Adware...it's gotta be here somewhere...

This is a discussion on Adware...it's gotta be here somewhere... within the Resolved HJT Threads forums, part of the Tech Support Forum category.
Old 08-20-2005, 10:30 AM   #1
Guest
 
Join Date: Aug 2005
Posts: 11
OS:



Hi and thanks for even reading this. I'm having a problem with ads popping up. I've run Ad-Aware, Spybot and CWShredder. I've gone to Trend Micro's website and run their free adware removal. Still, somehow, ads continue to pop up. I ran a Hijackthis log (and used the Hijackthis Analyzer), hoping that someone who understands it can help me. Thank you VERY much in advance. You folks here are awesome. Here's the log.


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at https://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:20:27 AM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://desktop.presario.net/scripts/...LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - https://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - https://zone.msn.com/bingame/apop/def...ploader_v5.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - https://musicstore.connect.com/assets...LStreaming.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - https://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - https://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab


End of KRC HijackThis Analyzer Log.
====================================================================


Thanks again in advance for any help you can provide.
Alex159
Old 08-20-2005, 10:39 AM   #2
TSF Security Team
Emeritus
 
sUBs
Join Date: May 2005
Posts: 26,363
OS: N/A


Please post a raw un-analysed log.

I would also like you to generate a StartupList by going to HijackThis > Config > Misc Tools:
Tick "List also minor sections (full)"
Click on "Generate StartupList log"

Thanks,
sUBs
Old 08-20-2005, 10:49 AM   #3
Guest
 
Join Date: Aug 2005
Posts: 11
OS:


Alrighty, here's the un-analyzed log.

--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:44:21 AM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://desktop.presario.net/scripts/...LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - https://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - https://zone.msn.com/bingame/apop/def...ploader_v5.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - https://musicstore.connect.com/assets...LStreaming.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - https://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - https://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab

--------------------------------------------------------------------------


And here's the StartupList log.

StartupList report, 8/20/05, 11:45:59 AM
StartupList version: 1.52.2
Started from : C:\HJT\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
Service Connection = c:\cpqs\bwtools\sccenter.exe
TaskMonitor = c:\windows\taskmon.exe
LoadQM = loadqm.exe
EM_EXEC = C:\MOUSE\SYSTEM\EM_EXEC.EXE
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\windows\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 20/8/2005, 11:16:14)

[rename]
NUL=C:\PROGRA~1\TRENDM~1\ANTISP~1\SSENGINE.DLL
NUL=C:\WINDOWS\APPLIC~1\TRENDM~1\ANTISP~1\TMP\3
NUL=C:\WINDOWS\DESKTOP\TMAS-W~1.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI
IF ERRORLEVEL 1 PAUSE

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
DOS=HIGH,UMB,AUTO
FILESHIGH=80
BUFFERSHIGH=40,4
DEVICEHIGH=C:\WINDOWS\SYSTEM\CPQIDECD.SYS /D:IDECD001
SHELL=C:\COMMAND.COM /P /E:2048

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

c:\mouse\mouse.exe
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:IDECD001 /M:12
C:\SBPCI\SBINIT

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = https://fpdownload.macromedia.com/pub...sh/swflash.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = https://download.microsoft.com/downlo...22/wmv9VCM.CAB

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE = https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

[IWinAmpActiveX Class]
InProcServer32 = C:\PROGRAM FILES\COMMON FILES\NULLSOFT\ACTIVEX\2.0\AMPX.DLL
CODEBASE = https://cdn.digitalcity.com/_media/dalaillama/ampx.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = https://zone.msn.com/bingame/apop/def...ploader_v5.cab

[MALPlaybackCtrl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SMALPLAYBACKCTRL.OCX
CODEBASE = https://musicstore.connect.com/assets...LStreaming.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = https://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab

[IWinAmpActiveX Class]
InProcServer32 = C:\PROGRA~1\COMMON~1\NULLSOFT\ACTIVEX\2.4\AMPX.DLL
CODEBASE = https://pdl.stream.aol.com/downloads/...ampx_en_dl.cab

[MiniBugTransporterX Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MINIBUGTRANSPORTER.DLL
CODEBASE = https://wdownload.weatherbug.com/mini...ansporter.cab?

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = https://us.dl1.yimg.com/download.yaho...st20040510.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX
CODEBASE = https://housecall60.trendmicro.com/housecall/xscan60.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

INTTAP = C:\WINDOWS\SYSTEM\INTTAP.exe

--------------------------------------------------

End of report, 7,888 bytes
Report generated in 0.122 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Alex159
Old 08-20-2005, 11:18 AM   #4
TSF Security Team
Emeritus
 
sUBs
Join Date: May 2005
Posts: 26,363
OS: N/A


You do not appear to have an anti-virus application installed on this machine. Let's start off by getting you a free yet effective antivirus program. Please choose one from any of these 3 programs, which are free for home use:
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download & Install CleanUp!


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad; it may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

  1. Go to Start > Run - type REGEDIT
  2. Go to File > Export & save the Registry somewhere as a backup.
  3. After you have done that, navigate to this key:
     HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  4. Right-click & delete the subkey - INTTAP
  5. Close the Registry Editor when you've finished

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Have HijackThis Fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.globalefinder.com/sp2.php
R3 - Default URLSearchHook is missing
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - https://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - https://musicstore.connect.com/asset...ALStreaming.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://wdownload.weatherbug.com/min...ransporter.cab?



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of hidden files:
From Windows Explorer, go to Tools > Folder Options > View tab.
  • Enable - Show all files and folders
Click Yes to confirm & then click OK.

Locate and delete the following file:
  • C:\WINDOWS\SYSTEM\INTTAP.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CleanUp! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Reconnect your internet connection & perform an online scan in Internet Explorer with Panda ActiveScan:
  1. Click [Scan your PC] & a pop-up window will appear. *Ensure that your pop-up blocker doesn't block it.
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now] ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on See report. Then click Save report.
Post the contents of the report in your next reply.

*You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
*Turn off the real-time scanner of any existing antivirus program while performing the online scan.


I would also require a fresh HJT log.
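As an added example (not code from this thread, from HijackThis, or from the forum's helpers), here is a small Python triage script that parses the R1/R3/O4/O16 line formats shown in the logs above and flags the same entry classes sUBs told the poster to fix: search settings redirected to an unknown host, the missing default URLSearchHook, an autorun placed under the Policies\Explorer\Run key, and O16 ActiveX controls fetched from unlisted hosts. The allowlists and the sample log (shaped like the thread's log; the O4 Policies line is constructed in HijackThis O4 form from the StartupList output) are assumptions for illustration.

```python
"""Triage of HijackThis-style log lines, modelled on the entry classes fixed in this thread.

Added example (assumed format; not HijackThis or forum code). The allowlists and
the constructed SAMPLE_LOG below are assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Hosts a search-related R1 setting may legitimately point at (assumed allowlist).
KNOWN_SEARCH_HOSTS = {"www.yahoo.com", "us.rd.yahoo.com", "www.google.com", "search.msn.com"}
# Hosts whose O16 "Download Program Files" ActiveX controls are expected (assumed allowlist).
KNOWN_DPF_HOSTS = {"housecall60.trendmicro.com", "fpdownload.macromedia.com",
                   "download.microsoft.com", "www.pandasoftware.com"}

# Constructed sample, shaped like the log in this thread (the forum shortened URLs with "...").
# The O4 Policies line is constructed in HijackThis O4 form from the StartupList output above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://www.globalefinder.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.globalefinder.com/sp2.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Policies\Explorer\Run: [INTTAP] C:\WINDOWS\SYSTEM\INTTAP.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - https://wdownload.weatherbug.com/mini...ansporter.cab?
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[^}]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "R1"
    reason: str  # why the entry deserves attention
    line: str    # the original log line


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an entry worth reviewing, or None for an unremarkable one."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "R1" and " = " in body:
        # R1 body: <registry key>,<value name> = <data>
        setting, data = body.rsplit(" = ", 1)
        host = host_of(data)
        if "search" in setting.lower() and host not in KNOWN_SEARCH_HOSTS:
            value_name = setting.split(",", 1)[-1]
            return Finding(code, f"search setting {value_name} points at unknown host {host}", line)
    elif code == "R3" and "URLSearchHook is missing" in body:
        return Finding(code, "default URLSearchHook is missing (fixing the entry restores it)", line)
    elif code == "O4":
        m4 = O4_RE.match(body)
        # Autoruns under a Policies key survive a tidy-up of the usual Run keys, so call them out.
        if m4 and "policies\\explorer\\run" in m4.group("hive").lower():
            return Finding(code, f"autorun [{m4.group('name')}] under a Policies Run key: {m4.group('cmd')}", line)
    elif code == "O16":
        m16 = O16_RE.match(body)
        if m16 and host_of(m16.group("url")) not in KNOWN_DPF_HOSTS:
            return Finding(code, f"ActiveX control downloaded from unlisted host {host_of(m16.group('url'))}", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Triage every line of a log, preserving log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.code}: {finding.reason}")
```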
Old 08-20-2005, 10:43 PM   #5
Guest
 
Join Date: Aug 2005
Posts: 11
OS:


Alright, I did what you suggested and here's what I have so far. First, the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:40:33 PM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://desktop.presario.net/scripts/...LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - https://zone.msn.com/bingame/apop/def...ploader_v5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - https://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - https://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://www.pandasoftware.com/actives...ree/asinst.cab
--------------------------------------------------------------------------


And here's the Panda Active Scan log.


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WGDAP32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SRGE.DLL
Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
Adware:adware/enhsrch No disinfected C:\WINDOWS\dinst.exe
Adware:adware/savenow No disinfected C:\WINDOWS\ALL USERS\APPLICATION DATA\nsv
Adware:adware/delfinmedia No disinfected C:\WINDOWS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/apropos No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DRRAW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DJRAW16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DWGSIG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WG2_32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RKCLTC1.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\n9058rq5.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MRVIDC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GSOUPPOL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\sRge.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Imv16.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lskrn13n.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SYDOC401.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RLGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CPASPI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mvtext40.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mvwmdm.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RFAPH.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\FCAMEBUF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SGDOC401.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WGDAP32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DPCPCSVC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CAGMGR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mjltus40.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MTRECR40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MUSHRUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MPCMS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mxpmsp.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\JMVAEE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\KZRNEL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\demasf.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WZTSECUR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav22A1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav22E6.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6021.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav61A5.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8101.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8103.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8112.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8114.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8120.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8124.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8131.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8134.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8140.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8142.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8145.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8151.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8153.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8160.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8161.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8164.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8170.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8172.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8175.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8182.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8191.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8195.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81A1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81D3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81E0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81E3.TMP
Adware:Adware/QoolShown No disinfected C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\utrt.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING32.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/QoolShown No disinfected C:\WINDOWS\gvwvv.dat
Adware:Adware/QoolShown No disinfected C:\WINDOWS\fgfggsk.dll
Adware:Adware/MyDailyHoroscopeNo disinfected C:\WINDOWS\setup_silent_26223.exe
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\xodooar.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\banner.dll
Adware:Adware/EnhSrch No disinfected C:\WINDOWS\dinst.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\xdsddp.exe
Adware:Adware/ISearch No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg.exe
Adware:Adware/eZula No disinfected C:\Program Files\WAV to MP3 Encoder\mm332.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7395.TMP\ProxyStub.dll
Adware:Adware/nCase No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73B5.TMP
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8002.TMP
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050819175611.zip[RemoveDisplayUtility.exe]


Thanks for all your help so far. I really appreciate it.
Alex159 is offline  
Old 08-21-2005, 01:14 AM   #6
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp!.exe - Install.

KillBox v2.0.0.175.zip

WinPfind.zip

TrackQoo.zip

L2m9Xfix.exe

DSRFIX


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
  • C:\WINDOWS\SYSTEM\WGDAP32.DLL
    C:\WINDOWS\SYSTEM\SRGE.DLL
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\SYSTEM\DRRAW.DLL
    C:\WINDOWS\SYSTEM\DJRAW16.DLL
    C:\WINDOWS\SYSTEM\DWGSIG.DLL
    C:\WINDOWS\SYSTEM\WG2_32.DLL
    C:\WINDOWS\SYSTEM\RKCLTC1.DLL
    C:\WINDOWS\SYSTEM\UpdInst.exe
    C:\WINDOWS\SYSTEM\n9058rq5.exe
    C:\WINDOWS\SYSTEM\MRVIDC32.DLL
    C:\WINDOWS\SYSTEM\GSOUPPOL.DLL
    C:\WINDOWS\SYSTEM\sRge.dll
    C:\WINDOWS\SYSTEM\Imv16.dll
    C:\WINDOWS\SYSTEM\lskrn13n.dll
    C:\WINDOWS\SYSTEM\SYDOC401.DLL
    C:\WINDOWS\SYSTEM\RLGWIZC.DLL
    C:\WINDOWS\SYSTEM\CPASPI.DLL
    C:\WINDOWS\SYSTEM\mvtext40.dll
    C:\WINDOWS\SYSTEM\mvwmdm.dll
    C:\WINDOWS\SYSTEM\RFAPH.DLL
    C:\WINDOWS\SYSTEM\FCAMEBUF.DLL
    C:\WINDOWS\SYSTEM\SGDOC401.DLL
    C:\WINDOWS\SYSTEM\WGDAP32.DLL
    C:\WINDOWS\SYSTEM\DPCPCSVC.DLL
    C:\WINDOWS\SYSTEM\CAGMGR32.DLL
    C:\WINDOWS\SYSTEM\mjltus40.dll
    C:\WINDOWS\SYSTEM\MTRECR40.DLL
    C:\WINDOWS\SYSTEM\MUSHRUI.DLL
    C:\WINDOWS\SYSTEM\MPCMS.DLL
    C:\WINDOWS\SYSTEM\mxpmsp.dll
    C:\WINDOWS\SYSTEM\JMVAEE.DLL
    C:\WINDOWS\SYSTEM\KZRNEL32.DLL
    C:\WINDOWS\SYSTEM\demasf.dll
    C:\WINDOWS\SYSTEM\WZTSECUR.DLL
    C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\utrt.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING32.exe
    C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe
    C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
    C:\WINDOWS\gvwvv.dat
    C:\WINDOWS\fgfggsk.dll
    C:\WINDOWS\setup_silent_26223.exe
    C:\WINDOWS\ru.exe
    C:\WINDOWS\xodooar.exe
    C:\WINDOWS\banner.dll
    C:\WINDOWS\dinst.exe
    C:\WINDOWS\xdsddp.exe
    C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg.exe
    C:\Program Files\WAV to MP3 Encoder\mm332.exe
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7395.TMP\ProxyStub.dll
    C:\Program Files\Yahoo!\YPSR\Quarantine\20050819175611.zip
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:
If you receive a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Double click on dsrfix.zip & extract the contents to a new folder
Open the folder & double-click on dsrfix.bat
Once dsrfix has completed, it will close on its own


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Enable - Show hidden files and folders
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\WINDOWS\ALL USERS\APPLICATION DATA\nsv
    C:\WINDOWS\ALL USERS\APPLICATION DATA\vidctrl
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CleanUp! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double-click WinPFind.zip & extract the contents to a new folder at Drive C.

1. From within that folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!

** This program will scan a large number of files on your computer for known patterns, so please be patient while it works; it can take a while, upwards of 30 minutes or more.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double-click L2m9Xfix.exe & extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

When it finishes, it will create a log - log.txt file which should be in the same folder as RunThis.bat.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform another online scan with Internet Explorer with Panda ActiveScan


REBOOT AGAIN & extract the contents of TrackQoo.zip & double-click on TrackQoo1.vbs. Wait a few seconds and a Notepad window will pop up. Copy & paste those results in your next reply.
* If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • L2m9Xfix's log
  • WinPfind
  • TrackQoo1.vbs
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

sUBs is offline  
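Added example (not code from this thread, nor from Panda ActiveScan, WinPFind or KillBox): a Python script that does the triage the reply above does by hand. It parses ActiveScan "No disinfected" lines into a deduplicated delete list (collapsing case variants of one path, dropping registry-only hits, and pointing at the containing archive for a hit inside a .zip) and groups WinPFind hits that share size and timestamp, which is what marks the randomly named SYSTEM DLLs as one family. The embedded log excerpts are constructed in the formats quoted in this thread, and those line formats are an assumption taken from the quotes.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# ActiveScan line: "<Kind>:<Family> No disinfected <Location>". The family is
# sometimes glued to the status ("...HoroscopeNo disinfected"), so it is matched
# lazily and the space before "No" is optional.
PANDA_LINE = re.compile(r"^(?P<kind>\w+):(?P<family>\S+?)\s*No disinfected\s+(?P<location>.+?)\s*$")
# WinPFind line: "<pattern> <m/d/yy> <h:mm:ss> <AM|PM> <size> <path>".
WINPFIND_LINE = re.compile(
    r"^(?P<pattern>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s[AP]M)\s+(?P<size>\d+)\s+(?P<path>.+?)\s*$"
)
# ActiveScan reports a hit inside an archive as "archive.zip[member]".
ARCHIVE_MEMBER = re.compile(r"^(?P<archive>.+?\.(?:zip|cab|rar))\[[^\]]*\]$", re.IGNORECASE)


class Incident(NamedTuple):
    kind: str      # "Adware" or "Spyware"
    family: str    # case-folded, e.g. "adware/look2me"
    location: str  # file path, or "Windows Registry"


def parse_panda(text: str) -> List[Incident]:
    """Parse ActiveScan incident lines; headers and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            found.append(Incident(m["kind"], m["family"].lower(), m["location"]))
    return found


def killbox_list(incidents: List[Incident]) -> List[str]:
    """Unique file paths for a delete-on-reboot list, in first-seen order: paths
    are compared case-insensitively, registry hits have no file to delete, and a
    hit inside an archive is replaced by the archive itself (as in the list above)."""
    seen, paths = set(), []
    for inc in incidents:
        loc = inc.location
        if loc.lower() == "windows registry":
            continue
        m = ARCHIVE_MEMBER.match(loc)
        if m:
            loc = m["archive"]
        if loc.lower() not in seen:
            seen.add(loc.lower())
            paths.append(loc)
    return paths


def family_counts(incidents: List[Incident]) -> Dict[str, int]:
    """Distinct locations reported per family, case-folded on both sides."""
    per_family = defaultdict(set)
    for inc in incidents:
        per_family[inc.family].add(inc.location.lower())
    return {fam: len(locs) for fam, locs in per_family.items()}


def winpfind_clusters(text: str, min_size: int = 2) -> Dict[Tuple[str, str, str], List[str]]:
    """Group WinPFind hits by (size, date, time): a dropper that writes many
    randomly named DLLs in one pass leaves files of identical size and timestamp,
    so the cluster exposes the family even though the names carry no signal."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = WINPFIND_LINE.match(line.strip())
        if m:
            path, key = m["path"].lower(), (m["size"], m["date"], m["time"])
            if path not in groups[key]:
                groups[key].append(path)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


# Constructed excerpts in the formats of the two logs quoted in this thread.
SAMPLE_PANDA = r"""Incident Status Location
Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
Adware:adware/apropos No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MTRECR40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MUSHRUI.DLL
Adware:Adware/MyDailyHoroscopeNo disinfected C:\WINDOWS\setup_silent_26223.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050819175611.zip[RemoveDisplayUtility.exe]
"""
SAMPLE_WINPFIND = r"""Checking %System% folder...
Umonitor 8/18/05 1:47:22 PM 405504 c:\windows\SYSTEM\DRRAW.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\DJRAW16.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\WG2_32.DLL
SAHAgent 6/14/05 8:34:14 AM 203264 c:\windows\SYSTEM\n9058rq5.exe
"""

if __name__ == "__main__":
    incidents = parse_panda(SAMPLE_PANDA)
    print("delete list:", *killbox_list(incidents), sep="\n  ")
    print("per family:", family_counts(incidents))
    for key, paths in winpfind_clusters(SAMPLE_WINPFIND).items():
        print("same size/timestamp", key, "->", paths)
```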
Old 08-21-2005, 09:39 PM   #7
Guest
 
Join Date: Aug 2005
Posts: 11
OS:


Alright, so I think I did everything just as you said. The only problem I ran into was when I tried to run TrackQoo1.vbs. It gives me this error message:

File name or class name not found during Automation operation: 'GetObject'

After browsing around on the internet for 5-10 minutes I didn't have any signs of the pop-ups that I was having before, which is definitely an improvement. Here are the logs you asked for.

Hijack this:
Logfile of HijackThis v1.99.1
Scan saved at 10:29:08 PM, on 8/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://desktop.presario.net/scripts/...LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - https://zone.msn.com/bingame/apop/def...ploader_v5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - https://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - https://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://www.pandasoftware.com/actives...ree/asinst.cab

--------------------------------------------------------------------------


Panda Active Scan



Incident Status Location

Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
Adware:adware/enhsrch No disinfected C:\WINDOWS\dinst.exe
Adware:adware/apropos No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\n9058rq5.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\utrt.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING32.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/QoolShown No disinfected C:\WINDOWS\gvwvv.dat
Adware:Adware/QoolShown No disinfected C:\WINDOWS\fgfggsk.dll
Adware:Adware/MyDailyHoroscopeNo disinfected C:\WINDOWS\setup_silent_26223.exe
Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\xodooar.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\banner.dll
Adware:Adware/EnhSrch No disinfected C:\WINDOWS\dinst.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\xdsddp.exe
Adware:Adware/ISearch No disinfected C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg.exe
Adware:Adware/eZula No disinfected C:\Program Files\WAV to MP3 Encoder\mm332.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7395.TMP\ProxyStub.dll
Adware:Adware/nCase No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73B5.TMP
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8002.TMP
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20050819175611.zip[RemoveDisplayUtility.exe]
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\CAGMGR32.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\CAMCAT.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\CML3d.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\CPASPI.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\demasf.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\DJRAW16.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\DPCPCSVC.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\DRRAW.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\DWGSIG.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\FANTEXT.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\FCAMEBUF.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\GSOUPPOL.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\Imv16.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\JMVAEE.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\KZRNEL32.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\lskrn13n.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\mjltus40.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\MPCMS.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\MRVIDC32.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\MTRECR40.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\MUSHRUI.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\mvtext40.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\mvwmdm.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\mxpmsp.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\RFAPH.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\RKCLTC1.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\RLGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\SGDOC401.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\sRge.dll
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\SYDOC401.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\WG2_32.DLL
Adware:Adware/Look2Me No disinfected C:\l2m9xfix\backups\WZTSECUR.DLL

--------------------------------------------------------------------------


Log of L2M9XFix v1

************

Running from directory:
C:\l2m9xfix

************

Files found:

C:\WINDOWS\system\CAGMGR32.DLL
C:\WINDOWS\system\CAGMGR32.DLL
C:\WINDOWS\system\CAGMGR32.DLL
C:\WINDOWS\system\CAGMGR32.DLL
C:\WINDOWS\system\CAMCAT.DLL
C:\WINDOWS\system\CAMCAT.DLL
C:\WINDOWS\system\CAMCAT.DLL
C:\WINDOWS\system\CAMCAT.DLL
C:\WINDOWS\system\CML3d.DLL
C:\WINDOWS\system\CML3d.DLL
C:\WINDOWS\system\CML3d.DLL
C:\WINDOWS\system\CML3d.DLL
C:\WINDOWS\system\CPASPI.DLL
C:\WINDOWS\system\CPASPI.DLL
C:\WINDOWS\system\CPASPI.DLL
C:\WINDOWS\system\CPASPI.DLL
C:\WINDOWS\system\demasf.dll
C:\WINDOWS\system\demasf.dll
C:\WINDOWS\system\demasf.dll
C:\WINDOWS\system\demasf.dll
C:\WINDOWS\system\DJRAW16.DLL
C:\WINDOWS\system\DJRAW16.DLL
C:\WINDOWS\system\DJRAW16.DLL
C:\WINDOWS\system\DJRAW16.DLL
C:\WINDOWS\system\DPCPCSVC.DLL
C:\WINDOWS\system\DPCPCSVC.DLL
C:\WINDOWS\system\DPCPCSVC.DLL
C:\WINDOWS\system\DPCPCSVC.DLL
C:\WINDOWS\system\DRRAW.DLL
C:\WINDOWS\system\DRRAW.DLL
C:\WINDOWS\system\DRRAW.DLL
C:\WINDOWS\system\DRRAW.DLL
C:\WINDOWS\system\DWGSIG.DLL
C:\WINDOWS\system\DWGSIG.DLL
C:\WINDOWS\system\DWGSIG.DLL
C:\WINDOWS\system\DWGSIG.DLL
C:\WINDOWS\system\FANTEXT.DLL
C:\WINDOWS\system\FANTEXT.DLL
C:\WINDOWS\system\FANTEXT.DLL
C:\WINDOWS\system\FANTEXT.DLL
C:\WINDOWS\system\FCAMEBUF.DLL
C:\WINDOWS\system\FCAMEBUF.DLL
C:\WINDOWS\system\FCAMEBUF.DLL
C:\WINDOWS\system\FCAMEBUF.DLL
C:\WINDOWS\system\GSOUPPOL.DLL
C:\WINDOWS\system\GSOUPPOL.DLL
C:\WINDOWS\system\GSOUPPOL.DLL
C:\WINDOWS\system\GSOUPPOL.DLL
C:\WINDOWS\system\Imv16.dll
C:\WINDOWS\system\Imv16.dll
C:\WINDOWS\system\Imv16.dll
C:\WINDOWS\system\Imv16.dll
C:\WINDOWS\system\JMVAEE.DLL
C:\WINDOWS\system\JMVAEE.DLL
C:\WINDOWS\system\JMVAEE.DLL
C:\WINDOWS\system\JMVAEE.DLL
C:\WINDOWS\system\KZRNEL32.DLL
C:\WINDOWS\system\KZRNEL32.DLL
C:\WINDOWS\system\KZRNEL32.DLL
C:\WINDOWS\system\KZRNEL32.DLL
C:\WINDOWS\system\lskrn13n.dll
C:\WINDOWS\system\lskrn13n.dll
C:\WINDOWS\system\lskrn13n.dll
C:\WINDOWS\system\lskrn13n.dll
C:\WINDOWS\system\mjltus40.dll
C:\WINDOWS\system\mjltus40.dll
C:\WINDOWS\system\mjltus40.dll
C:\WINDOWS\system\mjltus40.dll
C:\WINDOWS\system\MPCMS.DLL
C:\WINDOWS\system\MPCMS.DLL
C:\WINDOWS\system\MPCMS.DLL
C:\WINDOWS\system\MPCMS.DLL
C:\WINDOWS\system\MRVIDC32.DLL
C:\WINDOWS\system\MRVIDC32.DLL
C:\WINDOWS\system\MRVIDC32.DLL
C:\WINDOWS\system\MRVIDC32.DLL
C:\WINDOWS\system\MTRECR40.DLL
C:\WINDOWS\system\MTRECR40.DLL
C:\WINDOWS\system\MTRECR40.DLL
C:\WINDOWS\system\MTRECR40.DLL
C:\WINDOWS\system\MUSHRUI.DLL
C:\WINDOWS\system\MUSHRUI.DLL
C:\WINDOWS\system\MUSHRUI.DLL
C:\WINDOWS\system\MUSHRUI.DLL
C:\WINDOWS\system\mvtext40.dll
C:\WINDOWS\system\mvtext40.dll
C:\WINDOWS\system\mvtext40.dll
C:\WINDOWS\system\mvtext40.dll
C:\WINDOWS\system\mvwmdm.dll
C:\WINDOWS\system\mvwmdm.dll
C:\WINDOWS\system\mvwmdm.dll
C:\WINDOWS\system\mvwmdm.dll
C:\WINDOWS\system\mxpmsp.dll
C:\WINDOWS\system\mxpmsp.dll
C:\WINDOWS\system\mxpmsp.dll
C:\WINDOWS\system\mxpmsp.dll
C:\WINDOWS\system\RFAPH.DLL
C:\WINDOWS\system\RFAPH.DLL
C:\WINDOWS\system\RFAPH.DLL
C:\WINDOWS\system\RFAPH.DLL
C:\WINDOWS\system\RKCLTC1.DLL
C:\WINDOWS\system\RKCLTC1.DLL
C:\WINDOWS\system\RKCLTC1.DLL
C:\WINDOWS\system\RKCLTC1.DLL
C:\WINDOWS\system\RLGWIZC.DLL
C:\WINDOWS\system\RLGWIZC.DLL
C:\WINDOWS\system\RLGWIZC.DLL
C:\WINDOWS\system\RLGWIZC.DLL
C:\WINDOWS\system\SGDOC401.DLL
C:\WINDOWS\system\SGDOC401.DLL
C:\WINDOWS\system\SGDOC401.DLL
C:\WINDOWS\system\SGDOC401.DLL
C:\WINDOWS\system\sRge.dll
C:\WINDOWS\system\sRge.dll
C:\WINDOWS\system\sRge.dll
C:\WINDOWS\system\sRge.dll
C:\WINDOWS\system\SYDOC401.DLL
C:\WINDOWS\system\SYDOC401.DLL
C:\WINDOWS\system\SYDOC401.DLL
C:\WINDOWS\system\SYDOC401.DLL
C:\WINDOWS\system\WG2_32.DLL
C:\WINDOWS\system\WG2_32.DLL
C:\WINDOWS\system\WG2_32.DLL
C:\WINDOWS\system\WG2_32.DLL
C:\WINDOWS\system\WZTSECUR.DLL
C:\WINDOWS\system\WZTSECUR.DLL
C:\WINDOWS\system\WZTSECUR.DLL
C:\WINDOWS\system\WZTSECUR.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{988A8960-0FEE-11DA-A1F4-0001029209D1}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\SRGE.DLL"
[HKEY_CLASSES_ROOT\CLSID\{988A8960-0FEE-11DA-A1F4-0001029209D1}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\SRGE.DLL"
[HKEY_CLASSES_ROOT\CLSID\{988A8960-0FEE-11DA-A1F4-0001029209D1}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\SRGE.DLL"
[HKEY_CLASSES_ROOT\CLSID\{988A8960-0FEE-11DA-A1F4-0001029209D1}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\SRGE.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F9F62AC0-CDF5-94B7-3FCB-1CCBB2EA42E0}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!


--------------------------------------------------------------------------

WinPFind
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
SAHAgent 8/21/05 3:37:10 PM 7696416 c:\windows\SYSTEM.DAT
winsync 8/21/05 3:37:10 PM 7696416 c:\windows\SYSTEM.DAT
69.59.186.63 8/18/05 11:07:12 PM 46080 c:\windows\fgfggsk.dll
209.66.67.134 8/18/05 11:07:12 PM 46080 c:\windows\fgfggsk.dll
web-nex 8/18/05 11:07:12 PM 46080 c:\windows\fgfggsk.dll
winsync 8/18/05 11:07:12 PM 46080 c:\windows\fgfggsk.dll
UPX! 10/20/04 10:53:10 PM 83178 c:\windows\setup_silent_26223.exe

Items found in c:\windows\hosts

UPX! 7/25/05 4:41:52 PM 113048 c:\windows\invitessk.exe
UPX! 8/18/05 2:28:32 PM 82432 c:\windows\ru.exe
PECompact2 8/18/05 2:24:00 PM 15636721 c:\windows\VPTNFILE.791
qoologic 8/18/05 2:24:00 PM 15636721 c:\windows\VPTNFILE.791
SAHAgent 8/18/05 2:24:00 PM 15636721 c:\windows\VPTNFILE.791
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
69.59.186.63 8/18/05 11:07:14 PM 10240 c:\windows\rbebb.dll
209.66.67.134 8/18/05 11:07:14 PM 10240 c:\windows\rbebb.dll
web-nex 8/18/05 11:07:14 PM 10240 c:\windows\rbebb.dll
winsync 8/18/05 11:07:14 PM 10240 c:\windows\rbebb.dll
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 8/18/05 2:24:00 PM 15636721 c:\windows\lpt$vpn.791
qoologic 8/18/05 2:24:00 PM 15636721 c:\windows\lpt$vpn.791
SAHAgent 8/18/05 2:24:00 PM 15636721 c:\windows\lpt$vpn.791
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll

Checking %System% folder...
Umonitor 8/18/05 1:47:22 PM 405504 c:\windows\SYSTEM\DRRAW.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\DJRAW16.DLL
Umonitor 8/18/05 1:47:22 PM 405504 c:\windows\SYSTEM\DWGSIG.DLL
PEC2 2/14/97 11:24:14 PM 197171 c:\windows\SYSTEM\Dwapilib.tlb
SAHAgent 7/30/05 11:10:42 AM 3503 c:\windows\SYSTEM\n9058rq5.ini
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\WG2_32.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\RKCLTC1.DLL
SAHAgent 7/30/05 10:28:34 AM 35 c:\windows\SYSTEM\msfmg5cg.ini
SAHAgent 6/14/05 8:34:14 AM 203264 c:\windows\SYSTEM\n9058rq5.exe
Umonitor 8/18/05 1:47:22 PM 405504 c:\windows\SYSTEM\MRVIDC32.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\GSOUPPOL.DLL
SAHAgent 7/30/05 10:28:34 AM 35 c:\windows\SYSTEM\84noplkf.ini
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\Imv16.dll
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\lskrn13n.dll
UPX! 2/23/03 5:59:38 PM 77312 c:\windows\SYSTEM\kegbtdvr.exe
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\SYDOC401.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\RLGWIZC.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\CPASPI.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mvtext40.dll
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mvwmdm.dll
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\RFAPH.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\FCAMEBUF.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\SGDOC401.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\FANTEXT.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\DPCPCSVC.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\CAGMGR32.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mjltus40.dll
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\MTRECR40.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\MUSHRUI.DLL
UPX! 8/18/05 5:05:30 PM 68096 c:\windows\SYSTEM\qttexl.exe
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\MPCMS.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mxpmsp.dll
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\JMVAEE.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\KZRNEL32.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\demasf.dll
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\WZTSECUR.DLL
Umonitor 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\CML3d.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/21/05 3:42:14 PM 7696416 c:\windows\SYSTEM.DAT
H 8/21/05 3:39:36 PM 1204256 c:\windows\USER.DAT
H 8/20/05 11:40:26 AM 54156 c:\windows\QTFont.qfn
H 8/20/05 11:46:02 PM 14329 c:\windows\ttfCache
SH 8/18/05 2:28:32 PM 82432 c:\windows\ru.exe
H 8/20/05 11:45:58 PM 915901 c:\windows\ShellIconCache
S 8/18/05 1:47:22 PM 405504 c:\windows\SYSTEM\DRRAW.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\DJRAW16.DLL
H 7/16/05 8:10:02 PM 8628 c:\windows\SYSTEM\HPF72t06.GID
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\WG2_32.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\RKCLTC1.DLL
S 8/18/05 1:47:22 PM 405504 c:\windows\SYSTEM\MRVIDC32.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\GSOUPPOL.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\sRge.dll
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\lskrn13n.dll
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\SYDOC401.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\RLGWIZC.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\CPASPI.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mvtext40.dll
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mvwmdm.dll
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\RFAPH.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\FCAMEBUF.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\SGDOC401.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\CAMCAT.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\FANTEXT.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\DPCPCSVC.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\CAGMGR32.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mjltus40.dll
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\MTRECR40.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\MUSHRUI.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\MPCMS.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\mxpmsp.dll
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\JMVAEE.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\KZRNEL32.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\demasf.dll
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\WZTSECUR.DLL
S 8/18/05 1:50:18 PM 405504 c:\windows\SYSTEM\CML3d.DLL
SH 8/21/05 3:36:44 PM 1309 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
H 8/20/05 11:32:40 AM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata00.sqm
H 7/4/05 12:26:02 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata01.sqm
H 7/4/05 11:14:00 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata02.sqm
H 7/4/05 11:14:02 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata03.sqm
H 7/4/05 11:14:16 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata04.sqm
H 7/4/05 11:14:36 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata05.sqm
H 7/4/05 11:14:42 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata06.sqm
H 7/4/05 11:14:52 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata07.sqm
H 7/5/05 10:50:10 AM 460 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata08.sqm
H 7/5/05 10:54:02 AM 1096 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata09.sqm
H 7/5/05 10:54:04 AM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata10.sqm
H 7/6/05 1:19:26 PM 472 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata11.sqm
H 7/6/05 1:19:32 PM 424 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata12.sqm
H 7/6/05 1:19:40 PM 412 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata13.sqm
H 7/6/05 1:22:38 PM 340 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata14.sqm
H 7/6/05 1:23:56 PM 1132 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata15.sqm
H 7/6/05 1:23:56 PM 340 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata16.sqm
H 7/7/05 10:28:32 AM 1168 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata17.sqm
H 7/7/05 10:28:32 AM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata18.sqm
H 7/7/05 3:32:22 PM 1120 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata19.sqm
SH 7/25/05 10:27:22 AM 135680 c:\windows\All Users\DRM\drmv2.lic
SH 8/18/05 12:39:32 PM 36352 c:\windows\All Users\DRM\drmv2.sst
SH 7/25/05 10:27:22 AM 16384 c:\windows\All Users\DRM\drmv2.licIndex
H 8/21/05 3:36:34 PM 6 c:\windows\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 c:\windows\SYSTEM\JOY.CPL
1/27/00 1:18:10 PM 65536 c:\windows\SYSTEM\CPQDIAG.CPL
Microsoft Corporation 2/2/05 7:31:24 PM 41232 c:\windows\SYSTEM\odbccp32.cpl
Microsoft Corporation 2/10/99 3:48:48 AM 40960 c:\windows\SYSTEM\FINDFAST.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 c:\windows\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 c:\windows\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 c:\windows\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 c:\windows\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 c:\windows\SYSTEM\TIMEDATE.CPL
Compaq Computer Corporation 10/25/99 7:27:44 PM 110592 c:\windows\SYSTEM\UICONFIG.cpl
Compaq Computer Corporation 8/23/99 9:45:08 AM 159744 c:\windows\SYSTEM\OSDCPL.cpl
10/14/99 5:27:06 PM 110592 c:\windows\SYSTEM\cch.cpl
PCtel, Inc. 11/29/99 2:49:10 PM 53760 c:\windows\SYSTEM\PTCTRL.CPL
Apple Computer, Inc. 12/14/03 9:20:50 AM 323072 c:\windows\SYSTEM\QuickTime.cpl
Sun Microsystems, Inc. 12/6/04 9:31:48 PM 49265 c:\windows\SYSTEM\jpicpl32.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
8/20/05 6:07:48 PM 8161 C:\WINDOWS\Application Data\dw.log
2/21/05 9:00:18 PM 32440 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D05-8F11-11d2-804F-00105A133818}
ButtonText = Translate :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D02-8F11-11d2-804F-00105A133818}
MenuText = &Find Pages Linking to this URL :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D03-8F11-11d2-804F-00105A133818}
MenuText = Find Other Pages on this &Host :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRAM FILES\AIM\AIM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
PTSNOOP ptsnoop.exe
Service Connection c:\cpqs\bwtools\sccenter.exe
TaskMonitor c:\windows\taskmon.exe
LoadQM loadqm.exe
EM_EXEC C:\MOUSE\SYSTEM\EM_EXEC.EXE
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
AVG7_CC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
CountrySelection pctptt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SchedulingAgent mstask.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoCDBurning 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


Scan Complete
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/21/05 3:44:09 PM
Old 08-21-2005, 10:07 PM   #8
sUBs
TSF Security Team Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting (if it's not grayed out)
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
  • C:\WINDOWS\dinst.exe
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
    C:\WINDOWS\SYSTEM\UpdInst.exe
    C:\WINDOWS\SYSTEM\n9058rq5.exe
    C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\utrt.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING32.exe
    C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe
    C:\WINDOWS\gvwvv.dat
    C:\WINDOWS\fgfggsk.dll
    C:\WINDOWS\setup_silent_26223.exe
    C:\WINDOWS\ru.exe
    C:\WINDOWS\xodooar.exe
    C:\WINDOWS\banner.dll
    C:\WINDOWS\xdsddp.exe
    C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\MTE2NzY6ODoxNg.exe
    C:\Program Files\WAV to MP3 Encoder\mm332.exe
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7395.TMP\ProxyStub .dll
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73B5.TMP
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8002.TMP
    C:\Program Files\Yahoo!\YPSR\Quarantine\20050819175611.zip
    c:\windows\invitessk.exe
    c:\windows\rbebb.dll
    c:\windows\SYSTEM\Dwapilib.tlb
    c:\windows\SYSTEM\n9058rq5.ini
    c:\windows\SYSTEM\msfmg5cg.ini
    c:\windows\SYSTEM\n9058rq5.exe
    c:\windows\SYSTEM\kegbtdvr.exe
    c:\windows\SYSTEM\qttexl.exe
* Go to the File menu, and choose Paste from Clipboard
* Verify that the filenames you pasted are found there from the dropdown menu next to Full Path of File to Delete field.
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Reboot to Safe Mode

Run CleanUp

Run WinPFind

Post WinPFind & HJT logs
Old 08-22-2005, 09:07 PM   #9
Alex159 (Guest)
Join Date: Aug 2005
Posts: 11
OS:


Here's the Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:03:54 PM, on 8/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://desktop.presario.net/scripts/...LC=0409&c=1c00
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - https://search.presario.net/scripts/r...c=1c00&lc=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - https://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - https://zone.msn.com/bingame/apop/def...ploader_v5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - https://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - https://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - https://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://www.pandasoftware.com/actives...ree/asinst.cab


And here's the WinPFind log.



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
SAHAgent 8/22/05 9:45:04 PM 7696416 c:\windows\SYSTEM.DAT
winsync 8/22/05 9:45:04 PM 7696416 c:\windows\SYSTEM.DAT

Items found in c:\windows\hosts

PECompact2 8/18/05 2:24:00 PM 15636721 c:\windows\VPTNFILE.791
qoologic 8/18/05 2:24:00 PM 15636721 c:\windows\VPTNFILE.791
SAHAgent 8/18/05 2:24:00 PM 15636721 c:\windows\VPTNFILE.791
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 8/18/05 2:24:00 PM 15636721 c:\windows\lpt$vpn.791
qoologic 8/18/05 2:24:00 PM 15636721 c:\windows\lpt$vpn.791
SAHAgent 8/18/05 2:24:00 PM 15636721 c:\windows\lpt$vpn.791
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll

Checking %System% folder...
SAHAgent 7/30/05 10:28:34 AM 35 c:\windows\SYSTEM\84noplkf.ini

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/22/05 9:45:04 PM 7696416 c:\windows\SYSTEM.DAT
H 8/22/05 9:46:06 PM 1204256 c:\windows\USER.DAT
H 8/20/05 11:40:26 AM 54156 c:\windows\QTFont.qfn
H 8/21/05 10:44:32 PM 14329 c:\windows\ttfCache
H 8/22/05 9:42:08 PM 1003272 c:\windows\ShellIconCache
H 7/16/05 8:10:02 PM 8628 c:\windows\SYSTEM\HPF72t06.GID
SH 8/22/05 9:38:58 PM 1309 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
H 8/20/05 11:32:40 AM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata00.sqm
H 7/4/05 12:26:02 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata01.sqm
H 7/4/05 11:14:00 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata02.sqm
H 7/4/05 11:14:02 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata03.sqm
H 7/4/05 11:14:16 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata04.sqm
H 7/4/05 11:14:36 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata05.sqm
H 7/4/05 11:14:42 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata06.sqm
H 7/4/05 11:14:52 PM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata07.sqm
H 7/5/05 10:50:10 AM 460 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata08.sqm
H 7/5/05 10:54:02 AM 1096 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata09.sqm
H 7/5/05 10:54:04 AM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata10.sqm
H 7/6/05 1:19:26 PM 472 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata11.sqm
H 7/6/05 1:19:32 PM 424 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata12.sqm
H 7/6/05 1:19:40 PM 412 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata13.sqm
H 7/6/05 1:22:38 PM 340 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata14.sqm
H 7/6/05 1:23:56 PM 1132 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata15.sqm
H 7/6/05 1:23:56 PM 340 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata16.sqm
H 7/7/05 10:28:32 AM 1168 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata17.sqm
H 7/7/05 10:28:32 AM 352 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata18.sqm
H 7/7/05 3:32:22 PM 1120 c:\windows\Application Data\Microsoft\MSN Messenger\2407475068\sqmdata19.sqm
SH 7/25/05 10:27:22 AM 135680 c:\windows\All Users\DRM\drmv2.lic
SH 8/18/05 12:39:32 PM 36352 c:\windows\All Users\DRM\drmv2.sst
SH 7/25/05 10:27:22 AM 16384 c:\windows\All Users\DRM\drmv2.licIndex
H 8/22/05 9:37:28 PM 6 c:\windows\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 c:\windows\SYSTEM\JOY.CPL
1/27/00 1:18:10 PM 65536 c:\windows\SYSTEM\CPQDIAG.CPL
Microsoft Corporation 2/2/05 7:31:24 PM 41232 c:\windows\SYSTEM\odbccp32.cpl
Microsoft Corporation 2/10/99 3:48:48 AM 40960 c:\windows\SYSTEM\FINDFAST.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 c:\windows\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 c:\windows\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 c:\windows\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 c:\windows\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 c:\windows\SYSTEM\TIMEDATE.CPL
Compaq Computer Corporation 10/25/99 7:27:44 PM 110592 c:\windows\SYSTEM\UICONFIG.cpl
Compaq Computer Corporation 8/23/99 9:45:08 AM 159744 c:\windows\SYSTEM\OSDCPL.cpl
10/14/99 5:27:06 PM 110592 c:\windows\SYSTEM\cch.cpl
PCtel, Inc. 11/29/99 2:49:10 PM 53760 c:\windows\SYSTEM\PTCTRL.CPL
Apple Computer, Inc. 12/14/03 9:20:50 AM 323072 c:\windows\SYSTEM\QuickTime.cpl
Sun Microsystems, Inc. 12/6/04 9:31:48 PM 49265 c:\windows\SYSTEM\jpicpl32.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
8/20/05 6:07:48 PM 8161 C:\WINDOWS\Application Data\dw.log
2/21/05 9:00:18 PM 32440 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D05-8F11-11d2-804F-00105A133818}
ButtonText = Translate :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D02-8F11-11d2-804F-00105A133818}
MenuText = &Find Pages Linking to this URL :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D03-8F11-11d2-804F-00105A133818}
MenuText = Find Other Pages on this &Host :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRAM FILES\AIM\AIM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
PTSNOOP ptsnoop.exe
Service Connection c:\cpqs\bwtools\sccenter.exe
TaskMonitor c:\windows\taskmon.exe
LoadQM loadqm.exe
EM_EXEC C:\MOUSE\SYSTEM\EM_EXEC.EXE
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
AVG7_CC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
CountrySelection pctptt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SchedulingAgent mstask.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoCDBurning 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


Scan Complete
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/22/05 9:57:26 PM
Alex159 is offline  
Old 08-22-2005, 11:55 PM   #10
TSF Security Team
Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A


Don't you just love it when things work well?

Still one file left to delete & we're home free.
Locate & delete this file - c:\windows\SYSTEM\84noplkf.ini


After you have done that, get off your chair & do like this little fella here -> ... jump for joy. Your system is clean.

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

  1. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Enable - Show hidden files and folders
    Click Yes to confirm & then click OK


  2. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level.
        • Change Download signed ActiveX controls to Prompt
        • Change Download unsigned ActiveX controls to Disable
        • Change Initialize and script ActiveX controls not marked as safe to Disable
        • Change Installation of desktop items to Prompt
        • Change Launching programs and files in an IFRAME to Prompt
        • Change Navigate sub-frames across different domains to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  3. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  4. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls and a listing of some available ones can be found here.


  5. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  6. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  7. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, in conjunction with Spybot, just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  8. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here.


  9. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  10. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
sUBs is offline  
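The HOSTS-file mechanism in step 10 above cuts both ways: the same file that sinkholes ad servers to 127.0.0.1 can be altered to point update or security sites at an address the user never chose. As an added example (not from the post, and not the MVPS file itself), here is a small Python audit that parses the HOSTS format and reports which names are sinkholed to loopback versus redirected to a real address; the sample file content and hostnames are constructed.

```python
"""Audit a Windows-style HOSTS file for ad-blocking entries and tampering.

Ad-blocking HOSTS files map ad-server names to 127.0.0.1 (or 0.0.0.0), so
the connection never leaves the machine. Malware uses the same file in the
other direction, mapping update or security-vendor names to a foreign
address. This constructed example parses the format and classifies every
mapping so that unexpected redirects stand out.
"""
from ipaddress import ip_address

# Constructed sample HOSTS content; the ad-network names are placeholders
# and 203.0.113.7 is a documentation-range address, not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adnetwork.test   # [Ad network]
0.0.0.0    tracker.example.test
127.0.0.1  banner.example.test counter.example.test
203.0.113.7  windowsupdate.com          # suspicious: not loopback
this is not a valid line
"""

# Addresses that mean "block": loopback and the unspecified address.
SINKHOLE_ADDRESSES = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # no hostname on this line
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue                           # first token is not an address
        for host in parts[1:]:                 # one address may cover several names
            yield str(addr), host.lower()


def audit_hosts(text):
    """Return blocked names and (name, address) pairs redirected off-box."""
    blocked, redirected = [], []
    for addr, host in parse_hosts(text):
        if host == "localhost":
            continue                           # the one loopback entry that belongs there
        if addr in SINKHOLE_ADDRESSES:
            blocked.append(host)
        else:
            redirected.append((host, addr))
    return {"blocked": blocked, "redirected": redirected}
```

Any name in the `redirected` list deserves a look: a legitimate ad-blocking HOSTS file should contain only sinkhole addresses apart from `localhost`.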
Old 08-23-2005, 10:26 AM   #11
Guest
 
Join Date: Aug 2005
Posts: 11
OS:


Wow thank you so much. I took your advice and installed every program you suggested. I really appreciate all of your help. THANK YOU!!!
Alex159 is offline  