Tech Support banner

Status
Not open for further replies.
1 - 20 of 23 Posts

·
Registered
Joined
·
12 Posts
Discussion Starter · #1 ·
HJT analyzer text file:


Logfile of HijackThis v1.99.1
Scan saved at 1:22:44 PM, on 10/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\d2RBZG1pbgAA\command.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\CMSystem\CMSystem.exe
C:\WINDOWS\System32\mousecrm.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
C:\WINDOWS\pnsvelr.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {891C249C-5A07-F97D-E99C-4E949E0374E2} - C:\WINDOWS\qqwqftzm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [vhzmjcm] C:\WINDOWS\vhzmjcm.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - AppInit_DLLs: repairs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2RBZG1pbgAA\command.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: OracleOraHome92ManagementServer - Unknown owner - C:\oracle\ora92\bin\OMSNTsrv.exe (file missing)
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pnsvelr.exe


End of KRC HijackThis Analyzer Log.
=================

I am also unable to download widows updates..gives activex error. I have the windows update site also listed under trusted sites.
 

·
Manager, The Conversation Pit/Analyst, Security Te
Joined
·
14,513 Posts
Hello and Welcome to TSF!!!!!


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe and run it. Click on newdotnet6_38.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\d2RBZG1pbgAA\command.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\System32\mousecrm.exe
C:\WINDOWS\pnsvelr.exe


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:


Surfsidekick
NewdotNet


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {891C249C-5A07-F97D-E99C-4E949E0374E2} - C:\WINDOWS\qqwqftzm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [vhzmjcm] C:\WINDOWS\vhzmjcm.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2RBZG1pbgAA\command.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\pnsvelr.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\d2RBZG1pbgAA
C:\Program Files\CMSystem
C:\Program Files\SurfSideKick 3
C:\WINDOWS\System32\mousecrm.exe
C:\WINDOWS\qqwqftzm.dll
C:\WINDOWS\vhzmjcm.exe
C:\WINDOWS\lsass.exeDO NOT DELETE C:\WINDOWS\SYSTEM32\LSASS.EXE It is a legit file
C:\WINDOWS\pnsvelr.exe
repairs.dll


Restart and run a new HijackThis scan. Save the log file and post it here.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #3 ·
Thanks for the guidance. I have followed the steps mentioned by you...all steps in safe mode only. I am yet to start the pc in normal mode.

steps done:
change folder options for hidden files/folders,uncheck op sys files.
run ewido,spybot.adaware in this order
run LSPFix and remove newdotnet6_38.dll
run cleanup
kill processes mentioned in your mail using hijackthis process manager.
surfsidekick and newdotnet files not seen in the c drive?

ran a scan in hijackthis and fix for the following failed. When I try "Fix checked" it gives me a blank " Welcome page for hijackthis " with the scan button:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
Trying to fix the following ---O20 - AppInit_DLLs: repairs.dll
gives "Error45--Invalid process call".

I am attaching a copy of the hijack scan. I am holding off on starting pc in normal mode.
Logfile of HijackThis v1.99.1
Scan saved at 12:36:23 PM, on 10/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - AppInit_DLLs: repairs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2RBZG1pbgAA\command.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




Thanks
 

·
Manager, The Conversation Pit/Analyst, Security Te
Joined
·
14,513 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Post the log from the Panda scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2RBZG1pbgAA\command.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\SurfSideKick 3

Rerun ewido and save the log.


Restart in normal mode.

Run a new HJT scan and save the log file.

Please post the new HJT, Ewido log and either the TMAS or Panda log.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #5 ·
thanks bry....
Still having problems cleaning the surfsidekick.
Ran the cleanup..no problems encountered.
ran Online scan with TrendMicro..
Unable to download Panda software.gives me the Activex control error"current settings prohibit running activex controls on this page". I get this error also when I try to download from windows update even though this site is in the trusted sites.
Ran a scan of HJT ..unable to fix the the items checked from scan. Gives no error and displays the blank page after runnung "Fix checked". after logging out and restart again in Safe mode the scan has all the spyware again.
O20 - AppInit_DLLs: repairs.dll gives "Error45--Invalid process call".
Unable to kill C:\Program Files\SurfSideKick 3..gives eror "File is in use"
Ran ewido..it took 35 mins for the run ..log attached.

