP
|
New HJT Log
We must be almost there! I'm not getting popups or redirects anymore!! THANK YOU!!
 Logfile of HijackThis v1.99.1 Scan saved at 9:21:50 AM, on 4/17/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\basfipm.exe C:\WINDOWS\system32\drivers\dcfssvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\svchost.exe c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe C:\Program Files\TightVNC\WinVNC.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www-i.globalhomeproducts.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Home Products O1 - Hosts: 165.136.75.230 ghpdd1.globalhomeproducts.com ghpdd1 O1 - Hosts: 165.136.75.245 ghpda1.globalhomeproducts.com ghpda1 O1 - Hosts: 165.136.75.232 ghptd1.globalhomeproducts.com ghptd1 O1 - Hosts: 165.136.75.233 ghpta1.globalhomeproducts.com ghpta1 O1 - Hosts: 165.136.75.234 ghptw1.globalhomeproducts.com ghptw1 O1 - Hosts: 165.136.75.236 ghpmd1.globalhomeproducts.com ghpmd1 O1 - Hosts: 165.136.75.237 ghpmd2.globalhomeproducts.com ghpmd2 O1 - Hosts: 165.136.75.238 ghpma1.globalhomeproducts.com ghpma1 O1 - Hosts: 165.136.75.239 ghpma2.globalhomeproducts.com ghpma2 O1 - Hosts: 165.136.75.240 ghpmw1.globalhomeproducts.com ghpmw1 O1 - Hosts: 165.136.75.241 ghpmw2.globalhomeproducts.com ghpmw2 O1 - Hosts: 165.136.75.130 ghppd1.globalhomeproducts.com ghppd1 O1 - Hosts: 165.136.75.131 ghppd2.globalhomeproducts.com ghppd2 O1 - Hosts: 165.136.75.132 ghppa1.globalhomeproducts.com ghppa1 O1 - Hosts: 165.136.75.133 ghppa2.globalhomeproducts.com ghppa2 O1 - Hosts: 165.136.75.134 ghppw1.globalhomeproducts.com ghppw1 O1 - Hosts: 165.136.75.135 ghppw2.globalhomeproducts.com ghppw2 O1 - Hosts: 165.136.75.136 ghppbi1.globalhomeproducts.com ghppbi1 O1 - Hosts: 165.136.75.137 ghpprpt1.globalhomeproducts.com ghpprpt1 O1 - Hosts: 63.175.54.214 kshare.scglobal.com O1 - Hosts: 126.14.24.61 ehrms.adphc.com O1 - Hosts: 126.14.48.95 ghp.hostedeet.com O1 - Hosts: 126.14.48.165 ghpent.hostedeet.com O1 - Hosts: 155.16.119.20 2200 pscars01.ps.net O1 - Hosts: 155.16.119.30 2200 pscweb01.ps.net O1 - Hosts: 155.16.119.10 2200 opastest01.ps.net O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www-i.globalhomeproducts.com O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.formica.com/qp2.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/YahooDownload/AxLoader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140719415747 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\Software\..\Telephony: DomainName = main.globalhomeproducts.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = main.globalhomeproducts.com O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\vzaccess manager\venturi\Client\ventc.exe O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing) |
|
|
|
|
04-20-2006, 12:48 PM
|
#17 (permalink) |
|
Analyst, Security Team
|
Good job
Your log is clean. To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
| Thread Tools | |
|
|
