
Registered · 20 Posts · Discussion Starter #1
First let me say that I'm pretty new to this, to say the least. I have, however, done my best to follow all the tips/instructions given before posting my log. Pop-ups are one thing, but it seems I have run into some major issues and could use your help. Thanks in advance for your time!!!

Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:15:27 PM, on 11/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\LDSDSP.EXE
C:\WINDOWS\SYSTEM\NHEPHLF.EXE
C:\PROGRAM FILES\ATAT\WRAR.EXE
C:\PROGRAM FILES\SYSTEM FILES\SYSTEM.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL (file missing)
O2 - BHO: (no name) - {6AAF3979-9465-4393-8753-60550DA67B4D} - C:\WINDOWS\SYSTEM\UEOEDW.DLL (file missing)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {7456419D-F878-E9D9-2DF4-D0F88D93CCC8} - C:\WINDOWS\SYSTEM\YUF.DLL
O2 - BHO: (no name) - {2E07419A-AE2B-E18F-2DF4-D0F88D93CCC9} - C:\WINDOWS\SYSTEM\YUF.DLL
O2 - BHO: (no name) - {C4FDC400-3E07-7CB0-C704-E8D11563891A} - C:\WINDOWS\Vacbnjuz.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL (file missing)
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\SYSTEM\APD123.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\ldsdsp.exe reg_run
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKCU\..\Run: [Xevtfn] C:\WINDOWS\SYSTEM\nhephlf.exe
O4 - HKCU\..\Run: [Elpr] "C:\Program Files\atat\wrar.exe" -vt mt
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\PROGRAM FILES\SPYWARE CLEANER\SPYWARECLEANER.Exe" /boot
O4 - Startup: ncic.exe
O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://mail.tripplite.com/iNotes.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.tripplite.com/iNotes6.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/504941.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\PROGRAM FILES\SYSTEM FILES\PLUGIN.DLL


End of KRC HijackThis Analyzer Log.
 

Registered · 1,462 Posts
Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!
Download Track qoo
  • Save it somewhere you will remember like the Desktop

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Start HijackThis Fix
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6AAF3979-9465-4393-8753-60550DA67B4D} - C:\WINDOWS\SYSTEM\UEOEDW.DLL (file missing)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {7456419D-F878-E9D9-2DF4-D0F88D93CCC8} - C:\WINDOWS\SYSTEM\YUF.DLL
O2 - BHO: (no name) - {2E07419A-AE2B-E18F-2DF4-D0F88D93CCC9} - C:\WINDOWS\SYSTEM\YUF.DLL
O2 - BHO: (no name) - {C4FDC400-3E07-7CB0-C704-E8D11563891A} - C:\WINDOWS\Vacbnjuz.dll
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\SYSTEM\APD123.exe
O4 - HKCU\..\Run: [Xevtfn] C:\WINDOWS\SYSTEM\nhephlf.exe
O4 - HKCU\..\Run: [Elpr] "C:\Program Files\atat\wrar.exe" -vt mt
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\PROGRAM FILES\SYSTEM FILES\PLUGIN.DLL

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\SYSTEM\UEOEDW.DLL
C:\WINDOWS\SYSTEM\YUF.DLL
C:\WINDOWS\Vacbnjuz.dll
C:\WINDOWS\SYSTEM\APD123.exe
C:\WINDOWS\SYSTEM\nhephlf.exe
C:\Program Files\atat\
C:\Program Files\System Files\
C:\WINDOWS\SYSTEM\ms.exe


Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up. Copy & Paste those results and place them in the next post along with the results of WinPFind!
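
A small triage script for the HijackThis log format used throughout this thread, added here as an example (it is not part of the thread and is not HijackThis or KRC Analyzer code). It applies the kind of rules the fix list above embodies (unnamed BHOs, Trusted Zone additions, DPF entries that pull a bare .exe, a text/html filter, Run entries not on an allowlist) to a subset of lines from the poster's first log; the allowlist of known-good Run labels and the two severity levels are assumptions of this example.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example, not part of the thread or of HijackThis/KRC Analyzer.
The rules mirror the kinds of entries the helper ticked in the fix list
above; the allowlist of known-good Run labels is our own assumption.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O16"
    severity: str  # "high": fix it; "review": verify the file before acting
    reason: str
    line: str


# Run-key labels the analyzer output above attributed to Norton and
# InstallShield (assumption: a local allowlist, extend it per machine).
KNOWN_GOOD_O4 = {"vptray", "rtvscn95", "defwatch", "isuspm startup", "isusscheduler"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\S+) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]*\}(?: \([^)]*\))? - (?P<url>\S+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \S+ - (?P<path>.*)$")


def _host_is_ip(url: str) -> bool:
    """True when the download host is a bare IP rather than a DNS name."""
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Classify one HijackThis line; None means nothing to report."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" ", 1)[0]
    if section == "R3" and "missing" in line:
        return Finding(section, "review", "default URLSearchHook removed", line)
    if section == "O2":
        m = O2_RE.match(line)
        if m and m["name"] == "(no name)":
            return Finding(section, "high", "BHO without a name", line)
        if m and ("(file missing)" in m["path"] or m["path"] == "(no file)"):
            return Finding(section, "review", "orphaned BHO registration", line)
    if section == "O4":
        m = O4_RE.match(line)
        if m and m["label"].lower() in KNOWN_GOOD_O4:
            return None
        # Unknown Run labels and Startup-folder items both get a manual look.
        return Finding(section, "review", "autorun entry not on allowlist", line)
    if section == "O15":
        return Finding(section, "high", "site added to Trusted Zone", line)
    if section == "O16":
        m = O16_RE.match(line)
        if m and m["url"].lower().endswith(".exe"):
            return Finding(section, "high", "DPF pulls a bare executable", line)
        if m and _host_is_ip(m["url"]):
            return Finding(section, "review", "DPF host is a raw IP address", line)
    if section == "O18":
        m = O18_RE.match(line)
        if m and m["mime"] == "text/html":
            return Finding(section, "high", "filter hooks every HTML page", line)
    return None


def triage(log_text: str):
    """Return findings for every line of a HijackThis log, in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def fix_list(findings):
    """The lines a helper would tell the poster to tick in HijackThis."""
    return [f.line for f in findings if f.severity == "high"]


# Constructed sample: a subset of lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL (file missing)
O2 - BHO: (no name) - {6AAF3979-9465-4393-8753-60550DA67B4D} - C:\WINDOWS\SYSTEM\UEOEDW.DLL (file missing)
O2 - BHO: (no name) - {7456419D-F878-E9D9-2DF4-D0F88D93CCC8} - C:\WINDOWS\SYSTEM\YUF.DLL
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKCU\..\Run: [Xevtfn] C:\WINDOWS\SYSTEM\nhephlf.exe
O4 - Startup: ncic.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/504941.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\PROGRAM FILES\SYSTEM FILES\PLUGIN.DLL
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line}")
```

Entries the script leaves alone (the Norton Run entry, the Trend Micro HouseCall CAB) are exactly the ones the helper also left in place; "review" items still need a look at the file itself before anything is deleted.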
 

Registered · 20 Posts · Discussion Starter #3
The detail and instructions have been amazing so far. Thanks!!
Here are the results of my WINPFIND and Track.qoo.vbs:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
winsync 11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
ad-w-a-r-e.com 11/6/05 8:37:52 AM RH 1761312 c:\windows\USER.DAT
winsync 11/6/05 8:35:50 AM RH 8421426 c:\windows\SYSTEM.DAT
UPX! 6/24/04 1:12:00 AM 55296 c:\windows\96WU19RD.EXE
PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929

Items found in c:\windows\hosts

UPX! 10/5/05 12:42:58 PM 38912 c:\windows\mtuninst.exe
69.59.186.63 11/6/05 7:38:56 AM 46080 c:\windows\sdsdfsd.dll
209.66.67.134 11/6/05 7:38:56 AM 46080 c:\windows\sdsdfsd.dll
web-nex 11/6/05 7:38:56 AM 46080 c:\windows\sdsdfsd.dll
winsync 11/6/05 7:38:56 AM 46080 c:\windows\sdsdfsd.dll
69.59.186.63 11/6/05 7:38:56 AM 10240 c:\windows\jkake.dll
209.66.67.134 11/6/05 7:38:56 AM 10240 c:\windows\jkake.dll
web-nex 11/6/05 7:38:56 AM 10240 c:\windows\jkake.dll
winsync 11/6/05 7:38:56 AM 10240 c:\windows\jkake.dll
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll

Checking %System% folder...
PTech 11/9/99 3:55:54 PM 88571 c:\windows\SYSTEM\MDACRDME.HTM
PTech 8/22/98 12:24:08 AM 74460 c:\windows\SYSTEM\OLFAXDRV.DRV
UPX! 11/3/05 8:24:32 AM 81920 c:\windows\SYSTEM\202_app13.exe
UPX! 10/5/05 12:42:56 PM 136704 c:\windows\SYSTEM\oins.exe
UPX! 7/24/04 12:09:34 AM 206848 c:\windows\SYSTEM\in10b6s.dll
69.59.186.63 11/1/05 9:38:58 PM 30720 c:\windows\SYSTEM\wuauclt.dll
209.66.67.134 11/1/05 9:38:58 PM 30720 c:\windows\SYSTEM\wuauclt.dll
66.63.167.97 11/1/05 9:38:58 PM 30720 c:\windows\SYSTEM\wuauclt.dll
66.63.167.77 11/1/05 9:38:58 PM 30720 c:\windows\SYSTEM\wuauclt.dll
web-nex 11/1/05 9:38:58 PM 30720 c:\windows\SYSTEM\wuauclt.dll
winsync 11/1/05 9:38:58 PM 30720 c:\windows\SYSTEM\wuauclt.dll
rec2_run 11/1/05 9:38:58 PM 30720 c:\windows\SYSTEM\wuauclt.dll
UPX! 11/1/05 9:41:04 PM 25105 c:\windows\SYSTEM\MTE2ODM6ODoxNg.exe

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
11/6/05 8:37:52 AM RH 1761312 c:\windows\USER.DAT
11/6/05 8:35:50 AM RH 8421426 c:\windows\SYSTEM.DAT
11/2/05 10:29:08 PM H 9718 c:\windows\ttfCache
11/2/05 8:44:22 AM H 1277197 c:\windows\ShellIconCache
11/5/05 10:31:40 AM H 54156 c:\windows\QTFont.qfn
11/4/05 6:57:14 PM H 9793 c:\windows\HELP\windows.GID
9/22/05 9:23:06 PM H 22968 c:\windows\TEMP\tp5a000.tmf
11/2/05 6:33:56 PM HS 11275 c:\windows\TEMP\Ssk.log
11/3/05 1:17:32 PM HS 1203 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
10/9/05 11:43:32 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\BZ2P6Z05\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\80XYCIN2\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\8UPZV6DY\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\9AE6DSRJ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QJWLDPI2\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\OL6RCX63\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\2NQVY5EZ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WYY6G5VH\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QPGNKZ4L\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\7EJP0WKT\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\CB65SPKE\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\YKSDICXR\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\LFFX7LN4\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\SLY3GXMV\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QNWRY1Q5\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\FU3YZF6K\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\I38J3W18\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\6V0RYT43\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\M8E5NLOO\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\3R1XLXHQ\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\T0S7LX05\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\691QVI5G\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\4XU3OP2N\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WZRVYK9H\desktop.ini
11/6/05 7:38:04 AM H 6 c:\windows\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 c:\windows\SYSTEM\JOY.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 c:\windows\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 c:\windows\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 c:\windows\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 c:\windows\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 c:\windows\SYSTEM\TIMEDATE.CPL
Creative Technology Ltd. 3/19/98 1:00:00 AM 18432 c:\windows\SYSTEM\AUDIOHQ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 15360 c:\windows\SYSTEM\THEMES.CPL
Creative Technology Ltd. 12/8/98 1:53:00 AM 223744 c:\windows\SYSTEM\CtDetect.cpl
Microsoft Corporation 2/10/99 4:48:48 AM 40960 c:\windows\SYSTEM\FINDFAST.CPL
RealNetworks, Inc. 11/25/01 12:30:06 AM 24576 c:\windows\SYSTEM\prefscpl.cpl
Apple Computer, Inc. 12/14/03 9:20:50 AM 323072 c:\windows\SYSTEM\QuickTime.cpl
Apple Computer, Inc. 12/15/95 2:10:00 AM R 342016 c:\windows\SYSTEM\QTW32.CPL
Microsoft Corporation 7/11/97 61440 c:\windows\SYSTEM\MLCFG32.CPL
Sun Microsystems, Inc. 2/20/05 2:29:20 PM 49262 c:\windows\SYSTEM\jpicpl32.cpl
Microsoft Corporation 7/26/00 10:37:08 AM 41232 c:\windows\SYSTEM\odbccp32.cpl
InstallShield Software Corporation4/16/04 11:24:54 AM 61440 c:\windows\SYSTEM\ISUSPM.cpl
11/1/05 9:39:00 PM 31744 c:\windows\SYSTEM\vgactl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
10/31/05 7:31:56 AM 583 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
10/31/05 7:31:54 AM 544 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
11/6/05 7:38:54 AM 91648 C:\WINDOWS\Start Menu\Programs\StartUp\ncic.exe

Checking files in %USERPROFILE%\Application Data folder...
3/12/03 7:55:10 PM 0 C:\WINDOWS\Application Data\dm.ini
4/24/05 1:39:14 PM 921 C:\WINDOWS\Application Data\dw.log
1/1/05 3:59:56 PM 21168 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
yie6_SBC = IEAK
YPC 3.0.1 = Yahoo! Parental Controls

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\windows\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
LexStart Lexstart.exe
LexmarkPrinTray PrinTray.exe
vptray c:\PROGRA~1\NORTON~1\vptray.exe
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
ISUSScheduler "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
autoupdate rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
winsync C:\WINDOWS\ldsdsp.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SchedulingAgent mstask.exe
rtvscn95 c:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch c:\PROGRA~1\NORTON~1\defwatch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Spyware Cleaner "C:\PROGRAM FILES\SPYWARE CLEANER\SPYWARECLEANER.Exe" /boot

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
OEMCleanup C:\WINDOWS\OPTIONS\OEMRESET.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LXSUPMON C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
Motive SmartBridge C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
xpsystem C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
WindUpdates C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
gwmaxas C:\WINDOWS\SYSTEM\pnwpci.exe
3L47BSK2NXKSX6 C:\WINDOWS\SYSTEM\ObvAkhI.exe
pt9V37e IR30016.EXE
AutoUpdater "c:\Program Files\AutoUpdate\AutoUpdate.exe"
ALCHEM C:\WINDOWS\ALCHEM.exe
Pcsv C:\WINDOWS\system32\pcs\pcsvc.exe
Dpi C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
MovieNetworks "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
wininetd C:\WINDOWS\SYSTEM\wininetd.exe
CFIMP C:\WINDOWS\CFIMP.exe
New.net Startup rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
AutoLoaderpEqf1JblOJbO "C:\WINDOWS\SYSTEM\IR30016.EXE"
AutoLoaderAproposClient "C:\JULY14_LOADER.EXE"
SREPL40M C:\WINDOWS\SYSTEM\SREPL40M.exe
ScanRegistry c:\windows\scanregw.exe /autorun
Zone Labs Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Yahoo! Pager 1
xpsystem C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
YAq9RXKnV JGMLTSCM.EXE
Elpr C:\WINDOWS\Application Data\hruu.exe
Quh C:\WINDOWS\SYSTEM\igtudzn.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/6/05 8:47:50 AM


TRACK QOO.VBS:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LexStart"="Lexstart.exe"
"LexmarkPrinTray"="PrinTray.exe"
"vptray"="c:\\PROGRA~1\\NORTON~1\\vptray.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.EXE -startup"
"ISUSScheduler"="\"C:\\PROGRAM FILES\\COMMON FILES\\INSTALLSHIELD\\UPDATESERVICE\\issch.exe\" -start"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WUAUCLT.DLL,SHStart"
"winsync"="C:\\WINDOWS\\ldsdsp.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
 

Registered · 1,462 Posts
Lotsa stuff in there, so let's see what we can get rid of first, OK?
Welcome,
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

Please download ewido security suite; it is a free version of the program.
  1. Install ewido security suite
  2. When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


Open Ewido Security Suite and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Reboot, and post that Log here, as well as a fresh HijackThis Log.
 

Registered · 20 Posts · Discussion Starter #5
Thanks again for the detailed information. You make it easy to follow, and that's important for a moderate user like myself. I really do appreciate you taking the time to assist!! Anyway, I feel like I'm in the dark ages because Ewido was developed for Windows 2000 and I'm only running Win 98. Is there an alternate program you can point me to? In the meantime, I have run some other programs trying to resolve the matter and it has definitely helped, although I'm not sure if I'm totally free. Here is my latest log:

Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:33:51 PM, on 11/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\LDSDSP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\ldsdsp.exe reg_run
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: ncic.exe
O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - http://mail.tripplite.com/iNotes.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.tripplite.com/iNotes6.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/504941.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


End of KRC HijackThis Analyzer Log.
====================================================================
 

Registered · 1,462 Posts
WOW.
You do impressive work! hahaha 90% of what you had appears to be gone!

Paste from ClipBoard!
Download Killbox
Run KillBox and:
  • Check the box that says 'End Explorer Shell While Killing File'.
  • Next click on 'Delete on Reboot'.
  • Select each of the following files below with your mouse, then right click and select Copy.
  • Check the box that says 'Unregister .dll Before Deleting' if it's not grayed out.
  • Now in Killbox go to File, then select Paste from clipboard!
  • Now hit the X button (choose YES when it asks if you want to reboot).
  • Click Yes at the 'Pending Operations' prompt, if you see it:
c:\windows\SYSTEM\wuauclt.dll
c:\windows\mtuninst.exe
c:\windows\sdsdfsd.dll
c:\windows\jkake.dll
c:\windows\SYSTEM\202_app13.exe
c:\windows\SYSTEM\oins.exe
c:\windows\SYSTEM\in10b6s.dll
c:\windows\SYSTEM\MTE2ODM6ODoxNg.exe
c:\windows\SYSTEM\vgactl.cpl
C:\WINDOWS\Start Menu\Programs\StartUp\ncic.exe
C:\WINDOWS\ldsdsp.exe
c:\windows\96WU19RD.EXE
Copy the following into notepad and save it as "qoo.reg" WITH the quotes.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-
"autoupdate"=-
Please note, if any spaces appear in the text of the second line when you copy it, they should be removed BEFORE saving this file.

Once saved double click the file, and allow it to merge with the registry.

Reboot Now

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Standard
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
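Added example, my own code rather than anything from this thread, HijackThis or Killbox: the qoo.reg above removes two Run values by hand, and the warning about a broken second line points at the usual way such a file fails to import. The script below derives the same file from the log instead. It parses the O4 lines HijackThis printed (copied from the log above as constructed input), expands the HKLM\..\Run shorthand to the full CurrentVersion key, extracts the file each Run value loads (including the rundll32 C:\...\X.DLL,Entry form used by the autoupdate entry), matches it by basename against the Killbox list, and writes a REGEDIT4 file with each key header on a single line and "name"=- deletions under it. Deleting the value together with the file matters: if the file goes but the Run value stays, Windows still tries to load it at every logon and complains with an "Error loading ..." message. The hive expansion, the basename match and the separate handling of O4 - Startup: items (those are files in the Startup folder, not registry values) are assumptions of this script.

```python
"""Derive a REGEDIT4 deletion file from HijackThis O4 lines and a Killbox list.

Added example; the hive expansion, basename matching and output layout are
assumptions of this script, not part of HijackThis or Killbox.
"""
import ntpath
import re

# Constructed input: O4 lines copied from the HijackThis log posted above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\ldsdsp.exe reg_run
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: ncic.exe
"""

# Constructed input: the files the helper listed for Killbox.
KILL_LIST = r"""
c:\windows\SYSTEM\wuauclt.dll
c:\windows\mtuninst.exe
c:\windows\sdsdfsd.dll
c:\windows\jkake.dll
c:\windows\SYSTEM\202_app13.exe
c:\windows\SYSTEM\oins.exe
c:\windows\SYSTEM\in10b6s.dll
c:\windows\SYSTEM\MTE2ODM6ODoxNg.exe
c:\windows\SYSTEM\vgactl.cpl
C:\WINDOWS\Start Menu\Programs\StartUp\ncic.exe
C:\WINDOWS\ldsdsp.exe
c:\windows\96WU19RD.EXE
"""

# HijackThis prints HKLM\..\Run as shorthand for the full CurrentVersion key.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (.+)$")
QUOTED_PATH = re.compile(r'"([^"]+)"')          # "C:\Program Files\x.exe" -flag
BARE_PATH = re.compile(r'[A-Za-z]:\\[^\s,"]+')  # C:\x.exe -flag, rundll32 C:\x.dll,Entry


def target_file(command):
    r"""The file a Run value loads: a quoted path, a bare C:\ token, or the DLL
    in rundll32 C:\path\X.DLL,Entry (the comma ends the token)."""
    m = QUOTED_PATH.search(command)
    if m:
        return m.group(1)
    m = BARE_PATH.search(command)
    return m.group(0) if m else None


def parse_o4(log_text):
    """Split O4 lines into registry Run values and Startup-folder items."""
    registry, startup = [], []
    for line in log_text.strip().splitlines():
        m = O4_REG.match(line)
        if m:
            hive, subkey, name, command = m.groups()
            registry.append({
                "key": HIVES[hive] + "\\" + RUN_BASE + "\\" + subkey,
                "name": name,
                "command": command,
                "target": target_file(command),
            })
            continue
        m = O4_STARTUP.match(line)
        if m:
            startup.append(m.group(1))
    return registry, startup


def _basenames(kill_list_text):
    return {ntpath.basename(p).lower() for p in kill_list_text.strip().splitlines()}


def match_kill_list(registry, kill_list_text):
    r"""Run values whose target is on the deletion list. Compared by basename,
    case-insensitively: on Win9x the same file shows up as C:\PROGRA~1\... in
    one place and C:\Program Files\... in another."""
    wanted = _basenames(kill_list_text)
    return [e for e in registry
            if e["target"] and ntpath.basename(e["target"]).lower() in wanted]


def startup_items_to_delete(startup, kill_list_text):
    """Startup-folder entries are files, not registry values: list them so the
    file itself gets deleted instead of emitting a .reg line for it."""
    wanted = _basenames(kill_list_text)
    return [s for s in startup if ntpath.basename(s).lower() in wanted]


def build_reg(entries):
    """REGEDIT4 text deleting each value ("name"=-) under its key. Every key
    header is written on one line and the file ends with a line terminator;
    a header broken across lines is the usual reason a hand-typed .reg fails."""
    by_key = {}
    for e in entries:
        by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append("[" + key + "]")
        lines.extend('"' + n + '"=-' for n in names)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    registry, startup = parse_o4(HJT_LOG)
    print(build_reg(match_kill_list(registry, KILL_LIST)))
    for item in startup_items_to_delete(startup, KILL_LIST):
        print("Startup folder item to delete by hand:", item)
```

Run as-is it prints a .reg deleting "autoupdate" and "winsync" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the same two values as the qoo.reg above, and flags ncic.exe as a Startup-folder file. Entries such as rtvscn95 (Norton) are left alone because their target is not on the list; the script only automates the bookkeeping, the decision of what goes on the list stays with whoever reads the log.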
 

Registered · 20 Posts · Discussion Starter #7
Hey, thanks for the compliment, I appreciate it. Sorry about the delay in responding, I ran into 2 separate but related major car issues. ugh !! I digress though. I have followed your most recent instructions and advice and will now post the results of my Kaspersky scan. Unless I'm mistaken, it didn't clean anything, just detected it, right? Regardless, here it is:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 09, 2005 21:32:15
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/11/2005
Kaspersky Anti-Virus database records: 149483
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 48597
Number of viruses found: 16
Number of infected objects: 37
Number of suspicious objects: 4
Duration of the scan process: 4077 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\in10b6s.dll Infected: Trojan-Dropper.Win32.Small.abe
c:\WINDOWS\SYSTEM\wuauclt.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
c:\WINDOWS\SYSTEM\vgactl.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED/alpha.xls.com Infected: Email-Worm.Win32.Sircam.c
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED Infected: Email-Worm.Win32.Sircam.c
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/alpha.xls.com Infected: Email-Worm.Win32.Sircam.c
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sircam.c
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer7.zip/install.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer7.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip/dale.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Start Menu\Programs\StartUp\ncic.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\504941.exe Infected: Trojan.Win32.Dialer.q
c:\WINDOWS\Downloaded Program Files\CONFLICT.2\504941.exe Infected: Trojan.Win32.Dialer.q
c:\WINDOWS\Downloaded Program Files\504941.exe Infected: Trojan.Win32.Dialer.q
c:\WINDOWS\ldsdsp.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\WINDOWS\pykyw.dat Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\WINDOWS\sdsdfsd.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\WINDOWS\bqmqdac.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\WINDOWS\jkake.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\Program Files\Norton AntiVirus\Quarantine\F0210000.VBN Infected: Exploit.HTML.Mht
c:\Program Files\Norton AntiVirus\Quarantine\F0210002.VBN/hp2.htm Infected: Trojan-Downloader.VBS.Psyme.y
c:\Program Files\Norton AntiVirus\Quarantine\F0210002.VBN Infected: Trojan-Downloader.VBS.Psyme.y
c:\Program Files\Norton AntiVirus\Quarantine\F0210004.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c
c:\Program Files\Norton AntiVirus\Quarantine\F0210004.VBN/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
c:\Program Files\Norton AntiVirus\Quarantine\F0210004.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
c:\Program Files\Norton AntiVirus\Quarantine\F0210004.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
c:\Program Files\Norton AntiVirus\Quarantine\F0210004.VBN Infected: Trojan-Downloader.Java.OpenConnection.v
c:\Program Files\Norton AntiVirus\Quarantine\F0210006.VBN Infected: Exploit.HTML.Mht
c:\Program Files\Norton AntiVirus\Quarantine\F0210008.VBN/wmp.htm Infected: Trojan-Downloader.VBS.Psyme.y
c:\Program Files\Norton AntiVirus\Quarantine\F0210008.VBN Infected: Trojan-Downloader.VBS.Psyme.y
c:\Program Files\Norton AntiVirus\Quarantine\027F0000.VBN/Counter.class Infected: Trojan.Java.ClassLoader.i
c:\Program Files\Norton AntiVirus\Quarantine\027F0000.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.k
c:\Program Files\Norton AntiVirus\Quarantine\027F0000.VBN/Beyond.class Infected: Trojan.Java.ClassLoader.k
c:\Program Files\Norton AntiVirus\Quarantine\027F0000.VBN Infected: Trojan.Java.ClassLoader.k
c:\Program Files\Norton AntiVirus\Quarantine\027F0002.VBN/Counter.class Infected: Trojan.Java.ClassLoader.i
c:\Program Files\Norton AntiVirus\Quarantine\027F0002.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.k
c:\Program Files\Norton AntiVirus\Quarantine\027F0002.VBN/Beyond.class Infected: Trojan.Java.ClassLoader.k
c:\Program Files\Norton AntiVirus\Quarantine\027F0002.VBN Infected: Trojan.Java.ClassLoader.k
c:\Program Files\KFH\setup.exe/data0007 Infected: Trojan.Win32.DelFiles.s
c:\Program Files\KFH\setup.exe Infected: Trojan.Win32.DelFiles.s

Scan process completed.

Let me know how to further proceed. Thanks !!!
 

Registered · 6,574 Posts
Open Killbox, and copy and paste each of these files (one at a time) into it. Use the same settings as before, and then hit the X to kill.

c:\WINDOWS\SYSTEM\in10b6s.dll
c:\WINDOWS\SYSTEM\wuauclt.dll
c:\WINDOWS\SYSTEM\vgactl.cpl
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED/alpha.xls.com
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/alpha.xls.com
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx
c:\WINDOWS\Start Menu\Programs\StartUp\ncic.exe
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\504941.exe
c:\WINDOWS\Downloaded Program Files\CONFLICT.2\504941.exe
c:\WINDOWS\Downloaded Program Files\504941.exe
c:\WINDOWS\ldsdsp.exe
c:\WINDOWS\pykyw.dat
c:\WINDOWS\sdsdfsd.dll
c:\WINDOWS\bqmqdac.exe
c:\WINDOWS\jkake.dll
c:\Program Files\KFH\setup.exe


Reboot your computer now.

What is KFH in your program files?

Empty these folders:

c:\Program Files\Norton AntiVirus\Quarantine\
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\


Rescan with Kaspersky and bring us back the results.
 

Registered · 20 Posts · Discussion Starter #9
Once again I did my best to follow the great, and detailed, instructions. Here is the latest Kaspersky file. If I recall, it seems similar to the original. I hope that's not too bad.

------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 10, 2005 21:01:45
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/11/2005
Kaspersky Anti-Virus database records: 149600
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 49353
Number of viruses found: 16
Number of infected objects: 35
Number of suspicious objects: 4
Duration of the scan process: 4135 sec

Infected Object Name - Virus Name
c:\RECYCLED\DC5.VBN/wmp.htm Infected: Trojan-Downloader.VBS.Psyme.y
c:\RECYCLED\DC5.VBN Infected: Trojan-Downloader.VBS.Psyme.y
c:\RECYCLED\DC6.VBN/Counter.class Infected: Trojan.Java.ClassLoader.i
c:\RECYCLED\DC6.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.k
c:\RECYCLED\DC6.VBN/Beyond.class Infected: Trojan.Java.ClassLoader.k
c:\RECYCLED\DC6.VBN Infected: Trojan.Java.ClassLoader.k
c:\RECYCLED\DC8.VBN Infected: Exploit.HTML.Mht
c:\RECYCLED\DC9.VBN/hp2.htm Infected: Trojan-Downloader.VBS.Psyme.y
c:\RECYCLED\DC9.VBN Infected: Trojan-Downloader.VBS.Psyme.y
c:\RECYCLED\DC10.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c
c:\RECYCLED\DC10.VBN/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
c:\RECYCLED\DC10.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
c:\RECYCLED\DC10.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
c:\RECYCLED\DC10.VBN Infected: Trojan-Downloader.Java.OpenConnection.v
c:\RECYCLED\DC11.VBN Infected: Exploit.HTML.Mht
c:\RECYCLED\DC12.VBN/Counter.class Infected: Trojan.Java.ClassLoader.i
c:\RECYCLED\DC12.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.k
c:\RECYCLED\DC12.VBN/Beyond.class Infected: Trojan.Java.ClassLoader.k
c:\RECYCLED\DC12.VBN Infected: Trojan.Java.ClassLoader.k
c:\RECYCLED\DC124.ZIP/dale.exe Suspicious: Password-protected-EXE
c:\RECYCLED\DC124.ZIP Suspicious: Password-protected-EXE
c:\RECYCLED\DC159.ZIP/install.exe Suspicious: Password-protected-EXE
c:\RECYCLED\DC159.ZIP Suspicious: Password-protected-EXE
c:\!KillBox\in10b6s.dll Infected: Trojan-Dropper.Win32.Small.abe
c:\!KillBox\wuauclt.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
c:\!KillBox\vgactl.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
c:\!KillBox\setup.exe/data0007 Infected: Trojan.Win32.DelFiles.s
c:\!KillBox\setup.exe Infected: Trojan.Win32.DelFiles.s
c:\!KillBox\jkake.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\sdsdfsd.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED/alpha.xls.com Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/alpha.xls.com Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\Inbox.dbx Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\ncic.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\504941.exe Infected: Trojan.Win32.Dialer.q
c:\!KillBox\ldsdsp.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\pykyw.dat Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\bqmqdac.exe Infected: Trojan-Downloader.Win32.Qoologic.ac

Scan process completed.
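Added example, my own code and not part of this thread or of the Kaspersky scanner: a triage pass over an on-line scanner report. Read side by side, the two reports show what actually changed between the scans. In the first, the Qoologic files sit in live locations (C:\WINDOWS\SYSTEM, the Startup folder, C:\WINDOWS); in the second, every hit is under c:\RECYCLED\ or c:\!KillBox\, i.e. copies that Norton's quarantine, Spybot's Recovery folder, the Recycle Bin or Killbox have already moved out of the way. The script parses each "path Infected: name" or "path Suspicious: name" line, collapses nested objects onto the outermost file on disk (the scanner joins archive members and mail attachments with "/", as in Inbox.dbx/message/attachment), and sorts those files by where they sit. A .dbx Outlook Express store is listed on its own because deleting the file removes every message in that folder, not just the Sircam attachment. The sample input is a constructed subset of lines copied from the two reports; the location markers and the "live" default are assumptions of this script.

```python
"""Triage a Kaspersky on-line scanner report by where each hit actually lives.

Added example; the location markers and the 'live' default are assumptions
of this script, not part of the Kaspersky scanner.
"""
import re
from collections import defaultdict

# Constructed input: a subset of lines copied from the two reports above.
REPORT = r"""
c:\WINDOWS\SYSTEM\wuauclt.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED/alpha.xls.com Infected: Email-Worm.Win32.Sircam.c
c:\WINDOWS\Application Data\Identities\{25A67E20-5CB2-11D5-8EC7-EE7228568160}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sircam.c
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip/dale.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Start Menu\Programs\StartUp\ncic.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\Program Files\Norton AntiVirus\Quarantine\F0210004.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c
c:\Program Files\Norton AntiVirus\Quarantine\F0210004.VBN Infected: Trojan-Downloader.Java.OpenConnection.v
c:\Program Files\KFH\setup.exe/data0007 Infected: Trojan.Win32.DelFiles.s
c:\RECYCLED\DC10.VBN/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
c:\RECYCLED\DC124.ZIP/dale.exe Suspicious: Password-protected-EXE
c:\!KillBox\wuauclt.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
c:\!KillBox\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED Infected: Email-Worm.Win32.Sircam.c
"""

# "<path> Infected: <name>" or "<path> Suspicious: <name>"; names contain no spaces.
LINE = re.compile(r"^(.+) (Infected|Suspicious): (\S+)$")

# Where a hit lives decides what to do with it. Markers are lower-case
# substrings of the outermost file's path, checked top-down.
LOCATIONS = [
    ("killbox", "\\!killbox\\"),
    ("recycled", "\\recycled\\"),
    ("quarantine", "\\norton antivirus\\quarantine\\"),
    ("quarantine", "\\spybot - search & destroy\\recovery\\"),
]


def outermost(path):
    """The file on disk: the scanner joins nested objects with '/', and a
    Windows path itself never contains '/'."""
    return path.split("/", 1)[0]


def locate(path):
    """Classify a file on disk by the folder it sits in."""
    p = path.lower()
    for label, marker in LOCATIONS:
        if marker in p:
            return label
    if p.endswith(".dbx"):
        return "mailstore"   # Outlook Express store: one file holds the whole folder
    return "live"


def parse_report(text):
    """Yield (path, verdict, detection name) for each result line."""
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def triage(text):
    """location -> {outermost file -> set of detection names}."""
    result = defaultdict(dict)
    for path, _verdict, name in parse_report(text):
        outer = outermost(path)
        result[locate(outer)].setdefault(outer, set()).add(name)
    return result


def action_items(text):
    """Only live files need a deletion decision. A .dbx gets a decision of its
    own (deleting it drops every message in that mailbox), and quarantine,
    Recycle Bin and !KillBox copies just need their folder emptied."""
    t = triage(text)
    return {
        "delete": sorted(t.get("live", {})),
        "mail_store": sorted(t.get("mailstore", {})),
        "empty_folder": sorted(f for loc in ("quarantine", "recycled", "killbox")
                               for f in t.get(loc, {})),
    }


if __name__ == "__main__":
    for bucket, files in action_items(REPORT).items():
        print(bucket)
        for f in files:
            print("   ", f)
```

On the constructed sample the "delete" bucket holds the three files that were still in place during the first scan (wuauclt.dll, ncic.exe and KFH\setup.exe), the Inbox.dbx lands in "mail_store", and the six quarantine, RECYCLED and !KillBox copies only need their folders emptied. Running the same parser over the second report on its own yields an empty "delete" bucket, which is the check worth doing before taking any further action on the machine.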
 

Registered · 20 Posts · Discussion Starter #10
After my last post I came across the following error message upon every reboot after my cleanup. The message states:
Error loading C:\WINDOWS\SYSTEM\WUAUCLT.DLL

Since it has happened on every reboot since, I'm concerned it's a problem. Along with looking at the log posted previously, can you advise what this error message is about?

Thanks !!!!!!!!!!!
 

Registered · 1,462 Posts
Must be a hidden key somewhere.
Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!
Download Track qoo
  • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
 

Registered · 20 Posts · Discussion Starter #12
Okay, here you go. It should be noted, however, that when I tried to run Track qoo.vbs I received the following error message:

Error: File name or class name not found during automation operation: "GetObject"
Code: 800A01B0
Source: Microsoft VBScript runtime error

Anyway, here are the logs you requested, or what was available:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
winsync 11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
qoologic 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
PTech 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
urllogic 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
ad-beh 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
66.63.167.77 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
abetterinternet.com 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
web-nex 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
ad-w-a-r-e.com 11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
winsync 11/12/05 10:15:28 PM RH 8486962 c:\windows\SYSTEM.DAT

Items found in c:\windows\HOSTS
127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 web-nexus.net #[Adw.Web-Nexus.WebNexusAdServer]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 stech.web-nexus.net
127.0.0.1 www.web-nexus.net
127.0.0.1 agentq.vpptechnologies.com
127.0.0.1 main.vpptechnologies.com #[IE-SpyAd]
127.0.0.1 media-0.vpptechnologies.com
127.0.0.1 media-1.vpptechnologies.com
127.0.0.1 media-4.vpptechnologies.com
127.0.0.1 media-5.vpptechnologies.com
127.0.0.1 media-6.vpptechnologies.com
127.0.0.1 media-a.vpptechnologies.com
127.0.0.1 media-b.vpptechnologies.com
127.0.0.1 media-c.vpptechnologies.com
127.0.0.1 media-d.vpptechnologies.com
127.0.0.1 media-e.vpptechnologies.com
127.0.0.1 media-f.vpptechnologies.com
127.0.0.1 msxml.vpptechnologies.com
127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
127.0.0.1 thumbs.vpptechnologies.com
127.0.0.1 xml.vpptechnologies.com #[BlazeFind]
127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede]
127.0.0.1 www.ad-w-a-r-e.com #[AdWare.Win32.Look2Me.ab]
127.0.0.1 abetterinternet.com #[Downloader.Stubby.A][Adware.Aurora]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
127.0.0.1 download2.abetterinternet.com #[Parasite.Transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 st.abetterinternet.com
127.0.0.1 static.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]

UPX! 6/24/04 1:12:00 AM 55296 c:\windows\96WU19RD.EXE
PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll

Checking %System% folder...
PTech 11/9/99 3:55:54 PM 88571 c:\windows\SYSTEM\MDACRDME.HTM
PTech 8/22/98 12:24:08 AM 74460 c:\windows\SYSTEM\OLFAXDRV.DRV
UPX! 11/3/05 8:24:32 AM 81920 c:\windows\SYSTEM\202_app13.exe
PTech 8/29/05 1:27:12 PM 520968 c:\windows\SYSTEM\LegitCheckControl.DLL
UPX! 10/5/05 12:42:56 PM 136704 c:\windows\SYSTEM\oins.exe
UPX! 11/1/05 9:41:04 PM 25105 c:\windows\SYSTEM\MTE2ODM6ODoxNg.exe

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
11/12/05 10:16:40 PM RH 3125280 c:\windows\USER.DAT
11/12/05 10:15:28 PM RH 8486962 c:\windows\SYSTEM.DAT
11/6/05 11:03:28 PM H 9718 c:\windows\ttfCache
11/2/05 8:44:22 AM H 1277197 c:\windows\ShellIconCache
11/12/05 1:15:10 PM H 54156 c:\windows\QTFont.qfn
11/4/05 6:57:14 PM H 9793 c:\windows\HELP\windows.GID
11/6/05 11:14:22 AM HS 1203 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
10/9/05 11:43:32 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\BZ2P6Z05\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\80XYCIN2\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\8UPZV6DY\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\9AE6DSRJ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QJWLDPI2\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\OL6RCX63\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\2NQVY5EZ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WYY6G5VH\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QPGNKZ4L\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\7EJP0WKT\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\CB65SPKE\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\YKSDICXR\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\LFFX7LN4\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\SLY3GXMV\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QNWRY1Q5\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\FU3YZF6K\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\I38J3W18\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\6V0RYT43\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\M8E5NLOO\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\3R1XLXHQ\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\T0S7LX05\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\691QVI5G\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\4XU3OP2N\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WZRVYK9H\desktop.ini
11/12/05 1:07:56 PM H 6 c:\windows\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 c:\windows\SYSTEM\JOY.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 c:\windows\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 c:\windows\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 c:\windows\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 c:\windows\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 c:\windows\SYSTEM\TIMEDATE.CPL
Creative Technology Ltd. 3/19/98 1:00:00 AM 18432 c:\windows\SYSTEM\AUDIOHQ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 15360 c:\windows\SYSTEM\THEMES.CPL
Creative Technology Ltd. 12/8/98 1:53:00 AM 223744 c:\windows\SYSTEM\CtDetect.cpl
Microsoft Corporation 2/10/99 4:48:48 AM 40960 c:\windows\SYSTEM\FINDFAST.CPL
RealNetworks, Inc. 11/25/01 12:30:06 AM 24576 c:\windows\SYSTEM\prefscpl.cpl
Apple Computer, Inc. 12/14/03 9:20:50 AM 323072 c:\windows\SYSTEM\QuickTime.cpl
Apple Computer, Inc. 12/15/95 2:10:00 AM R 342016 c:\windows\SYSTEM\QTW32.CPL
Microsoft Corporation 7/11/97 61440 c:\windows\SYSTEM\MLCFG32.CPL
Sun Microsystems, Inc. 2/20/05 2:29:20 PM 49262 c:\windows\SYSTEM\jpicpl32.cpl
Microsoft Corporation 7/26/00 10:37:08 AM 41232 c:\windows\SYSTEM\odbccp32.cpl
InstallShield Software Corporation 4/16/04 11:24:54 AM 61440 c:\windows\SYSTEM\ISUSPM.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
10/31/05 7:31:56 AM 583 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
10/31/05 7:31:54 AM 544 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
11/6/05 2:13:16 PM 376 C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
3/12/03 7:55:10 PM 0 C:\WINDOWS\Application Data\dm.ini
11/6/05 11:08:00 AM 1044 C:\WINDOWS\Application Data\dw.log
1/1/05 3:59:56 PM 21168 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
yie6_SBC = IEAK
YPC 3.0.1 = Yahoo! Parental Controls

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\windows\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
LexStart Lexstart.exe
LexmarkPrinTray PrinTray.exe
vptray c:\PROGRA~1\NORTON~1\vptray.exe
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
ISUSScheduler "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
autoupdate rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
winsync C:\WINDOWS\ldsdsp.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SchedulingAgent mstask.exe
rtvscn95 c:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch c:\PROGRA~1\NORTON~1\defwatch.exe
KB891711 c:\windows\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LXSUPMON C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
Motive SmartBridge C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
xpsystem C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
pt9V37e IR30016.EXE
ScanRegistry c:\windows\scanregw.exe /autorun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Yahoo! Pager 1
YAq9RXKnV JGMLTSCM.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/12/05 10:24:21 PM

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LexStart"="Lexstart.exe"
"LexmarkPrinTray"="PrinTray.exe"
"vptray"="c:\\PROGRA~1\\NORTON~1\\vptray.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.EXE -startup"
"ISUSScheduler"="\"C:\\PROGRAM FILES\\COMMON FILES\\INSTALLSHIELD\\UPDATESERVICE\\issch.exe\" -start"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WUAUCLT.DLL,SHStart"
"winsync"="C:\\WINDOWS\\ldsdsp.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

-----------------
 

TSF Security Team, Emeritus
Hi and Welcome to TSF

Still got some bad guys running....

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive. (C:\HJT)

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options..."
* Move the arrow down to "Custom CleanUp!"
* Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X] Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
* Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Open add/remove programs and remove Viewpoint.

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click FILE…EXPORT… and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsync C:\WINDOWS\ldsdsp.exe reg_run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
xpsystem C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
pt9V37e IR30016.EXE



Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

c:\windows\96WU19RD.EXE
C:\windows\SYSTEM\202_app13.exe
c:\windows\SYSTEM\oins.exe
c:\windows\SYSTEM\MTE2ODM6ODoxNg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
C:\WINDOWS\ldsdsp.exe


Once you reboot...run those same files back through killbox again. We need to do this twice to make sure nothing survived.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log".

I then need you to repeat the same procedure above again... using the TrendMicro scan tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

Post the Trendmicro log, hijackthis log, and another WinPFind log.
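The Run-key review the helper did by eye on the WinPFind section above, written as repeatable rules; this is an added example, not code from the thread or from WinPFind. The sample is a constructed subset of the log's Run entries, and the allowlists and the expected-location map for wmplayer.exe are assumptions for this example (in practice they come from a known-clean baseline); the entry splitter also handles quoted and rundll32 commands that appear elsewhere in the log.

```python
"""Heuristic triage of autostart entries from a WinPFind-style log.

Added example, not code from the thread or from WinPFind: it turns the
by-eye checks a helper applies to the "Checking Selected Registry Keys"
section into rules. Allowlists and EXPECTED_DIR are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the Run-key section of the WinPFind log above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
vptray c:\PROGRA~1\NORTON~1\vptray.exe
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
winsync C:\WINDOWS\ldsdsp.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
KB891711 c:\windows\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
xpsystem C:\WINDOWS\SYSTEM\SERVICES\WMPLAYER.EXE
pt9V37e IR30016.EXE
ScanRegistry c:\windows\scanregw.exe /autorun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Yahoo! Pager 1
YAq9RXKnV JGMLTSCM.EXE
"""

# Assumed allowlists for this Win98 box; a real one is built from a clean baseline.
KNOWN_WINDIR_ROOT = {"taskmon.exe", "scanregw.exe", "explorer.exe"}
KNOWN_PATHLESS = {"systray.exe", "lexstart.exe", "printray.exe", "mstask.exe"}
# Well-known program names and the directory they are expected to run from;
# the same name anywhere else is a masquerading indicator (assumed map).
EXPECTED_DIR: Dict[str, str] = {"wmplayer.exe": r"c:\program files\windows media player"}

# A token that starts the command part: quoted path, drive path, rundll32
# launcher, or anything ending in an executable suffix.
CMD_START = re.compile(r'^("|[a-z]:\\|rundll32)', re.I)
EXE_SUFFIX = re.compile(r"\.(exe|com|scr|dll)$", re.I)
# Letters and digits only, with digits plus both letter cases: the
# generated-looking names seen in the log (pt9V37e, YAq9RXKnV).
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")


def split_entry(line: str) -> Tuple[str, str]:
    """Split 'name command' where the name itself may contain spaces."""
    tokens = line.split()
    for i in range(1, len(tokens)):
        if CMD_START.match(tokens[i]) or EXE_SUFFIX.search(tokens[i]):
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    return " ".join(tokens[:-1]), tokens[-1]   # e.g. 'Yahoo! Pager 1'


def executable_of(command: str) -> str:
    """Return the image the command launches (handles quotes and rundll32)."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    parts = command.split()
    if parts[0].lower().startswith("rundll32") and len(parts) > 1:
        return parts[1].split(",")[0]       # the DLL is the real payload
    return parts[0]


def reasons_for(name: str, command: str) -> List[str]:
    """Apply the heuristics to one entry; an empty list means nothing odd."""
    exe = executable_of(command)
    directory, _, base = exe.lower().rpartition("\\")
    reasons: List[str] = []
    if RANDOM_NAME.match(name):
        reasons.append("generated-looking entry name")
    if not directory:
        if EXE_SUFFIX.search(base) and base not in KNOWN_PATHLESS:
            reasons.append("bare filename resolved via PATH, not in allowlist")
    elif directory == r"c:\windows" and base not in KNOWN_WINDIR_ROOT:
        reasons.append("unknown executable directly in the Windows directory")
    if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
        reasons.append(f"{base} launched from {directory!r}, expected {EXPECTED_DIR[base]!r}")
    return reasons


def triage_log(text: str) -> List[Dict[str, object]]:
    """Walk the log, track the current key, and report flagged entries."""
    findings: List[Dict[str, object]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].rpartition("\\")[2]   # e.g. 'Run', 'Run-'
            continue
        name, command = split_entry(line)
        reasons = reasons_for(name, command)
        if reasons:
            findings.append({"key": section, "name": name,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['key']}] {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Entries such as ViewMgr (Viewpoint) are not caught by these rules; they need vendor knowledge, which is why the allowlist and the human review both stay in the loop.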
 

Registered
Discussion Starter #14
I am REALLY SORRY about the length of this post!!!!!!!! But you did ask for it. :wink:

Here are the logs you requested, in order:

TRENDMICRO:
Started Scanning
Files and Directories
Found 'xmlparse.dll' in 'c:\WINDOWS\SYSTEM'
Found 'xmltok.dll' in 'c:\WINDOWS\SYSTEM'
Found 'SplWbr.dll' in 'c:\WINDOWS\SYSTEM'
Found 'ALCHEM.INF' in 'c:\WINDOWS\INF'
Found 'delfinAD.ebd' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinBD.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinED.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinID.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinDL.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinAF.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinLO.ebd' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinCO.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinLD.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinTG.ebd' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinKY.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinST.ebd' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'delfinSI.edx' in 'c:\WINDOWS\All Users\Application Data\pcsvc'
Found 'NDNuninstall5_48.exe' in 'c:\WINDOWS'
Found 'NDNuninstall5_64.exe' in 'c:\WINDOWS'
Found 'sepsd.bin' in 'c:\WINDOWS'
Found '' in 'c:\WINDOWS\bsx32'
Found 'EECH1.bsx' in 'c:\WINDOWS\bsx32'
Found 'SPZ3.bsx' in 'c:\WINDOWS\bsx32'
Found '' in 'c:\Program Files\Lycos'
Found '' in 'c:\Program Files\Save'
Found '' in 'c:\Program Files\MaxSpeed'
Found 'msbbau.dat' in 'c:\Temp'
Programs in Memory
Internet URL Shortcuts
Internet Cookies
Windows Registry
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\Settings'
Found '' in 'Software\Kazaa\Transfer'
Found '' in 'Software\KaZaA\CDN'
Found '' in 'Software\KaZaA\CloudLoad'
Found '' in 'Software\KaZaA\ConnectionInfo'
Found '' in 'Software\KaZaA\LocalContent'
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\LocalContent'
Found '' in 'Software\Kazaa\Promotions\Broadband'
Found '' in 'Software\Kazaa\Skins'
Found '' in 'Software\Kazaa\UserDetails'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found '' in 'SOFTWARE\Classes\AppID\WinAffiliateBHO.DLL'
Found 'LastSearchHash' in 'Software\Kazaa'
Found 'IgnoreAll' in 'Software\Kazaa\InstantMessaging'
Found 'DisableListFiles' in 'Software\Kazaa\LocalContent'
Found 'LastBBShown' in 'Software\Kazaa\Promotions\Broadband'
Found '' in 'Software\Kazaa\Search'
Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'CacheDiscoveryTime' in 'Software\Kazaa\Transfer'
Found 'CacheHost' in 'Software\Kazaa\Transfer'
Found 'CachePort' in 'Software\Kazaa\Transfer'
Found 'CountryCode' in 'Software\Kazaa\UserDetails'
Found 'Date' in 'Software\Kazaa\Settings'
Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'AutoConnected' in 'Software\Kazaa\UserDetails'
Found 'UseCount' in 'Software\Kazaa\Settings'
Found 'NoUploadLimitWhenIdle' in 'Software\Kazaa\Transfer'
Found 'UserName' in 'Software\Kazaa\UserDetails'
Found 'FirewallStatus' in 'SOFTWARE\Kazaa'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Found 'my_ip_address' in 'SOFTWARE\Kazaa'
Found 'network_config' in 'SOFTWARE\Kazaa'
Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
Found 'UDP_receive_status' in 'SOFTWARE\Kazaa'
Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
Found '' in 'Software\sep'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\MaxSpeed'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{120E090D-9136-4b78-8258-F0B44B4BD2AC}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D}'
Found '' in 'Software\Ropa'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'c:\WINDOWS\SYSTEM\xmlparse.dll' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\xmlparse.dll' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\xmlparse.dll'
Checking for 'c:\WINDOWS\SYSTEM\xmltok.dll' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\xmltok.dll' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\xmltok.dll'
Checking for 'c:\WINDOWS\SYSTEM\SplWbr.dll' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\SplWbr.dll' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\SplWbr.dll'
Checking for 'c:\WINDOWS\INF\ALCHEM.INF' in shortcut areas.
Checking for 'c:\WINDOWS\INF\ALCHEM.INF' in startup areas.
Cleaning 'c:\WINDOWS\INF\ALCHEM.INF'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinAD.ebd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinAD.ebd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinAD.ebd'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinBD.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinBD.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinBD.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinED.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinED.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinED.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinID.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinID.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinID.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinDL.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinDL.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinDL.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinAF.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinAF.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinAF.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinLO.ebd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinLO.ebd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinLO.ebd'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinCO.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinCO.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinCO.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinLD.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinLD.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinLD.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinTG.ebd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinTG.ebd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinTG.ebd'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinKY.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinKY.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinKY.edx'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinST.ebd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinST.ebd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinST.ebd'
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinSI.edx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinSI.edx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\pcsvc\delfinSI.edx'
Checking for 'c:\WINDOWS\NDNuninstall5_48.exe' in shortcut areas.
Checking for 'c:\WINDOWS\NDNuninstall5_48.exe' in startup areas.
Cleaning 'c:\WINDOWS\NDNuninstall5_48.exe'
Checking for 'c:\WINDOWS\NDNuninstall5_64.exe' in shortcut areas.
Checking for 'c:\WINDOWS\NDNuninstall5_64.exe' in startup areas.
Cleaning 'c:\WINDOWS\NDNuninstall5_64.exe'
Checking for 'c:\WINDOWS\sepsd.bin' in shortcut areas.
Checking for 'c:\WINDOWS\sepsd.bin' in startup areas.
Cleaning 'c:\WINDOWS\sepsd.bin'
Checking for 'c:\WINDOWS\bsx32' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32' in startup areas.
Cleaning 'c:\WINDOWS\bsx32'
Checking for 'c:\WINDOWS\bsx32\ASI3KAN6.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3KAN6.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3KAN6.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3CREDITCARD.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3CREDITCARD.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3CREDITCARD.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI2.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI2.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI2.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3SPORTSINT.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3SPORTSINT.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3SPORTSINT.bsx'
Checking for 'c:\WINDOWS\bsx32\EECH1.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\EECH1.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\EECH1.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3FREEXBOX.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3FREEXBOX.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3FREEXBOX.bsx'
Checking for 'c:\WINDOWS\bsx32\ASISSRE.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASISSRE.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASISSRE.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3********2.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3********2.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3********2.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3KAN11.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3KAN11.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3KAN11.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3KAN1.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3KAN1.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3KAN1.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3NETFLIX2.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3NETFLIX2.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3NETFLIX2.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3HYDRO.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3HYDRO.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3HYDRO.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3DIRTYH.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3DIRTYH.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3DIRTYH.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3LMORON.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3LMORON.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3LMORON.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3PCHSWEEPS.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3PCHSWEEPS.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3PCHSWEEPS.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3AMERS.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3AMERS.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3AMERS.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3PARTYPOKER.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3PARTYPOKER.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3PARTYPOKER.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3MYDISH.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3MYDISH.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3MYDISH.bsx'
Checking for 'c:\WINDOWS\bsx32\SPECAUTO.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\SPECAUTO.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\SPECAUTO.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3********.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3********.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3********.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3CHRISMORT.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3CHRISMORT.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3CHRISMORT.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3CHOCPBMM.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3CHOCPBMM.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3CHOCPBMM.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3KAN2.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3KAN2.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3KAN2.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPC.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPC.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPC.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3SUPERIOR.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3SUPERIOR.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3SUPERIOR.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3MYINKS.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3MYINKS.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3MYINKS.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3ENDOMET.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3ENDOMET.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3ENDOMET.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3LOWRATE.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3LOWRATE.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3LOWRATE.bsx'
Checking for 'c:\WINDOWS\bsx32\bspace.html' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\bspace.html' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\bspace.html'
Checking for 'c:\WINDOWS\bsx32\ASI3WEIGHTL.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3WEIGHTL.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3WEIGHTL.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3LEXREPAIR.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3LEXREPAIR.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3LEXREPAIR.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3FREECS.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3FREECS.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3FREECS.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3CCB.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3CCB.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3CCB.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3CARQ.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3CARQ.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3CARQ.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3CARQ2.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3CARQ2.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3CARQ2.bsx'
Checking for 'c:\WINDOWS\bsx32\ASIPP.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASIPP.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASIPP.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3ACCUQ.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3ACCUQ.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3ACCUQ.bsx'
Checking for 'c:\WINDOWS\bsx32\ASICLRE.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASICLRE.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASICLRE.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3KAN10.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3KAN10.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3KAN10.bsx'
Checking for 'c:\WINDOWS\bsx32\ASIEPRE.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASIEPRE.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASIEPRE.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3POP.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3POP.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3POP.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3ABSPLAT.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3ABSPLAT.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3ABSPLAT.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPMTV.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPMTV.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPMTV.bsx'
Checking for 'c:\WINDOWS\bsx32\ASIRCPRE.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASIRCPRE.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASIRCPRE.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3ASKNOW2.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3ASKNOW2.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3ASKNOW2.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3KAN7.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3KAN7.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3KAN7.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPSHOP.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPSHOP.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPSHOP.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPG.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPG.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPG.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPD.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPD.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPD.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPN.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPN.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPN.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPJ.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPJ.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPJ.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPF.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPF.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPF.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPFIN.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPFIN.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPFIN.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPFAM.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPFAM.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPFAM.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPE.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPE.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPE.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPFI.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPFI.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPFI.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPH.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPH.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPH.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPHL.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPHL.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPHL.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPM.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPM.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPM.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPW.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPW.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPW.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPSP.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPSP.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPSP.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPR.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPR.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPR.bsx'
Checking for 'c:\WINDOWS\bsx32\ASISS2RE.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASISS2RE.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASISS2RE.bsx'
Checking for 'c:\WINDOWS\bsx32\SPZ3.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\SPZ3.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\SPZ3.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3HAIRLOSS.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3HAIRLOSS.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3HAIRLOSS.bsx'
Checking for 'c:\WINDOWS\bsx32\TMPS.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\TMPS.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\TMPS.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3KAN12.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3KAN12.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3KAN12.bsx'
Checking for 'c:\WINDOWS\bsx32\SPECENTER.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\SPECENTER.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\SPECENTER.bsx'
Checking for 'c:\WINDOWS\bsx32\ASI3ODYSSEY.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\ASI3ODYSSEY.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\ASI3ODYSSEY.bsx'
Checking for 'c:\WINDOWS\bsx32\EECH1.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\EECH1.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\EECH1.bsx'
[SCANMODS] The file 'c:\WINDOWS\bsx32\EECH1.bsx' was not found. Most likely already cleaned by another scanner module.
Checking for 'c:\WINDOWS\bsx32\SPZ3.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\bsx32\SPZ3.bsx' in startup areas.
Cleaning 'c:\WINDOWS\bsx32\SPZ3.bsx'
[SCANMODS] The file 'c:\WINDOWS\bsx32\SPZ3.bsx' was not found. Most likely already cleaned by another scanner module.
Checking for 'c:\Program Files\Lycos' in shortcut areas.
Checking for 'c:\Program Files\Lycos' in startup areas.
Cleaning 'c:\Program Files\Lycos'
Checking for 'c:\Program Files\Save' in shortcut areas.
Checking for 'c:\Program Files\Save' in startup areas.
Cleaning 'c:\Program Files\Save'
Checking for 'c:\Program Files\MaxSpeed' in shortcut areas.
Checking for 'c:\Program Files\MaxSpeed' in startup areas.
Cleaning 'c:\Program Files\MaxSpeed'
Checking for 'c:\Temp\msbbau.dat' in shortcut areas.
Checking for 'c:\Temp\msbbau.dat' in startup areas.
Cleaning 'c:\Temp\msbbau.dat'
Finished Cleaning
Started Scanning
Files and Directories
Programs in Memory
Internet URL Shortcuts
Internet Cookies
Windows Registry
Finished Scanning

HIJACKTHIS ANALYZER:

===================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:19:13 PM, on 11/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM.EXE
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\AGENT.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - http://mail.tripplite.com/iNotes.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.tripplite.com/iNotes6.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/504941.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab


End of KRC HijackThis Analyzer Log.
====================================================================

WINPFIND:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
winsync 11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
qoologic 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
PTech 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
urllogic 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
ad-beh 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
66.63.167.77 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
abetterinternet.com 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
web-nex 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
ad-w-a-r-e.com 11/14/05 6:21:52 PM RH 3125280 c:\windows\USER.DAT
winsync 11/14/05 6:21:52 PM RH 8486962 c:\windows\SYSTEM.DAT

Items found in c:\windows\HOSTS
127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 web-nexus.net #[Adw.Web-Nexus.WebNexusAdServer]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 stech.web-nexus.net
127.0.0.1 www.web-nexus.net
127.0.0.1 agentq.vpptechnologies.com
127.0.0.1 main.vpptechnologies.com #[IE-SpyAd]
127.0.0.1 media-0.vpptechnologies.com
127.0.0.1 media-1.vpptechnologies.com
127.0.0.1 media-4.vpptechnologies.com
127.0.0.1 media-5.vpptechnologies.com
127.0.0.1 media-6.vpptechnologies.com
127.0.0.1 media-a.vpptechnologies.com
127.0.0.1 media-b.vpptechnologies.com
127.0.0.1 media-c.vpptechnologies.com
127.0.0.1 media-d.vpptechnologies.com
127.0.0.1 media-e.vpptechnologies.com
127.0.0.1 media-f.vpptechnologies.com
127.0.0.1 msxml.vpptechnologies.com
127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
127.0.0.1 thumbs.vpptechnologies.com
127.0.0.1 xml.vpptechnologies.com #[BlazeFind]
127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede]
127.0.0.1 www.ad-w-a-r-e.com #[AdWare.Win32.Look2Me.ab]
127.0.0.1 abetterinternet.com #[Downloader.Stubby.A][Adware.Aurora]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
127.0.0.1 download2.abetterinternet.com #[Parasite.Transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 st.abetterinternet.com
127.0.0.1 static.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]

PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll

Checking %System% folder...
PTech 11/9/99 3:55:54 PM 88571 c:\windows\SYSTEM\MDACRDME.HTM
PTech 8/22/98 12:24:08 AM 74460 c:\windows\SYSTEM\OLFAXDRV.DRV
PTech 8/29/05 1:27:12 PM 520968 c:\windows\SYSTEM\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
11/14/05 6:23:04 PM RH 3125280 c:\windows\USER.DAT
11/14/05 6:24:32 PM RH 8486962 c:\windows\SYSTEM.DAT
11/6/05 11:03:28 PM H 9718 c:\windows\ttfCache
11/14/05 1:20:26 AM H 738339 c:\windows\ShellIconCache
11/12/05 1:15:10 PM H 54156 c:\windows\QTFont.qfn
11/4/05 6:57:14 PM H 9793 c:\windows\HELP\windows.GID
11/6/05 11:14:22 AM HS 1203 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
10/9/05 11:43:32 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\BZ2P6Z05\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\80XYCIN2\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\8UPZV6DY\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\9AE6DSRJ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QJWLDPI2\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\OL6RCX63\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\2NQVY5EZ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WYY6G5VH\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QPGNKZ4L\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\7EJP0WKT\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\CB65SPKE\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\YKSDICXR\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\LFFX7LN4\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\SLY3GXMV\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QNWRY1Q5\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\FU3YZF6K\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\I38J3W18\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\6V0RYT43\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\M8E5NLOO\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\3R1XLXHQ\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\T0S7LX05\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\691QVI5G\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\4XU3OP2N\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WZRVYK9H\desktop.ini
11/14/05 12:53:58 PM H 6 c:\windows\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 c:\windows\SYSTEM\JOY.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 c:\windows\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 c:\windows\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 c:\windows\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 c:\windows\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 c:\windows\SYSTEM\TIMEDATE.CPL
Creative Technology Ltd. 3/19/98 1:00:00 AM 18432 c:\windows\SYSTEM\AUDIOHQ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 15360 c:\windows\SYSTEM\THEMES.CPL
Creative Technology Ltd. 12/8/98 1:53:00 AM 223744 c:\windows\SYSTEM\CtDetect.cpl
Microsoft Corporation 2/10/99 4:48:48 AM 40960 c:\windows\SYSTEM\FINDFAST.CPL
RealNetworks, Inc. 11/25/01 12:30:06 AM 24576 c:\windows\SYSTEM\prefscpl.cpl
Apple Computer, Inc. 12/14/03 9:20:50 AM 323072 c:\windows\SYSTEM\QuickTime.cpl
Apple Computer, Inc. 12/15/95 2:10:00 AM R 342016 c:\windows\SYSTEM\QTW32.CPL
Microsoft Corporation 7/11/97 61440 c:\windows\SYSTEM\MLCFG32.CPL
Sun Microsystems, Inc. 2/20/05 2:29:20 PM 49262 c:\windows\SYSTEM\jpicpl32.cpl
Microsoft Corporation 7/26/00 10:37:08 AM 41232 c:\windows\SYSTEM\odbccp32.cpl
InstallShield Software Corporation 4/16/04 11:24:54 AM 61440 c:\windows\SYSTEM\ISUSPM.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
10/31/05 7:31:56 AM 583 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
10/31/05 7:31:54 AM 544 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
11/6/05 2:13:16 PM 376 C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
3/12/03 7:55:10 PM 0 C:\WINDOWS\Application Data\dm.ini
11/6/05 11:08:00 AM 1044 C:\WINDOWS\Application Data\dw.log
1/1/05 3:59:56 PM 21168 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
yie6_SBC = IEAK
YPC 3.0.1 = Yahoo! Parental Controls

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\windows\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
LexStart Lexstart.exe
LexmarkPrinTray PrinTray.exe
vptray c:\PROGRA~1\NORTON~1\vptray.exe
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
ISUSScheduler "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
autoupdate rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SchedulingAgent mstask.exe
rtvscn95 c:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch c:\PROGRA~1\NORTON~1\defwatch.exe
KB891711 c:\windows\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LXSUPMON C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
Motive SmartBridge C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
pt9V37e IR30016.EXE
ScanRegistry c:\windows\scanregw.exe /autorun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Yahoo! Pager 1
YAq9RXKnV JGMLTSCM.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/14/05 6:30:07 PM
 

TSF Security Team, Emeritus
6,962 Posts
Actually...I didn't. That's why I asked for the 2nd Trendmicro scan log (you posted the first one). Please run that scanner again and post its log along with the tool's log below.

**Note** Run the Trendmicro last after the tool below.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder and the new Trendmicro log.

Let me know how things are running.
 

Registered
20 Posts
Discussion Starter #16
Oops, my fault. I did intend to post the 2nd scan results, but obviously I failed to do so. I apologize for the inconvenience. While I did follow your most recent request to download and run the aproposfix.exe, it provided an error message stating it isn't compatible with my OS, which is Win 98. I will, instead, post the newest logs for TrendMicro and HijackThis. Thanks again for your continued assistance and guidance.

TrendMicro:
Started Scanning
Files and Directories
Programs in Memory
Internet URL Shortcuts
Internet Cookies
Windows Registry
Finished Scanning

Hijack This:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:04:40 PM, on 11/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - http://mail.tripplite.com/iNotes.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.tripplite.com/iNotes6.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/504941.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab


End of KRC HijackThis Analyzer Log.
====================================================================
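Added example (not part of the thread, and not code from HijackThis): a short Python triage pass over O4 and O16 lines in the format of the log above. It flags the entries a helper tends to look at first (autostarts with no directory or a generated-looking value name, DLLs hosted by rundll32, ActiveX downloads from a bare IP or pointing at an .exe); a flag is a prompt to inspect the file, not a verdict, and the sample lines are constructed, modelled on the log.

```python
"""Triage of HijackThis O4/O16 lines (added example; not the thread's or HijackThis's code)."""
import re
from urllib.parse import urlsplit

# Line shapes as HijackThis v1.99 prints them (see the log above):
#   O4 - HKLM\..\Run: [value name] command line
#   O16 - DPF: {CLSID} (optional friendly name) - download URL
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O16_RE = re.compile(
    r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def triage_o4(line):
    """Reasons an O4 autostart entry deserves a closer look ([] = unremarkable).

    Returns None when the line is not an O4 entry. A reason is a prompt to
    inspect the file, not a verdict that it is malicious.
    """
    m = O4_RE.match(line)
    if m is None:
        return None
    name, cmd = m.group('name'), m.group('cmd')
    reasons = []
    target = cmd
    if cmd.lower().startswith('rundll32'):
        # rundll32 is a legitimate host; what matters is the DLL it is told to load.
        reasons.append('loads a DLL through rundll32; examine the DLL, not rundll32')
        target = cmd.split(None, 1)[1] if ' ' in cmd else ''
    # Isolate the executable/DLL path: honour quotes, drop arguments and ",EntryPoint".
    if target.startswith('"'):
        exe = target[1:].split('"', 1)[0]
    else:
        exe = target.split(None, 1)[0].split(',')[0] if target else ''
    if exe and '\\' not in exe:
        reasons.append('bare filename with no directory: check where it resolves on PATH')
    if any(ch.isdigit() for ch in name) and name.lower() not in cmd.lower():
        reasons.append('value name looks generated and does not match the command')
    return reasons


def triage_o16(line):
    """Reasons an O16 (ActiveX download) entry deserves a closer look; None if not O16."""
    m = O16_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group('url'))
    reasons = []
    if IPV4_RE.match(parts.hostname or ''):
        reasons.append('download host is a bare IP address rather than a vendor domain')
    if parts.path.lower().endswith('.exe'):
        reasons.append('points at an .exe rather than a CAB package')
    return reasons


def triage(text):
    """Map each flagged O4/O16 line to its reasons; unflagged and other lines are omitted."""
    flagged = {}
    for line in text.splitlines():
        line = line.strip()
        reasons = triage_o4(line)
        if reasons is None:
            reasons = triage_o16(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample, modelled on the entries in the log above.
SAMPLE = r"""
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [YAq9RXKnV] JGMLTSCM.EXE
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/504941.exe
"""

if __name__ == '__main__':
    for entry, why in triage(SAMPLE).items():
        print(entry)
        for reason in why:
            print('    ->', reason)
```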
 

TSF Security Team, Emeritus · 6,962 Posts
Well that bites.... Swore that tool worked in 98. Ok...let's try it the hard way.....

Please empty any Quarantine folder in your antivirus, empty your recycle bin and purge/delete all recovery items in the spybot program if you use it…BEFORE!!! running this tool.

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file. (This is a stand-alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane (Bottom Window)
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file. DO NOT post the log from the “View Log” button as that log does NOT contain the info we are after.

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.
Once you copy that to a notepad file...highlight the text and copy it here.

Download WinPFind http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more. Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Mwav log
 

Registered · 20 Posts · Discussion Starter #18
I certainly hope this is what you're looking for:

WinPFind.txt log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
winsync 11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
qoologic 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
PTech 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
urllogic 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
ad-beh 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
66.63.167.77 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
abetterinternet.com 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
web-nex 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
ad-w-a-r-e.com 11/17/05 7:08:38 PM RH 3125280 c:\windows\USER.DAT
winsync 11/17/05 7:08:38 PM RH 8486962 c:\windows\SYSTEM.DAT

Items found in c:\windows\HOSTS
127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 web-nexus.net #[Adw.Web-Nexus.WebNexusAdServer]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 stech.web-nexus.net
127.0.0.1 www.web-nexus.net
127.0.0.1 agentq.vpptechnologies.com
127.0.0.1 main.vpptechnologies.com #[IE-SpyAd]
127.0.0.1 media-0.vpptechnologies.com
127.0.0.1 media-1.vpptechnologies.com
127.0.0.1 media-4.vpptechnologies.com
127.0.0.1 media-5.vpptechnologies.com
127.0.0.1 media-6.vpptechnologies.com
127.0.0.1 media-a.vpptechnologies.com
127.0.0.1 media-b.vpptechnologies.com
127.0.0.1 media-c.vpptechnologies.com
127.0.0.1 media-d.vpptechnologies.com
127.0.0.1 media-e.vpptechnologies.com
127.0.0.1 media-f.vpptechnologies.com
127.0.0.1 msxml.vpptechnologies.com
127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
127.0.0.1 thumbs.vpptechnologies.com
127.0.0.1 xml.vpptechnologies.com #[BlazeFind]
127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede]
127.0.0.1 www.ad-w-a-r-e.com #[AdWare.Win32.Look2Me.ab]
127.0.0.1 abetterinternet.com #[Downloader.Stubby.A][Adware.Aurora]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
127.0.0.1 download2.abetterinternet.com #[Parasite.Transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 st.abetterinternet.com
127.0.0.1 static.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]

PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\VPTNFILE.929
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
UPX! 1/10/05 4:17:24 PM 170053 c:\windows\tsc.exe
PECompact2 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
qoologic 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
SAHAgent 11/3/05 12:15:30 PM 16315789 c:\windows\lpt$vpn.929
UPX! 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 c:\windows\vsapi32.dll

Checking %System% folder...
PTech 11/9/99 3:55:54 PM 88571 c:\windows\SYSTEM\MDACRDME.HTM
PTech 8/22/98 12:24:08 AM 74460 c:\windows\SYSTEM\OLFAXDRV.DRV
PTech 8/29/05 1:27:12 PM 520968 c:\windows\SYSTEM\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/4/05 6:53:48 PM RH 348192 c:\windows\HWINFO.DAT
11/17/05 7:12:26 PM RH 3125280 c:\windows\USER.DAT
11/17/05 7:08:38 PM RH 8486962 c:\windows\SYSTEM.DAT
11/6/05 11:03:28 PM H 9718 c:\windows\ttfCache
11/16/05 10:29:10 PM H 739184 c:\windows\ShellIconCache
11/12/05 1:15:10 PM H 54156 c:\windows\QTFont.qfn
11/4/05 6:57:14 PM H 9793 c:\windows\HELP\windows.GID
11/6/05 11:14:22 AM HS 1203 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
10/9/05 11:43:32 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\BZ2P6Z05\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\80XYCIN2\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\8UPZV6DY\desktop.ini
10/9/05 11:43:34 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\9AE6DSRJ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QJWLDPI2\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\OL6RCX63\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\2NQVY5EZ\desktop.ini
10/10/05 5:42:46 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WYY6G5VH\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QPGNKZ4L\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\7EJP0WKT\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\CB65SPKE\desktop.ini
10/13/05 3:06:18 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\YKSDICXR\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\LFFX7LN4\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\SLY3GXMV\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\QNWRY1Q5\desktop.ini
10/15/05 9:52:22 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\FU3YZF6K\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\I38J3W18\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\6V0RYT43\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\M8E5NLOO\desktop.ini
10/17/05 12:51:26 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\3R1XLXHQ\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\T0S7LX05\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\691QVI5G\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\4XU3OP2N\desktop.ini
10/21/05 8:15:52 PM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WZRVYK9H\desktop.ini
11/17/05 2:52:08 PM H 6 c:\windows\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 c:\windows\SYSTEM\JOY.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 c:\windows\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 c:\windows\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 c:\windows\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 c:\windows\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 c:\windows\SYSTEM\TIMEDATE.CPL
Creative Technology Ltd. 3/19/98 1:00:00 AM 18432 c:\windows\SYSTEM\AUDIOHQ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 15360 c:\windows\SYSTEM\THEMES.CPL
Creative Technology Ltd. 12/8/98 1:53:00 AM 223744 c:\windows\SYSTEM\CtDetect.cpl
Microsoft Corporation 2/10/99 4:48:48 AM 40960 c:\windows\SYSTEM\FINDFAST.CPL
RealNetworks, Inc. 11/25/01 12:30:06 AM 24576 c:\windows\SYSTEM\prefscpl.cpl
Apple Computer, Inc. 12/14/03 9:20:50 AM 323072 c:\windows\SYSTEM\QuickTime.cpl
Apple Computer, Inc. 12/15/95 2:10:00 AM R 342016 c:\windows\SYSTEM\QTW32.CPL
Microsoft Corporation 7/11/97 61440 c:\windows\SYSTEM\MLCFG32.CPL
Sun Microsystems, Inc. 2/20/05 2:29:20 PM 49262 c:\windows\SYSTEM\jpicpl32.cpl
Microsoft Corporation 7/26/00 10:37:08 AM 41232 c:\windows\SYSTEM\odbccp32.cpl
InstallShield Software Corporation4/16/04 11:24:54 AM 61440 c:\windows\SYSTEM\ISUSPM.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
10/31/05 7:31:56 AM 583 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
10/31/05 7:31:54 AM 544 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
11/6/05 2:13:16 PM 376 C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
3/12/03 7:55:10 PM 0 C:\WINDOWS\Application Data\dm.ini
11/6/05 11:08:00 AM 1044 C:\WINDOWS\Application Data\dw.log
1/1/05 3:59:56 PM 21168 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
yie6_SBC = IEAK
YPC 3.0.1 = Yahoo! Parental Controls

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SSC\VPSHELL2.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\windows\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\SYSTEM\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\googletoolbar1.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
LexStart Lexstart.exe
LexmarkPrinTray PrinTray.exe
vptray c:\PROGRA~1\NORTON~1\vptray.exe
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
ISUSScheduler "C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\issch.exe" -start
autoupdate rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
SchedulingAgent mstask.exe
rtvscn95 c:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch c:\PROGRA~1\NORTON~1\defwatch.exe
KB891711 c:\windows\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LXSUPMON C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
Motive SmartBridge C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
pt9V37e IR30016.EXE
ScanRegistry c:\windows\scanregw.exe /autorun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Yahoo! Pager 1
YAq9RXKnV JGMLTSCM.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/17/05 7:17:03 PM


Track qoo.vbs log:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LexStart"="Lexstart.exe"
"LexmarkPrinTray"="PrinTray.exe"
"vptray"="c:\\PROGRA~1\\NORTON~1\\vptray.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.EXE -startup"
"ISUSScheduler"="\"C:\\PROGRAM FILES\\COMMON FILES\\INSTALLSHIELD\\UPDATESERVICE\\issch.exe\" -start"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WUAUCLT.DLL,SHStart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

-----------------

Mwav log:
Object "troj/taladra-f BackDoor" found in File System! Action Taken: No Action Taken.
Object "maxspeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "browsertoolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "maxspeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "browsertoolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "prizesurfer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "abetterinternet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "nn_bar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\YDropper.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\inotes.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\BridgeX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\logo.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\scribble.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\dot.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\mnature.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\hoverbot.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\will.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\powerpup.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSO97SR2\Office\Actors\genius.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\WatchGuard\Mobile User VPN\IreGUI.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\rbjr32.exe" refers to invalid object "D:\WIN95\rbjr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\BS96SE.EXE" refers to invalid object "D:\MSO97SR2\aamsstp\app\bs96se.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MotiveSB.exe" refers to invalid object "C:\PROGRA~1\SBCSEL~1\SMARTB~1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\SmartBridge.exe" refers to invalid object "C:\PROGRA~1\SBCSEL~1\SMARTB~1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\IreIke.exe" refers to invalid object "C:\Program Files\WatchGuard\Mobile User VPN\IreIke.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\HijackThis.exe" refers to invalid object "C:\UNZIPPED\HIJACKTHIS[1]\hijackthis.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\msoc.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3DE0300B-922D-11CF-AC2E-00A024581E5C}" refers to invalid object "V:\bin.32\icpubdll.tlb". Action Taken: No Action Taken.
Entry "HKCR\.p7s" refers to invalid object "P7SFile". Action Taken: No Action Taken.
Entry "HKCR\.p7m" refers to invalid object "P7MFile". Action Taken: No Action Taken.
Entry "HKCR\.sst" refers to invalid object "CertificateStoreFile". Action Taken: No Action Taken.
Entry "HKCR\.p10" refers to invalid object "P10File". Action Taken: No Action Taken.
Entry "HKCR\YPager.Messenger" refers to invalid object "{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}". Action Taken: No Action Taken.
Entry "HKCR\YPager.Messenger.1" refers to invalid object "{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}". Action Taken: No Action Taken.
Entry "HKCR\.bul" refers to invalid object "HolidayLights.Bulb". Action Taken: No Action Taken.
Entry "HKCR\Ypager.HTMLCallback.1" refers to invalid object "{3B6ED8C5-5B91-11D5-803C-00D0B768B4B0}". Action Taken: No Action Taken.
Entry "HKCR\Ypager.HTMLCallback" refers to invalid object "{3B6ED8C5-5B91-11D5-803C-00D0B768B4B0}". Action Taken: No Action Taken.
Entry "HKCR\.dgf" refers to invalid object "InterTrustDigiFile". Action Taken: No Action Taken.
Entry "HKCR\PWActiveXImgCtl.PWImageControl.1" refers to invalid object "{351CF0CE-B05A-11D2-ABD9-00104B685417}". Action Taken: No Action Taken.
Entry "HKCR\PWActiveXImgCtl.PWImageControl" refers to invalid object "{351CF0CE-B05A-11D2-ABD9-00104B685417}". Action Taken: No Action Taken.
Entry "HKCR\PWActiveXImgCtl.PWMediaSendControl.1" refers to invalid object "{6B4788E2-BAE8-11D2-A1B4-00400512739B}". Action Taken: No Action Taken.
Entry "HKCR\PWActiveXImgCtl.PWMediaSendControl" refers to invalid object "{6B4788E2-BAE8-11D2-A1B4-00400512739B}". Action Taken: No Action Taken.
Entry "HKCR\.alb" refers to invalid object "PhotoRecord.Album". Action Taken: No Action Taken.
Entry "HKCR\YDropper.FileDropper.1" refers to invalid object "{BAC01377-73DD-4796-854D-2A8997E3D68A}". Action Taken: No Action Taken.
Entry "HKCR\YDropper.FileDropper" refers to invalid object "{BAC01377-73DD-4796-854D-2A8997E3D68A}". Action Taken: No Action Taken.
Entry "HKCR\MsoHelpKeyDlg.1" refers to invalid object "{B58C2440-A1A3-11d1-B024-006097C9A284}". Action Taken: No Action Taken.
Entry "HKCR\MsoHelpKeyDlg" refers to invalid object "{B58C2440-A1A3-11d1-B024-006097C9A284}". Action Taken: No Action Taken.
Entry "HKCR\MsoHelpAWDlg.1" refers to invalid object "{B58C2441-A1A3-11d1-B024-006097C9A284}". Action Taken: No Action Taken.
Entry "HKCR\MsoHelpAWDlg" refers to invalid object "{B58C2441-A1A3-11d1-B024-006097C9A284}". Action Taken: No Action Taken.
Entry "HKCR\YBIOCtrl.YBIOCtrl.2" refers to invalid object "{EF99BD32-C1FB-11D2-892F-0090271D4F88}". Action Taken: No Action Taken.
Entry "HKCR\YBIOCtrl.CompanionBHO.4" refers to invalid object "{02478D38-C3F9-4efb-9B51-7695ECA05670}". Action Taken: No Action Taken.
Entry "HKCR\YPhotos.PhotosCtrl.1" refers to invalid object "{D18F962A-3722-4B59-B08D-28BB9EB2281E}". Action Taken: No Action Taken.
Entry "HKCR\YPhotos.PhotosCtrl" refers to invalid object "{D18F962A-3722-4B59-B08D-28BB9EB2281E}". Action Taken: No Action Taken.
Entry "HKCR\BJAXSecurityManager.SecurityManager.1" refers to invalid object "{CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306}". Action Taken: No Action Taken.
Entry "HKCR\BJAXSecurityManager.SecurityManager" refers to invalid object "{CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306}". Action Taken: No Action Taken.
Entry "HKCR\iNotes.iNotes.1" refers to invalid object "{1E2941E3-8E63-11d4-9D5A-00902742D6E0}". Action Taken: No Action Taken.
Entry "HKCR\wgx_auto_file\shell\open\command" refers to invalid object ""C:\Program Files\WatchGuard\Mobile User VPN\WgctSpd.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\.dwg" refers to invalid object "Adobe.Illustrator.dwg". Action Taken: No Action Taken.
Entry "HKCR\.dxf" refers to invalid object "Adobe.Illustrator.dxf". Action Taken: No Action Taken.
Entry "HKCR\.bcf" refers to invalid object "Belarc.Content.Filter". Action Taken: No Action Taken.
Entry "HKCR\.zl0" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl1" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl2" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl3" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl4" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl5" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl6" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl7" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl8" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl9" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zla" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlb" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlc" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zld" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zle" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.z0" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlf" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlg" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlh" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zli" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlj" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlk" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zll" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlm" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zln" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlo" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlp" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlq" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlr" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zls" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlt" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.z1" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlu" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlv" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlw" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlx" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zly" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlz" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm0" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm1" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm2" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm3" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm4" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm5" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm6" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm7" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm8" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm9" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\PCheck.PCheck.1" refers to invalid object "{FD1A9E6B-05DA-4ca2-830D-654DA1DDBD9E}". Action Taken: No Action Taken.
Entry "HKCR\PCheck.PCheck" refers to invalid object "{FD1A9E6B-05DA-4ca2-830D-654DA1DDBD9E}". Action Taken: No Action Taken.
File C:\WINDOWS\ahmxdwrz.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.e". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WinNB57.dll tagged as "not-a-virus:AdWare.Win32.Mirar.b". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\fran-hot.exe infected by "Trojan-Dropper.Win32.Agent.abb" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\VB2.exe tagged as "not-a-virus:AdWare.Win32.VirtualBouncer.j". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ventaa.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.e". Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\ptf_0031.exe tagged as "not-a-virus:AdWare.Win32.Pacer.l". Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\pcs_0031.exe tagged as "not-a-virus:AdWare.Win32.Pacer.k". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\WinNB57.dll tagged as "not-a-virus:AdWare.Win32.Mirar.b". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\fran-hot.exe infected by "Trojan-Dropper.Win32.Agent.abb" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\VB2.exe tagged as "not-a-virus:AdWare.Win32.VirtualBouncer.j". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ventaa.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.e". Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\ptf_0031.exe tagged as "not-a-virus:AdWare.Win32.Pacer.l". Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\pcs_0031.exe tagged as "not-a-virus:AdWare.Win32.Pacer.k". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\1712.exe tagged as "not-a-virus:porn-Dialer.Win32.RTSMini". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\UWFX5_0001_MNINetInstaller.exe tagged as not-a-virus:Downloader.Win32.Agent.d. No Action Taken.
File C:\WINDOWS\ahmxdwrz.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.e". Action Taken: No Action Taken.
File C:\Program Files\Windows Media Player\wmplayer.exe tagged as "not-a-virus:AdWare.Win32.Pacer.e". Action Taken: No Action Taken.
File C:\!KillBox\in10b6s.dll infected by "Trojan-Dropper.Win32.Small.abe" Virus! Action Taken: No Action Taken.
File C:\!KillBox\wuauclt.dll infected by "Trojan-Downloader.Win32.Qoologic.ae" Virus! Action Taken: No Action Taken.
File C:\!KillBox\vgactl.cpl infected by "Trojan-Downloader.Win32.Qoologic.ad" Virus! Action Taken: No Action Taken.
File C:\!KillBox\jkake.dll infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus! Action Taken: No Action Taken.
File C:\!KillBox\sdsdfsd.dll infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus! Action Taken: No Action Taken.
File C:\!KillBox\ncic.exe infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus! Action Taken: No Action Taken.
File C:\!KillBox\504941.exe infected by "Trojan.Win32.Dialer.q" Virus! Action Taken: No Action Taken.
File C:\!KillBox\ldsdsp.exe infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus! Action Taken: No Action Taken.
File C:\!KillBox\pykyw.dat infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus! Action Taken: No Action Taken.
File C:\!KillBox\bqmqdac.exe infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus! Action Taken: No Action Taken.
File C:\!KillBox\96WU19RD.EXE tagged as "not-a-virus:AdWare.Win32.F1Organizer.h". Action Taken: No Action Taken.
File C:\!KillBox\MTE2ODM6ODoxNg.exe tagged as "not-a-virus:AdWare.Win32.ISearch.d". Action Taken: No Action Taken.
File C:\unzipped\hijackthis[1]\backups\backup-20051106-082955-270.dll tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken.
File C:\unzipped\hijackthis[1]\backups\backup-20051106-082955-814.dll tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken.
File C:\unzipped\hijackthis[1]\backups\backup-20051106-082955-551.dll tagged as "not-a-virus:AdWare.Win32.BookedSpace.g". Action Taken: No Action Taken.

TSF Security Team, Emeritus
Ok... I want to try another cleaner. Please download and install CCleaner.

1. Once it's installed, open the program.
2. By default the Cleaner button should be active.
3. On the bottom right, click "Run Cleaner" and let it run. It will scan and delete the TEMP files, similar to clean up.
4. Once it's done, click on the "Issues" button.
5. Make sure everything is checked in the Scanner settings and click "Scan for Issues". Once it's done scanning, let it FIX everything it found. It will ask if you want to back up what it's fixing, so please say YES. It will make a .reg file which can be used to recover the entries if something goes wrong.
6. Once that's finished, close the program.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Run KillBox. Paste the following locations into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the red X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.

C:\WINDOWS\ahmxdwrz.exe
C:\WINDOWS\SYSTEM\WinNB57.dll
C:\WINDOWS\SYSTEM\fran-hot.exe
C:\WINDOWS\SYSTEM\VB2.exe
C:\WINDOWS\SYSTEM\ventaa.exe
C:\WINDOWS\Downloaded Program Files\1712.exe
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_MNINetInstaller.exe
C:\Program Files\Windows Media Player\wmplayer.exe


Once you reboot, please run KillBox again using the same instructions and files. We need to make sure NOTHING survives.

Important:

One of your hijackers (Cool Web Search) has trashed the main Windows Media Player file. We have deleted this file with KILLBOX. You now have two choices.

1. Visit this site: http://www.spywareinfo.com/~merijn/winfiles.html and scroll down to the wmplayer.exe section. If your media player is one of those versions, download the file and put it back in the correct location on your system, which is C:\Program Files\Windows Media Player\wmplayer.exe.

2. If that doesn't work, or you have another version that's not listed, you will need to download and install the whole Media Player from Microsoft again.



Then post another MWAV log and the log from the following scanner:

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Standard
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan":
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real-time scanner of any existing antivirus program while performing the online scan.


Please let me know how things are running.
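The triage behind the KillBox list in the post above, as an added example that is not part of the original thread: the MWAV log posted earlier flags files in three kinds of location, and only one kind belongs in KillBox. Files already sitting under C:\!KillBox\ or in the HijackThis backups folder are quarantined copies, files under C:\WINDOWS\TEMP are wiped by the CCleaner step, and everything else is live and goes on the list. The script below (Python, written for this page; the sample log lines are a constructed abbreviation of the posted log, and the path prefixes used for classification are assumptions taken from it) parses the "File ..." lines, drops the duplicates MWAV prints, sorts the rest into those three buckets, and adds a post-reboot check for the "make sure NOTHING survives" step. Run over the full posted log it yields the same eight paths the helper listed.

```python
import os
import re
from collections import OrderedDict

# Constructed sample in the MWAV (eScan) log format seen in this thread. Paths
# and detection names are copied from the posted log; the set is abbreviated and
# keeps one duplicate line, as the real log did.
SAMPLE_LOG = r"""
Entry "HKCR\.dgf" refers to invalid object "InterTrustDigiFile". Action Taken: No Action Taken.
File C:\WINDOWS\ahmxdwrz.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.e". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\fran-hot.exe infected by "Trojan-Dropper.Win32.Agent.abb" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\ptf_0031.exe tagged as "not-a-virus:AdWare.Win32.Pacer.l". Action Taken: No Action Taken.
File C:\WINDOWS\ahmxdwrz.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.e". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\UWFX5_0001_MNINetInstaller.exe tagged as not-a-virus:Downloader.Win32.Agent.d. No Action Taken.
File C:\!KillBox\ldsdsp.exe infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus! Action Taken: No Action Taken.
File C:\unzipped\hijackthis[1]\backups\backup-20051106-082955-270.dll tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken.
"""

# One MWAV "File ..." line: path, then "tagged as" / "infected by", then the
# detection name (quoted, or bare as in one posted line), then the action.
FILE_RE = re.compile(
    r'^File (?P<path>.+?) (?:tagged as|infected by) "?(?P<name>[^"]+?)"?'
    r'(?: Virus!)?\.? (?:Action Taken: )?No Action Taken\.$'
)

# Assumed location prefixes, taken from the posted log (compared lower-case).
QUARANTINE_PREFIXES = ("c:\\!killbox\\", "c:\\unzipped\\hijackthis[1]\\backups\\")
TEMP_PREFIXES = ("c:\\windows\\temp\\",)


def classify(path):
    """quarantined: already a copy in KillBox's or HijackThis's backup folder;
    temp: removed by the TEMP cleaner; live: must go on the KillBox list."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantined"
    if p.startswith(TEMP_PREFIXES):
        return "temp"
    return "live"


def parse_mwav(text):
    """Ordered, de-duplicated (path, detection) pairs from the 'File ...' lines.
    Registry 'Entry ...' lines are skipped: orphaned registry references are
    the job of CCleaner's Issues scan, not of KillBox."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group("path") not in seen:
            seen[m.group("path")] = m.group("name")
    return list(seen.items())


def triage(findings):
    """Sort findings into the three buckets described above."""
    buckets = {"live": [], "temp": [], "quarantined": []}
    for path, name in findings:
        buckets[classify(path)].append((path, name))
    return buckets


def killbox_list(findings):
    """The paths to paste into KillBox one at a time: live files only."""
    return [path for path, _ in triage(findings)["live"]]


def survivors(paths, exists=os.path.exists):
    """Post-reboot check for the 'make sure NOTHING survives' step: anything
    still on disk needs a second KillBox pass."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    findings = parse_mwav(SAMPLE_LOG)
    for bucket, items in triage(findings).items():
        print(bucket)
        for path, name in items:
            print("   ", path, "->", name)
    print("KillBox list:", *killbox_list(findings), sep="\n  ")
    print("Still present after reboot:", survivors(killbox_list(findings)) or "none")
```

The `exists` parameter on `survivors` is there so the check can be driven from a directory listing taken after the reboot instead of from the live filesystem; with the default it simply stats each path.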

Registered
Discussion Starter #20
Okay, the CCleaner seemed to work well, as did the reinstallation of the Win Media Player for 98SE. I also ran MWAV and Kaspersky, and the logs are as follows:

MWAV:
Object "troj/taladra-f BackDoor" found in File System! Action Taken: No Action Taken.
Object "maxspeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "browsertoolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "maxspeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "browsertoolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "abetterinternet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\YDropper.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\inotes.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\BridgeX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\rbjr32.exe" refers to invalid object "D:\WIN95\rbjr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\BS96SE.EXE" refers to invalid object "D:\MSO97SR2\aamsstp\app\bs96se.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MotiveSB.exe" refers to invalid object "C:\PROGRA~1\SBCSEL~1\SMARTB~1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\SmartBridge.exe" refers to invalid object "C:\PROGRA~1\SBCSEL~1\SMARTB~1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\msoc.dll" refers to invalid object "C:\Program Files\Microsoft Office\Office". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3DE0300B-922D-11CF-AC2E-00A024581E5C}" refers to invalid object "V:\bin.32\icpubdll.tlb". Action Taken: No Action Taken.
Entry "HKCR\.p7s" refers to invalid object "P7SFile". Action Taken: No Action Taken.
Entry "HKCR\.p7m" refers to invalid object "P7MFile". Action Taken: No Action Taken.
Entry "HKCR\.sst" refers to invalid object "CertificateStoreFile". Action Taken: No Action Taken.
Entry "HKCR\.p10" refers to invalid object "P10File". Action Taken: No Action Taken.
Entry "HKCR\YPager.Messenger" refers to invalid object "{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}". Action Taken: No Action Taken.
Entry "HKCR\YPager.Messenger.1" refers to invalid object "{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}". Action Taken: No Action Taken.
Entry "HKCR\.wgx" refers to invalid object "wgx_auto_file". Action Taken: No Action Taken.
Entry "HKCR\.bcf" refers to invalid object "Belarc.Content.Filter". Action Taken: No Action Taken.
Entry "HKCR\.zl0" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl1" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl2" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl3" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl4" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl5" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl6" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl7" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl8" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zl9" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zla" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlb" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlc" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zld" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zle" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.z0" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlf" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlg" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlh" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zli" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlj" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlk" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zll" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlm" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zln" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlo" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlp" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlq" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlr" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zls" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlt" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.z1" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlu" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlv" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlw" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlx" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zly" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zlz" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm0" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm1" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm2" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm3" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm4" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm5" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm6" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm7" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm8" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.
Entry "HKCR\.zm9" refers to invalid object "ZAMailSafe". Action Taken: No Action Taken.

Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, November 19, 2005 12:46:04
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/11/2005
Kaspersky Anti-Virus database records: 150908
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 41531
Number of viruses found: 8
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 4175 sec

Infected Object Name - Virus Name
c:\!KillBox\in10b6s.dll Infected: Trojan-Dropper.Win32.Small.abe
c:\!KillBox\wuauclt.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
c:\!KillBox\vgactl.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
c:\!KillBox\setup.exe/data0007 Infected: Trojan.Win32.DelFiles.s
c:\!KillBox\setup.exe Infected: Trojan.Win32.DelFiles.s
c:\!KillBox\jkake.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\sdsdfsd.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED/alpha.xls.com Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/UNNAMED Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\Inbox.dbx/[From "Cindy Charters" <[email protected]>][Date Thu, 26 Jul 2001 10:27:11 -0500]/alpha.xls.com Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\Inbox.dbx Infected: Email-Worm.Win32.Sircam.c
c:\!KillBox\ncic.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\504941.exe Infected: Trojan.Win32.Dialer.q
c:\!KillBox\ldsdsp.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\pykyw.dat Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\bqmqdac.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
c:\!KillBox\fran-hot.exe Infected: Trojan-Dropper.Win32.Agent.abb

Scan process completed.