Note: when I started Trend Micro in safe mode I saw the sidekick window also comeup with the trend micro site. was able to close this window before running TMS.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:41:50 PM, 10/19/2005
+ Report-Checksum: 3BAF8737

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:01:26 PM, on 10/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458
O20 - AppInit_DLLs: repairs.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2RBZG1pbgAA\command.exe (file missing)
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I have not started the pc in normal mode as yet.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hello gopi,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't

Those Program Files are there on the C: drive. Please be certain you are logging into Safe Mode under the same account you ran the HijackThis scan.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Copy the file name below to the clipboard by highlighting it and pressing Ctrl-C:

C:\Program Files\Common Files\system32.dll/gui.exe

Start KillBox.
Go to the File menu, and choose Paste from Clipboard.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Go to Start > Run and type in services.msc then click OK
* Click the Extended tab.
* Scroll down until you find the service.
===> Service: Command Service (cmdService)
* Click once on the service to highlight it.
* Click Stop
* Right-Click on the service.
* Click on 'Properties'
* Select the 'General' tab
* Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
* From the drop-down menu, click on 'Disabled'
* Click the 'Apply' tab, then click 'OK'

Now repeat the above procedure for the following entries:

Service: lsass (Local Security Authority System Service)
Service: Mouse Cursor Monitor (mousecrm)


Open HijackThis>Config>Misc Tools>Delete an NT Service
*now copy/paste the following entries (one at a time) in the box and click OK: Do not allow a reboot yet.

CmdService
Local Security Authority System Service
Mousecrm


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SurfSideKick 3

If SurfSideKick 3 is not listed in the Add/Remove panel:

Open HijackThis>Config>Misc Tools>Open Uninstall Manager. Look for SurfSideKick 3 and uninstall from there.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2RBZG1pbgAA\command.exe (file missing)
O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)


Delete the following Files and Folders if they still exist.

C:\Program Files\SurfSideKick 3
C:\WINDOWS\d2RBZG1pbgAA
C:\WINDOWS\lsass.exe Careful, do NOT delete the legit C:\WINDOWS\System32\lsass.exe
C:\WINDOWS\System32\mousecrm.exe
repairs.dll --Do a search for this via Start>Search and delete

Reboot into Normal Mode. Run another scan with HijackThis and post the un-analyzed log here. **This scan must be done in Normal Mode.**
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #7 ·
Thanks Ried

Followed all the steps mentioned in your mail. Atached the HJT log run in normal mode.

when starting the system get the following RUNDLL error msg:
error loading C:|Program~1\NewDot~1.DLL . clicking OK moves along.

When I do a file search for ssk.exe, I get 52 files listed. These are from the recovery files from the SPYBOT S&D runs. How do we get rid of these. The system odes not allow me to remove these files.
There was one additional ssk.exe-35B00638.pf file under c:windows\prefetch folder which I was able to get rid off. Can I remove this folder too or is it needed for other apps?

when I open the system config utility under normal startup, under the startup tab I see the folowing still showing up:
NewDot~1
Cashplusmedia1
ssk
one more file with no name/no command and location HKCU\software\MS\windows\current..
how do I remove these from startup.
Logfile of HijackThis v1.99.1
Scan saved at 5:15:49 PM, on 10/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\medgs1.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
E:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dlpp4g.exe reg_run
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vhzmjcm] C:\WINDOWS\vhzmjcm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [rnjujiv] C:\WINDOWS\rnjujiv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [palrxhhdca] C:\WINDOWS\System32\arwlgjbh.exe
O4 - HKLM\..\Run: [oukcl] C:\WINDOWS\System32\cmqya\oukcl.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [MedGS88] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [elos] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [dyluryu] C:\WINDOWS\System32\ubwbxr\dyluryu.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dhnjn] C:\WINDOWS\System32\oydwl\dhnjn.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [csrss2] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [cashplusmedia1.exe] C:\WINDOWS\System32\cashplusmedia1.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bcgqkk] C:\WINDOWS\System32\ykrshim\bcgqkk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [1i3q520j] C:\WINDOWS\System32\1i3q520j.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks for your help. I have not yet logged into the internet with this pc.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Your pc is badly infected. :sad: This is going to take a couple more rounds to clean completely.

To download any programs asked for, please do so from Normal Mode. Safe Mode with Networking leaves you much more vulnerable.

It is imperative that you follow all directions exactly as outlined below.

Update the Ewido definitions. Do not run it yet.

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Download Trackqoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet.

Download LQfix http://users.telenet.be/bluepatchy/miekiemoes/tools/LQfix.exe
Save it to your desktop, please do not use yet

Download rdrivRem.zip http://www.atribune.org/downloads/rdrivrem.zip Do not run it yet.

Download the ssk.zip file found here:

From within it, double-click on ssk.bat & allow it to run.

Reboot into Safe Mode.

Doubleclick LQfix.bat that you saved on your desktop before.
A dos window will open and close again, that is normal.

Please double-click rdrivRem.bat to run the program - follow the instructions on the screen.

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files

With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one if they are still listed (they shouldn't be - but double check it):(You must kill them one at a time).

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\medgs1.exe


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint
CMSystem
Internet Optimizer
SurfSideKick 3


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\dlpp4g.exe reg_run
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vhzmjcm] C:\WINDOWS\vhzmjcm.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [rnjujiv] C:\WINDOWS\rnjujiv.exe
O4 - HKLM\..\Run: [palrxhhdca] C:\WINDOWS\System32\arwlgjbh.exe
O4 - HKLM\..\Run: [oukcl] C:\WINDOWS\System32\cmqya\oukcl.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [MedGS88] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [elos] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [dyluryu] C:\WINDOWS\System32\ubwbxr\dyluryu.exe
O4 - HKLM\..\Run: [dhnjn] C:\WINDOWS\System32\oydwl\dhnjn.exe
O4 - HKLM\..\Run: [csrss2] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [cashplusmedia1.exe] C:\WINDOWS\System32\cashplusmedia1.exe
O4 - HKLM\..\Run: [bcgqkk] C:\WINDOWS\System32\ykrshim\bcgqkk.exe
O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [1i3q520j] C:\WINDOWS\System32\1i3q520j.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - Startup: PowerReg Scheduler V3.exe


Delete the following Files and Folders if they still exist.

C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\dlpp4g.exe
C:\Program Files\Viewpoint
C:\WINDOWS\vhzmjcm.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\rnjujiv.exe
C:\WINDOWS\System32\arwlgjbh.exe
C:\WINDOWS\System32\cmqya
C:\PROGRA~1\NEWDOT~1
C:\WINDOWS\System32\mmxp2passion.exe
C:\WINDOWS\System32\medgs1.exe
C:\Program Files\Internet Optimizer
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\exe82.exe
C:\WINDOWS\System32\ubwbxr
C:\WINDOWS\System32\oydwl
C:\WINDOWS\System32\cashplusmedia1.exe
C:\WINDOWS\System32\ykrshim
C:\WINDOWS\System32\1i3q520j.exe
C:\Program Files\SurfSideKick 3
C:\Program Files\CMSystem

Open Spybot and click on ‘Recovery’. Then select all and click ‘Purge

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot back into Safe Mode.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here.

Locate & double-click on TrackQoo1.vbs . Wait a few seconds and a notepad page will pop up, Copy & Paste those results in your next post
* If your Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

WPFind
Trackqoo
HijackThis
Ewido
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #9 ·
Hi Ried

I have followed the steps mentioned by you and the logs are attached here.

I have not yet connected to the internet as yet. The downloads and zips you mentioned were taken on an external usb drive on a different pc and transferred to this pc for unzip and run.

WinPFind log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 10/14/2005 12:34:52 PM 218112 C:\HijackThis.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 10/23/2004 9:19:18 PM 1343999 C:\WINDOWS\Bmztzerlpx.qua
PTech 10/23/2004 9:19:18 PM 1343999 C:\WINDOWS\Bmztzerlpx.qua
PTech 10/23/2004 9:19:22 PM 1626626 C:\WINDOWS\Hjvfokuvdbd.cfw
PEC2 9/25/2004 9:17:04 PM 200923 C:\WINDOWS\Jijlgwfyxs.shh
PECompact2 10/14/2005 2:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
qoologic 10/14/2005 2:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
SAHAgent 10/14/2005 2:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
PTech 10/23/2004 9:19:20 PM 483851 C:\WINDOWS\Mtangxshzh.fct
PEC2 10/23/2004 9:19:16 PM 184535 C:\WINDOWS\Muppybxxj.lmy
PEC2 10/23/2004 9:19:24 PM 200923 C:\WINDOWS\Mxeiptano.euy
PTech 10/31/2004 11:12:24 PM 1073501 C:\WINDOWS\Orznnuc.cif
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/14/2005 2:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
qoologic 10/14/2005 2:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
SAHAgent 10/14/2005 2:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
PEC2 10/23/2004 9:19:16 PM 193869 C:\WINDOWS\Wrdtthqdm.hsu

Checking %System% folder...
SAHAgent 10/18/2004 12:01:40 AM 3971 C:\WINDOWS\SYSTEM32\1i3q520j.ini
SAHAgent 9/24/2005 5:29:34 PM 35 C:\WINDOWS\SYSTEM32\a2uj8sgl.ini
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
Umonitor 8/29/2002 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX! 9/29/2005 9:38:28 AM 374272 C:\WINDOWS\SYSTEM32\ride5.0.exe
SAHAgent 9/24/2005 5:29:34 PM 35 C:\WINDOWS\SYSTEM32\vm9sebch.ini
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/25/2005 6:36:24 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
10/25/2005 3:45:00 PM H 24 C:\WINDOWS\p5cvk
10/13/2005 9:25:08 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
10/25/2005 6:36:16 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
10/25/2005 6:36:36 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
10/25/2005 6:36:26 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
10/25/2005 6:37:34 PM H 81920 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
10/25/2005 6:36:24 PM H 798720 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/7/2005 10:41:38 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\6c75a219-dc94-4cf9-a780-c242f9fdeaff
10/7/2005 10:41:38 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
10/25/2005 3:45:18 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 5/14/2003 8:47:38 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 1/28/2004 12:19:38 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
Apple Computer, Inc. 7/27/2003 12:05:54 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 4/10/2003 12:13:02 AM 81920 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
NETGEAR 3/20/2002 9:01:34 PM R 297028 C:\WINDOWS\SYSTEM32\WLANCFG.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
1/6/2005 3:06:22 PM 1889 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
1/6/2005 3:12:06 PM 879 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
1/28/2004 12:39:20 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
2/6/2005 9:35:58 PM 35982 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 11:00:00 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 10:50:46 AM HS 62 C:\Documents and Settings\Administrator\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qfyytnsg
{d139a096-11d4-4aec-bef4-5482353ecb80} = C:\WINDOWS\System32\bjaao.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= C:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WLANSTA.EXE WLANSTA.EXE START
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
PSof1 C:\WINDOWS\System32\PSof1.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Media Gateway C:\Program Files\Media Gateway\MediaGateway.exe
iRiver Updater C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HostManager C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
dla C:\WINDOWS\system32\dla\tfswctrl.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
DadApp C:\Program Files\Dell\AccessDirect\dadapp.exe
BCMSMMSG BCMSMMSG.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATIModeChange Ati2mdxx.exe
GsAds C:\WINDOWS\System32\gms2.exe
opr C:\WINDOWS\System32\opr.exe
Windows Incontext C:\DOCUME~1\POORNA~1\LOCALS~1\Temp\InSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key Æ—S)îl£4ÁfåQîKØî
Hint enter kalpana
FileName0 C:\WINDOWS\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 0
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
v 0
s 0
n 0
l 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/25/2005 6:50:58 PM

TrackQoo log:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLANSTA.EXE"="WLANSTA.EXE START"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PSof1"="C:\\WINDOWS\\System32\\PSof1.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"Media Gateway"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"
"iRiver Updater"="C:\\Program Files\\iRiver\\iRiver Manager\\Updater\\Updater.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1124835599\\ee\\AOLHostManager.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"GsAds"="C:\\WINDOWS\\System32\\gms2.exe"
"opr"="C:\\WINDOWS\\System32\\opr.exe"
"Windows Incontext"="C:\\DOCUME~1\\POORNA~1\\LOCALS~1\\Temp\\InSearch.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- qfyytnsg
{d139a096-11d4-4aec-bef4-5482353ecb80}
C:\WINDOWS\System32\bjaao.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
HP Digital Imaging Monitor.lnk
HP Image Zone Fast Start.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\Poorna Srinivasan\Start Menu\Programs\Startup

DESKTOP.INI
HP Digital Imaging Monitor.lnk
HP Image Zone Fast Start.lnk
Microsoft Office.lnk
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


ACCESS.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
B57exp.cpl Broadcom Corporation
DESK.CPL Microsoft Corporation
HDWWIZ.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
jpicpl32.cpl Sun Microsystems
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NCPA.CPL Microsoft Corporation
NUSRMGR.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
STAC97.cpl SigmaTel Inc.
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
WLANCFG.cpl NETGEAR

HJT scan log:
Logfile of HijackThis v1.99.1
Scan saved at 7:40:56 PM, on 10/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\gms2.exe
C:\WINDOWS\System32\opr.exe
C:\DOCUME~1\POORNA~1\LOCALS~1\Temp\InSearch.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
E:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\POORNA~1\LOCALS~1\Temp\InSearch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0030.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


When I open the startup tab in the system config utility I see one item with no name and no command?

Thanks for your help...
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
You did a great job that last round, we're getting close now.:smile:

All of these look suspicious to me but they are being referenced to a legit program. Before I go yanking them out, I’d like to be certain they are ‘bad’ and don’t belong. Upload the following files to http://virusscan.jotti.org/ and submit them, one at a time. Wait for the analysis.

If any are detected as infected, then enter the full path into Killbox with the others. If you are unsure, post the results in your next reply and I‘ll take a look at them.

C:\WINDOWS\Mtangxshzh.fct
C:\WINDOWS\Muppybxxj.lmy
C:\WINDOWS\Mxeiptano.euy
C:\WINDOWS\Bmztzerlpx.qua
C:\WINDOWS\Hjvfokuvdbd.cfw
C:\WINDOWS\Jijlgwfyxs.shh
C:\WINDOWS\Orznnuc.cif
C:\WINDOWS\Wrdtthqdm.hsu


Reboot into Safe Mode.(tapping F8 or F5)

Click STARTRUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to the following key and delete the file/folder/entry I highlighted in RED

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qf yytnsg
{d139a096-11d4-4aec-bef4-5482353ecb80} = C:\WINDOWS\System32\bjaao.dll

If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\1i3q520j.ini
C:\WINDOWS\SYSTEM32\a2uj8sgl.ini
C:\WINDOWS\SYSTEM32\ride5.0.exe
C:\WINDOWS\SYSTEM32\vm9sebch.ini
C:\WINDOWS\System32\gms2.exe
C:\WINDOWS\System32\opr.exe
C:\WINDOWS\System32\bjaao.dll
C:\DOCUME~1\POORNA~1\LOCALS~1\Temp\InSearch.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
*Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Media Gateway

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\POORNA~1\LOCALS~1\Temp\InSearch.exe


Delete the following Folders if they still exist.

C:\Program Files\Media Gateway
C:\WINDOWS\p5cvk

Reboot back into Safe Mode and run the WinPFind again and post the log here.

Reboot into Normal Mode.

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.

Once it has finished save the activescan log, then post that log in your next reply along with a new HijackThis log.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #11 ·
Hi Ried

Been out of town past 10 days....Followed the steps in your last reply.

The site virusscan.jotti.org did not identify the files noted in your mail as infected.
The regedit shows the following key "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qf yytnsg
{d139a096-11d4-4aec-bef4-5482353ecb80}
It did not include " = C:\WINDOWS\System32\bjaao.dll " at the end as mentioned in your steps. I did not want to delete this key without confirmimg with you.
Used the Killbox to delete files mentioned in your mail. Did not get the "Pending Operations..."prompt after the delete prompt ? However the Delete files completed.
Included the WinPFind log below.
Unable to run the Pandasoftware online scan. Gives me the error "current settings prohibit running ActiveX controls....." This is an old problem on my PC and has prevented me from downloading "windows updates". I have both Panda and MS Update sites in the Trusted sites in Internet options.
Ran a scan of Hijackthis. log attached.

When accessing "Pandasoftare.com" the browser started loading adware for cleaning registry and a few other malware pages.

Logfile of HijackThis v1.99.1
Scan saved at 4:17:52 PM, on 11/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
E:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0030.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 10/14/2005 11:34:52 AM 218112 C:\HijackThis.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 10/23/2004 8:19:18 PM 1343999 C:\WINDOWS\Bmztzerlpx.qua
PTech 10/23/2004 8:19:18 PM 1343999 C:\WINDOWS\Bmztzerlpx.qua
PTech 10/23/2004 8:19:22 PM 1626626 C:\WINDOWS\Hjvfokuvdbd.cfw
PEC2 9/25/2004 8:17:04 PM 200923 C:\WINDOWS\Jijlgwfyxs.shh
PECompact2 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
qoologic 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
SAHAgent 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
PTech 10/23/2004 8:19:20 PM 483851 C:\WINDOWS\Mtangxshzh.fct
PEC2 10/23/2004 8:19:16 PM 184535 C:\WINDOWS\Muppybxxj.lmy
PEC2 10/23/2004 8:19:24 PM 200923 C:\WINDOWS\Mxeiptano.euy
PTech 10/31/2004 10:12:24 PM 1073501 C:\WINDOWS\Orznnuc.cif
UPX! 5/3/2005 10:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 3:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
qoologic 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
SAHAgent 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
UPX! 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
PEC2 10/23/2004 8:19:16 PM 193869 C:\WINDOWS\Wrdtthqdm.hsu

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/9/2005 2:50:12 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
11/9/2005 2:16:32 PM H 57 C:\WINDOWS\p5cvk
10/13/2005 8:25:08 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
11/9/2005 2:50:04 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
11/9/2005 2:50:28 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
11/9/2005 2:50:14 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
11/9/2005 2:51:22 PM H 81920 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
11/9/2005 2:50:12 PM H 790528 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/7/2005 9:41:38 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\6c75a219-dc94-4cf9-a780-c242f9fdeaff
10/7/2005 9:41:38 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
11/9/2005 2:37:14 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 5/14/2003 7:47:38 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 1/28/2004 11:19:38 AM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
Apple Computer, Inc. 7/27/2003 11:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 4/9/2003 11:13:02 PM 81920 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
NETGEAR 3/20/2002 8:01:34 PM R 297028 C:\WINDOWS\SYSTEM32\WLANCFG.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
1/6/2005 2:06:22 PM 1889 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
1/6/2005 2:12:06 PM 879 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
1/28/2004 11:39:20 AM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
2/6/2005 8:35:58 PM 35982 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Administrator\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qfyytnsg
{d139a096-11d4-4aec-bef4-5482353ecb80} = C:\WINDOWS\System32\bjaao.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= C:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WLANSTA.EXE WLANSTA.EXE START
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
PSof1 C:\WINDOWS\System32\PSof1.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
iRiver Updater C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HostManager C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
dla C:\WINDOWS\system32\dla\tfswctrl.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
DadApp C:\Program Files\Dell\AccessDirect\dadapp.exe
BCMSMMSG BCMSMMSG.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATIModeChange Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key Æ—S)îl£4ÁfåQîKØî
Hint enter kalpana
FileName0 C:\WINDOWS\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 0
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
v 0
s 0
n 0
l 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/9/2005 2:57:32 PM
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as followed:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run hijackthis and fix the following entry..

O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qfyytnsg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings
Key Æ—S)îl£4ÁfåQîKØî
Hint enter kalpana
FileName0 C:\WINDOWS\System32\RSACi.rat


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings\.Default

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings\PICSRules


*Note* While your in here..lets check a registry key. Please navigate to this key..HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows\CurrentVersion\
WindowsUpdate\Auto Update


In the right window pane look for this setting: AUOptions=1 Make sure thats a 1 (Zero). If it's a 0...let me know. If your unsure or there are more then 3 settings in that key..make sure the AutoUpdate folder is highlighted..click..file...export..and save the key as a TXT file. Then post that file.

Close regedit.

C:\WINDOWS\p5cvk<--delete that folder.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\System32\RSACi.rat
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\bjaao.dll
C:\WINDOWS\Bmztzerlpx.qua
C:\WINDOWS\Hjvfokuvdbd.cfw
C:\WINDOWS\Jijlgwfyxs.shh
C:\WINDOWS\Mtangxshzh.fct
C:\WINDOWS\Muppybxxj.lmy
C:\WINDOWS\Mxeiptano.euy
C:\WINDOWS\Orznnuc.cif
C:\WINDOWS\Wrdtthqdm.hsu


On the reboot...boot directly back to safe mode.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Now run KILLBOX again using the same files and make sure nothing survived. Some will be missing as the scanners should get them but try each.

Once you reboot.....

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log".

I then need you to repeat the same procedure above again... using the TrendMicro scan tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.


Post that log and another WinPFind log.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #13 ·
Hi "MicroBell"...

followed your suggestions. attached the log files below:

Ad-Aware SE after update did not show the VX2 Addon Cleaner. Did a scan and clean without this addon
Ran Regedit as per your notes. Removed the files/folders mentioned. Do I delete the following file . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings..key cb 97 53 29..........I did not as yet delete this file?
Attached autoupdate folder as txt..
Ran ewido folowed by killbox
Ran TrendMicro...First run had a spyware..cleaned and ran again. no log created but the summary said No Spyware Found.
Posted a WinPFind log and Hijackthis logs..

Should I reinstall the McAfee virus scan and firewalls now??
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Class Name: <NO CLASS>
Last Write Time: 11/11/2005 - 9:39 PM
Value 0
Name: AUOptions
Type: REG_DWORD
Data: 0x4

Value 1
Name: AUState
Type: REG_DWORD
Data: 0x2

Value 2
Name: DetectionStartTime
Type: REG_SZ
Data: 2005.11.11 19:57:44

Value 3
Name: ScheduledInstallDay
Type: REG_DWORD
Data: 0x0

Value 4
Name: ScheduledInstallTime
Type: REG_DWORD
Data: 0x3

Value 5
Name: LastWaitTimeout
Type: REG_SZ
Data: 2005.11.13 01:03:45

Logfile of HijackThis v1.99.1
Scan saved at 8:56:05 AM, on 11/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
E:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://housecall60.trendmicro.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0030.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 10/14/2005 11:34:52 AM 218112 C:\HijackThis.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
qoologic 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
SAHAgent 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\LPT$VPN.893
UPX! 5/3/2005 10:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 3:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
qoologic 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
SAHAgent 10/14/2005 1:22:18 AM 16050847 C:\WINDOWS\VPTNFILE.893
UPX! 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/12/2005 8:16:08 AM S 2048 C:\WINDOWS\BOOTSTAT.DAT
11/12/2005 8:52:26 AM H 24 C:\WINDOWS\p5cvk
10/13/2005 8:25:08 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
11/12/2005 8:17:48 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
11/12/2005 8:16:24 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
11/12/2005 8:26:28 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
11/12/2005 8:49:48 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
11/12/2005 8:48:04 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/7/2005 9:41:38 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\6c75a219-dc94-4cf9-a780-c242f9fdeaff
10/7/2005 9:41:38 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
11/12/2005 8:16:20 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 5/14/2003 7:47:38 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 1/28/2004 11:19:38 AM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
Apple Computer, Inc. 7/27/2003 11:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 4/9/2003 11:13:02 PM 81920 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
NETGEAR 3/20/2002 8:01:34 PM R 297028 C:\WINDOWS\SYSTEM32\WLANCFG.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
1/6/2005 2:06:22 PM 1889 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
1/6/2005 2:12:06 PM 879 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
1/28/2004 11:39:20 AM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
2/6/2005 8:35:58 PM 35982 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Poorna Srinivasan\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
2/13/2005 3:06:58 PM 1313 C:\Documents and Settings\Poorna Srinivasan\Application Data\AdobeDLM.log
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Poorna Srinivasan\Application Data\DESKTOP.INI
2/13/2005 3:06:58 PM 0 C:\Documents and Settings\Poorna Srinivasan\Application Data\dm.ini
5/6/2005 4:41:24 PM 82312 C:\Documents and Settings\Poorna Srinivasan\Application Data\GDIPFONTCACHEV1.DAT
9/26/2004 8:23:46 PM 35 C:\Documents and Settings\Poorna Srinivasan\Application Data\tvmcwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= C:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WLANSTA.EXE WLANSTA.EXE START
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
iRiver Updater C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DVDSentry C:\WINDOWS\System32\DSentry.exe
dla C:\WINDOWS\system32\dla\tfswctrl.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
DadApp C:\Program Files\Dell\AccessDirect\dadapp.exe
BCMSMMSG BCMSMMSG.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATIModeChange Ati2mdxx.exe
HostManager C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/12/2005 8:52:44 AM
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
C:\WINDOWS\p5cvk<--delete that folder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings<--leave that folder BE!

Yes you can install the firewall now.


Run killbox again using the "Delete on Reboot" instructions for this file...

C:\Documents and Settings\Poorna Srinivasan\Application Data\tvmcwrd.dll

The open IE..click on tools>>>Internet Options>>>Security>>>Custom Level.
On the bottom click reset to Medium-Low. Then highlight the "Restricted Sites" up top..then click on the "Restricted Sites" button. Check that list and make sure NONE of the sites your trying to access is on it. Should only be bad guys in there.

If that doesn't work..try this...

Open regedit and navigate to this key....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

Once in the 0 (Zero) folder look for this name entry on the right pane..
1200 Make sure it's value is set to 0 (Zero). If its a 1..change it.

The whole entry should look like this

Name=1200
Type=Reg_DWORD
Data=0x00000000 (0)

Repeat that whole procedure in the following key....

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

Reboot the PC for the new settings to take effect. IF neither of those fixes the ActiveX error..I need you to post the EXCATE error message word for word..as there a few ActiveX errors that are slightly worded differently and I need to know which one your getting.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #15 ·
Hi microbell

I have finally removed the C:\WINDOWS\p5cvk and tvmcwrd.dll

I am unable to download the updates and also unable to install Firewall plus from McAfee. As mentioned in your last mail, I checked the following files
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet Settings\Zones\0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Internet Settings\Zones\0
and the values are set to zero.
I have contacted both McAfee and MS for the ActiveX problem buth not much help....just runaround. The error I get is ""current settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" .....can't download after this message.
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Lets see if one of of these works....

1. Click on View then click Internet Options.
2. Click on the Security tab.
3. Under Internet Zone, choose Customize and then click on the Settings button.
4. Under the Settings, set the following to ENABLE:

* Script ActiveX controls marked safe for scripting
* Run ActiveX controls and plugins

5. Set the following to PROMPT:

* Initialize and script ActiveX controls not marked as safe.
* Download signed ActiveX controls

6. Set ENABLE for ACTIVE SCRIPTING at the bottom of the
selection.

If this still does not work, set your browser security to LOW. Here's how:

1. From the browser, click View | Internet Options.
2. Click on the Security tab.
3. Under Internet Zone, choose LOW.

Let me know
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #17 ·
Hi Microbell

Step 1: went thru steps 1 to 6 on the security tab changing the options as mentioned by you. Windows update gave the same activeX msg.
Step two from your instructions: Tried to change the security setting to LOW from the current medium. It allows me to select from the dropdown but when I OK the window, and close the internet options and shut down the pc and then go back to the security setting it is back to Medium. It does not allow a change in setting to Low.
I have a Dell support icon on my desktop that request me to get IE critical updates. this link takes me to MS IE download KB889293 for IE6 SP1. On trying this download I get the following error:
Setup could not verify the integrity of the file update.inf Make sure the cryptographic service is running on this computer.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #18 ·
Hi

Forgot to mention one more detail in my last mail:
Under the Add/Remove Programs in the control Panel, I see the AOL Explorer but do not have an entry for IE .
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Let me see what else is installed. Run hijackthis..click config..misctools....Uninstall manager. Once that loads click "Save List" and post that log here.
 

·
Registered
Joined
·
12 Posts
Discussion Starter · #20 ·
Hi MicroBell

Attached is the log from uninstall manager. I have also attached a log of startups. How do I kill Dell related startups?

AccessDirect
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
AOL Explorer
AOL Instant Messenger
AOL Toolbar 2.0
ATI Control Panel
ATI Display Driver
BCM V.92 56K Modem
Broadcom Advanced Control Suite
CleanUp!
ClickArt Fonts 3
Dell Digital Jukebox Driver
Dell Media Experience
Dell ResourceCD
Dell Solution Center
Dell Support 5.0.0 (766)
DVDSentry
ewido security suite
Finale NotePad 2005a
Finale Performance Assessment
GerardButler.Net Candid Screensaver #1 Screen Saver
GerardButler.Net Timeline Screensaver Screen Saver
Google Toolbar for Internet Explorer
GsAds
HijackThis 1.99.1
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Internet Explorer Default Page
iRiver Manager
iRiver Updater
Jasc Animation Shop 3
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LQfix 2.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MUSICMATCH® Jukebox
overland
PowerDVD
QuickSet
QuickTime
RealOne Player
Select CashBack
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Windows Incontext
Yahoo! extras

STARTUP List

StartupList report, 12/18/2005, 8:23:30 PM
StartupList version: 1.52.2
Started from : E:\HJT\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1124835599\ee\AOLServiceHost.exe
c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
E:\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WLANSTA.EXE = WLANSTA.EXE START
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
PCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"
MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
iRiver Updater = C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DVDSentry = C:\WINDOWS\System32\DSentry.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
Dell QuickSet = C:\Program Files\Dell\QuickSet\quickset.exe
DadApp = C:\Program Files\Dell\AccessDirect\dadapp.exe
BCMSMMSG = BCMSMMSG.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATIModeChange = Ati2mdxx.exe
HostManager = C:\Program Files\Common Files\AOL\1124835599\ee\AOLHostManager.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sonic RecordNow! =
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
DellSupport = "C:\Program Files\Dell Support\DSAgnt.exe" /startup

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
AOL Toolbar Launcher - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[{26098EA2-C95D-48EA-89B4-63C5A63BD42F}]
CODEBASE = http://www.pacimedia.com/install/pcs_0030.exe

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129308939458

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134705729234

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,711 bytes
Report generated in 0.130 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
1 - 20 of 23 Posts
Status
Not open for further replies.
Top