
MY computer is being EATEN UP!

Discussion in 'Virus & Other Malware Removal' started by uglyamericanV1.5, Jul 14, 2006.

Thread Status:
Not open for further replies.
  1. uglyamericanV1.5

    uglyamericanV1.5 Thread Starter

    Joined:
    May 15, 2006
    Messages:
    43
    My computer is running very strangely... it's a freakin $2000 monster that used to load up in under 10 sec... now... it is taking minutes and every SINGLE THING IS DRRRRRAAAAGIN. My buddy told me it was probably a worm, but I have no idea how to get it off!!! PLEASE HELP PLEASE.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:46:04 PM, on 7/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\EzButton\CplBTQ00.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\Toshiba Controls\CpRmtKey.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\dllhost.exe
    \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\Documents and Settings\Daniel\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
    O2 - BHO: (no name) - {20E8C267-8B34-5715-D357-619F545714DA} - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Bib type.exe (file missing)
    O2 - BHO: (no name) - {7B2B37C1-16EA-534D-856E-7A7990828C16} - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Enc coal.exe (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  2. uglyamericanV1.5

    uglyamericanV1.5 Thread Starter

    Joined:
    May 15, 2006
    Messages:
    43
    Did I leave something out? Help.
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,299
    First Name:
    Karen
    You have a Lop infection.

    Download and unzip the following to a new folder:
    http://metallica.geekstogo.com/findlop.zip


    Inside the folder locate findlop.bat

    Double click it and it will create the file C:\findlop.txt
    Find that file and copy and paste the contents into your next post.


    Open HijackThis.
    Click on Open Misc Tools Section
    Make sure that both boxes beside "Generate StartupList Log" are checked:
    • List all minor sections(Full)
    • List Empty Sections(Complete)
    Click Generate StartupList Log.
    Click Yes at the prompt.
    It will open a text file. Please copy the entire contents of that page and paste it here.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
     
  4. uglyamericanV1.5

    uglyamericanV1.5 Thread Starter

    Joined:
    May 15, 2006
    Messages:
    43
    Here is that bat file:

    [TRACE] Enumerating jobs and queues
    [TRACE] Activating job '01054A8EBB97545A.job'
    [TRACE] Printing all job properties

    ApplicationName: 'c:\docume~1\daniel\applic~1\boneho~1\camp mode tray.exe'
    Parameters: ''
    WorkingDirectory: ''
    Comment: ''
    Creator: 'Daniel'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 07/15/2006 16:00:00
    NextRun: 07/16/2006 17:00:00
    StartError: S_OK
    ExitCode: 0
    Status: SCHED_S_TASK_READY
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 0
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 1
    TaskFlags: 0

    1 Trigger

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 06/26/2001
    EndDate: 00/00/0000
    StartTime: 00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0
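Example added here, not part of the thread and not the code of HijackThis or findlop.bat: a small Python triage script that applies the indicators Cookiegal's Lop diagnosis rests on. In the HijackThis log these are the unnamed O2 BHOs that point at missing, oddly named executables under the user's Application Data folder; in the findlop output it is the Hidden scheduled task launching another executable from the same place. The sample lines are reconstructed from the logs in this thread; the multi-word-name check is a heuristic of my own, not a rule from either tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 1.99.1 format (O2 = Browser Helper
# Object, O4 = Run-key autostart), mirroring entries from the log posted
# above; the sample is assembled here, not the full original log.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {20E8C267-8B34-5715-D357-619F545714DA} - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Bib type.exe (file missing)
O2 - BHO: (no name) - {7B2B37C1-16EA-534D-856E-7A7990828C16} - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Enc coal.exe (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed sample of the findlop.bat task dump posted above (only the
# properties this script inspects are reproduced).
SAMPLE_JOB = r"""
[TRACE] Activating job '01054A8EBB97545A.job'
ApplicationName: 'c:\docume~1\daniel\applic~1\boneho~1\camp mode tray.exe'
Parameters: ''
RunOnlyIfLoggedOn = 1
Hidden = 1
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)  # executable part of a command line
# Per-user profile location, in 8.3 short form or long form.
APPDATA_RE = re.compile(r"\\(APPLIC~1|Application Data)\\", re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Finding:
    kind: str                 # "BHO", "Run" or "Task"
    path: str
    reasons: list = field(default_factory=list)


def exe_name(path: str) -> str:
    """File-name part of a Windows path, quotes and surrounding spaces removed."""
    return path.strip().strip('"').rsplit("\\", 1)[-1]


def suspicious_reasons(path: str, name: str = "") -> list:
    """Indicators that a load point resembles the Lop entries in this thread."""
    reasons = []
    if name == "(no name)":
        reasons.append("unnamed BHO")
    if APPDATA_RE.search(path):
        reasons.append("loads from per-user Application Data")
    if path.rstrip().endswith(MISSING):
        reasons.append("referenced file is missing")
    base = exe_name(path.replace(MISSING, ""))
    # Heuristic only: multi-word names such as 'Bib type.exe' are typical of
    # this family but are not proof by themselves.
    if base.lower().endswith(".exe") and " " in base:
        reasons.append("multi-word executable name (heuristic)")
    return reasons


def triage_hjt(log_text: str) -> list:
    """Return flagged O2 (BHO) and O4 (Run key) entries of a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            reasons = suspicious_reasons(m["path"], m["name"])
            if reasons:
                findings.append(Finding("BHO", m["path"], reasons))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            path = exe.group(1) if exe else m["cmd"].split(" ", 1)[0]
            reasons = suspicious_reasons(path)
            if reasons:
                findings.append(Finding("Run", path, reasons))
    return findings


def triage_jobs(dump_text: str) -> list:
    """Apply the same indicators to a findlop-style Task Scheduler dump."""
    findings = []
    app, hidden = None, False
    # A trailing sentinel flushes the last job without duplicating logic.
    for line in dump_text.splitlines() + ["[TRACE] end of dump"]:
        line = line.strip()
        if line.startswith("ApplicationName:"):
            app = line.split(":", 1)[1].strip().strip("'")
        elif line.startswith("Hidden ="):
            hidden = line.split("=", 1)[1].strip() == "1"
        elif line.startswith("[TRACE]") and app is not None:
            reasons = suspicious_reasons(app)
            if hidden:
                reasons.append("task is marked Hidden")
            if reasons:
                findings.append(Finding("Task", app, reasons))
            app, hidden = None, False
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_jobs(SAMPLE_JOB):
        print(f"{f.kind:4} {f.path}\n     -> {', '.join(f.reasons)}")
```

On the samples above it flags the two unnamed BHOs and the hidden task while leaving the Yahoo, AVG and Messenger entries alone; a real log is fed in the same way, one line per entry.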
     
  5. uglyamericanV1.5

    uglyamericanV1.5 Thread Starter

    Joined:
    May 15, 2006
    Messages:
    43
    Here is the HijackThis log:

    StartupList report, 7/16/2006, 4:14:43 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Daniel\Desktop\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\EzButton\CplBTQ00.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\Toshiba Controls\CpRmtKey.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\notepad.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Documents and Settings\Daniel\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Daniel\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ehTray = C:\WINDOWS\ehome\ehtray.exe
    ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
    NDSTray.exe = NDSTray.exe
    CplBTQ00 = C:\Program Files\EzButton\CplBTQ00.EXE
    LtMoh = C:\Program Files\ltmoh\Ltmoh.exe
    CeEPOWER = C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    CpRmtKey = "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
    CeEKEY = C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    TPNF = C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    (Default) =
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    Pinger = c:\toshiba\ivp\ism\pinger.exe /run
    BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    H/PC Connection Agent = "C:\PROGRA~1\MICROS~3\wcescomm.exe"
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    [{8b15971b-5355-4c82-8c07-7e181ea07608}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll - {0F660F64-F4C9-477F-8529-44181B717472}
    (no name) - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Bib type.exe (file missing) - {20E8C267-8B34-5715-D357-619F545714DA}
    (no name) - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Enc coal.exe (file missing) - {7B2B37C1-16EA-534D-856E-7A7990828C16}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    01054A8EBB97545A.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\FLASH.OCX
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\mswsock.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll
    Protocol #18: C:\WINDOWS\system32\mswsock.dll
    Protocol #19: C:\WINDOWS\system32\mswsock.dll
    Protocol #20: C:\WINDOWS\system32\mswsock.dll
    Protocol #21: C:\WINDOWS\system32\mswsock.dll
    Protocol #22: C:\WINDOWS\system32\mswsock.dll
    Protocol #23: C:\WINDOWS\system32\mswsock.dll
    Protocol #24: C:\WINDOWS\system32\mswsock.dll
    Protocol #25: C:\WINDOWS\system32\mswsock.dll
    Protocol #26: C:\WINDOWS\system32\mswsock.dll
    Protocol #27: C:\WINDOWS\system32\mswsock.dll
    Protocol #28: C:\WINDOWS\system32\mswsock.dll
    Protocol #29: C:\WINDOWS\system32\mswsock.dll
    Protocol #30: C:\WINDOWS\system32\mswsock.dll
    Protocol #31: C:\WINDOWS\system32\mswsock.dll
    Protocol #32: C:\WINDOWS\system32\mswsock.dll
    Protocol #33: C:\WINDOWS\system32\mswsock.dll
    Protocol #34: C:\WINDOWS\system32\mswsock.dll
    Protocol #35: C:\WINDOWS\system32\mswsock.dll
    Protocol #36: C:\WINDOWS\system32\mswsock.dll
    Protocol #37: C:\WINDOWS\system32\mswsock.dll
    Protocol #38: C:\WINDOWS\system32\mswsock.dll
    Protocol #39: C:\WINDOWS\system32\mswsock.dll
    Protocol #40: C:\WINDOWS\system32\mswsock.dll
    Protocol #41: C:\WINDOWS\system32\mswsock.dll
    Protocol #42: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------
     
  6. uglyamericanV1.5

    uglyamericanV1.5 Thread Starter

    Joined:
    May 15, 2006
    Messages:
    43
    Here is the rest (it wouldn't let me post all of the HijackThis log):

    Enumerating Windows NT/2000/XP services

    IPv6 Helper Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
    TOSHIBA V92 Software Modem: System32\DRIVERS\AGRSM.sys (manual start)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Alps Pointing-device Filter Driver: System32\DRIVERS\Apfiltr.sys (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Atheros Wireless Network Adapter Service: System32\DRIVERS\ar5211.sys (manual start)
    1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
    AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
    AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
    TOSHIBA Style Bay TV Tuner KiT Device: System32\DRIVERS\BayTvKit.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
    MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Bluetooth Port Driver: System32\Drivers\BTHport.sys (manual start)
    Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
    Bluetooth Radio USB Driver: System32\Drivers\BTHUSB.sys (manual start)
    C-Dilla: \??\C:\WINDOWS\System32\drivers\CDANT.SYS (manual start)
    C-DillaSrv: C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
    Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Dritek HotKey Keyboard Filter Driver: System32\Drivers\DKbFltr.sys (manual start)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    DVD-RAM_Service: C:\WINDOWS\System32\DVDRAMSV.exe (autostart)
    Media Center Scheduler Service: C:\WINDOWS\ehome\ehSched.exe (autostart)
    Compal E-POWER Driver: System32\Drivers\hkdrv.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Fax: %systemroot%\system32\fxssvc.exe (autostart)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    FltMgr: system32\drivers\fltmgr.sys (system)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
    Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
    USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
    IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (manual start)
    meiudf: System32\Drivers\meiudf.sys (system)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBT: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Monitor Driver: System32\DRIVERS\NMnt.sys (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Client Service for NetWare: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
    NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
    NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
    NetWare Rdr: System32\DRIVERS\nwrdr.sys (manual start)
    SAP Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
    Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    pciSd: System32\DRIVERS\tossdpci.sys (manual start)
    Pcmcia: System32\DRIVERS\pcmcia.sys (system)
    Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    SMC IrCC Miniport Device Driver: System32\DRIVERS\smcirda.sys (manual start)
    SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
    SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SrvcEKIOMngr: System32\Drivers\EKIoMngr.sys (system)
    SrvcEPIOMngr: System32\Drivers\EPIoMngr.sys (system)
    SrvcSSIOMngr: System32\Drivers\SSIoMngr.sys (system)
    SrvcTPIOMngr: System32\Drivers\TPIoMngr.sys (system)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Still Serial Digital Camera Driver: System32\DRIVERS\serscan.sys (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{79935D11-ED2D-4CDC-BA34-DD5A9EA2CA98} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TBiosDrv: \??\C:\WINDOWS\System32\Drivers\Tbiosdrv.sys (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Microsoft IPv6 Protocol Driver: System32\DRIVERS\tcpip6.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
    Bluetooth Port Driver from Toshiba: System32\DRIVERS\tosporte.sys (manual start)
    Bluetooth RFBUS from TOSHIBA: System32\Drivers\tosrfbd.sys (manual start)
    Bluetooth RFCOMM from TOSHIBA: System32\Drivers\tosrfcom.sys (system)
    Bluetooth ACPI from TOSHIBA: System32\DRIVERS\tosrfec.sys (manual start)
    Bluetooth RFHID from TOSHIBA: System32\DRIVERS\Tosrfhid.sys (manual start)
    Bluetooth USB Controller: System32\Drivers\tosrfusb.sys (manual start)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TOSHIBA SD Card Host Controller Driver: System32\DRIVERS\tsdhd.sys (manual start)
    Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
    Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
    WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
    Windows CE USB Serial Host Driver: System32\DRIVERS\wceusbsh.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless LAN PCCard Driver: System32\DRIVERS\wlags48b.sys (manual start)
    Wireless LAN PC Card Driver: System32\DRIVERS\wlluc48.sys (manual start)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 38,678 bytes
    Report generated in 0.359 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  7. uglyamericanV1.5 (Thread Starter)
    And here is the active scan:

    Incident Status Location

    Spyware:spyware/new.net Not disinfected c:\windows\NDNuninstall7_22.exe
    Adware:adware program Not disinfected c:\windows\ss3unstl.exe
    Potentially unwanted tool:application/regclean32 Not disinfected c:\program files\Registry Cleaner Trial
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Application Data\BoneHoldVga\camp mode tray.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Application Data\BoneHoldVga\Corn Draw.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Application Data\BoneHoldVga\vcfywhvf.exe
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Daniel\Cookies\[email protected][2].txt
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Local Settings\Temp\528c9cde.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Local Settings\Temp\90d601c6.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Local Settings\Temp\914fc499.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Local Settings\Temp\bis202.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Local Settings\Temp\sta2.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\Daniel\Local Settings\Temp\sta2A7.exe
     
  8. uglyamericanV1.5 (Thread Starter)
    I was on a road call (I'm a mechanic) and couldn't get back to you...
    So many thank-yous for the help.
     
  9. uglyamericanV1.5 (Thread Starter)
    Do I need to add any more information?
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,299
    First Name:
    Karen
    Copy the part in bold below into Notepad and save it as direxie.bat.
    Set the file type to "All files".


    rem Collect listings with 8.3 short names (dir /x) so that folders whose
    rem names contain spaces can be matched against the short paths that
    rem HijackThis reports (e.g. C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1).
    cd\
    cd /d "C:\Documents and Settings\Daniel\Application Data"
    dir /x > C:\directory.txt
    cd /d "C:\Documents and Settings\All Users\Application Data"
    dir /x >> C:\directory.txt
    cd /d "C:\Program Files"
    dir /x >> C:\directory.txt
    start notepad C:\directory.txt



    Start the file by double-clicking direxie.bat.
    That will open a file called directory.txt. Post the content of that file.
     
  11. uglyamericanV1.5 (Thread Starter)
    Volume in drive C has no label.
    Volume Serial Number is 70AE-A473

    Directory of C:\Documents and Settings\Daniel\Application Data

    03/06/2006 06:28 AM 2,508 $_hpcst$.hpc
    04/05/2006 10:27 PM <DIR> BITTOR~1 .bittorrent
    04/29/2003 12:51 PM <DIR> Adobe
    07/11/2006 08:10 AM <DIR> AVG7
    07/11/2006 08:42 AM <DIR> BASHAM~1 Bash Amen
    07/14/2006 06:42 PM <DIR> BONEHO~1 BoneHoldVga
    04/29/2003 06:39 PM <DIR> DRAG'N~1 Drag'n Drop CD+DVD
    05/08/2006 05:07 AM <DIR> Help
    04/28/2003 06:57 PM <DIR> IDENTI~1 Identities
    04/29/2003 12:51 PM <DIR> INTERT~1 InterTrust
    01/01/2002 03:34 AM <DIR> INTERV~1 InterVideo
    07/11/2006 08:13 AM <DIR> Lavasoft
    03/06/2006 07:23 AM <DIR> MACROM~1 Macromedia
    07/14/2006 12:08 PM <DIR> MICROS~2 Microsoft Web Folders
    03/04/2006 05:28 PM <DIR> MSN6
    05/15/2003 05:56 PM <DIR> PANASO~1 Panasonic
    04/07/2006 11:20 AM <DIR> REGIST~1 Registry Cleaner
    04/29/2003 06:57 PM <DIR> Symantec
    03/14/2006 08:57 PM <DIR> Template
    04/29/2003 03:25 PM <DIR> Toshiba
    07/02/2006 05:18 PM <DIR> warez
    1 File(s) 2,508 bytes
    20 Dir(s) 48,604,020,736 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 70AE-A473

    Directory of C:\Documents and Settings\All Users\Application Data

    07/14/2006 06:53 PM <DIR> avg7
    07/11/2006 08:10 AM <DIR> Grisoft
    04/29/2006 03:39 PM 354 HPZINS~1.LOG hpzinstall.log
    07/11/2006 08:13 AM <DIR> MEETEX~1 meetexitobjvc
    02/17/2006 10:30 AM <DIR> MSN6
    04/28/2003 07:01 PM <DIR> SBSI
    07/11/2006 07:58 AM <DIR> Symantec
    07/11/2006 08:33 AM <DIR> WINDOW~1 Windows Genuine Advantage
    07/14/2006 06:42 PM <DIR> WMAIDO~1 Wma Idol Poll More
    03/10/2006 05:47 PM <DIR> YAHOO!~1 Yahoo! Companion
    1 File(s) 354 bytes
    9 Dir(s) 48,604,020,736 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 70AE-A473

    Directory of C:\Program Files

    07/15/2006 02:54 PM <DIR> .
    07/15/2006 02:54 PM <DIR> ..
    04/29/2003 12:51 PM <DIR> Adobe
    04/02/2006 02:15 AM <DIR> AMERIC~1.0 America Online 8.0
    04/29/2003 01:29 PM <DIR> AOLCOM~1 AOL Companion
    05/05/2003 07:04 PM <DIR> ArcSoft
    04/29/2003 05:22 PM <DIR> AT&T
    06/02/2003 05:06 PM <DIR> Atheros
    05/20/2006 01:12 PM <DIR> BONEHO~1 BoneHoldVga
    04/06/2006 01:29 AM <DIR> Canon
    03/10/2006 05:47 PM <DIR> Common
    07/14/2006 12:11 PM <DIR> COMMON~1 Common Files
    04/28/2003 06:52 PM <DIR> COMPLU~1 ComPlus Applications
    04/29/2003 03:52 PM <DIR> DataLode
    04/29/2003 06:37 PM <DIR> DRAG'N~1 Drag'n Drop CD+DVD
    04/29/2003 07:04 PM <DIR> DVD-RAM
    07/16/2006 04:26 PM <DIR> EzButton
    07/11/2006 08:10 AM <DIR> Grisoft
    04/29/2006 03:38 PM <DIR> HP
    04/29/2003 04:41 PM <DIR> Intel
    07/16/2006 04:26 PM <DIR> INTERN~1 Internet Explorer
    04/29/2003 06:51 PM <DIR> INTERV~1 InterVideo
    03/21/2006 05:26 PM <DIR> iPhox
    07/11/2006 08:12 AM <DIR> Lavasoft
    07/16/2006 04:26 PM <DIR> ltmoh
    04/29/2003 11:38 AM <DIR> MANAGE~1 Managed DirectX (0900)
    07/16/2006 04:26 PM <DIR> MESSEN~1 Messenger
    07/16/2006 04:26 PM <DIR> MICROS~3 Microsoft ActiveSync
    07/14/2006 12:08 PM <DIR> MICROS~1 microsoft frontpage
    07/15/2006 02:55 PM <DIR> MICROS~4 Microsoft Office
    03/14/2006 09:02 PM <DIR> MICROS~2 Microsoft Works
    07/15/2006 02:54 PM <DIR> MICROS~1.NET Microsoft.NET
    04/06/2006 10:14 PM <DIR> MOVIEM~1 Movie Maker
    04/28/2003 06:50 PM <DIR> MSNGAM~1 MSN Gaming Zone
    03/10/2006 06:24 PM <DIR> MsnMusic
    03/16/2006 01:33 PM <DIR> NANNYP~1 NannyPay 2006
    04/06/2006 10:03 PM <DIR> NETMEE~1 NetMeeting
    05/02/2006 10:28 PM <DIR> NOTEBO~1 Notebook Maximizer
    04/02/2006 02:18 AM <DIR> ONLINE~1 Online Services
    04/21/2006 03:02 AM <DIR> OUTLOO~1 Outlook Express
    05/15/2003 06:39 PM <DIR> PANASO~1 Panasonic
    03/06/2006 06:18 AM <DIR> PRINTS~1 Print Server
    04/21/2006 09:20 PM <DIR> PROVEN~1 ProVenture
    04/29/2003 01:17 PM <DIR> Quicken
    04/29/2003 01:28 PM <DIR> Real
    04/07/2006 11:17 AM <DIR> REGIST~1 Registry Cleaner Trial
    01/01/2002 02:18 AM <DIR> Sonic
    07/11/2006 08:03 AM <DIR> Symantec
    07/15/2006 03:17 PM <DIR> TATEMS~1 TATEMS 2005
    06/19/2003 11:48 AM <DIR> Toshiba
    04/29/2003 12:46 PM <DIR> TOSHIB~1 TOSHIBA Access Files
    07/16/2006 04:26 PM <DIR> TOSHIB~2 Toshiba Controls
    04/29/2003 01:29 PM <DIR> VIEWPO~1 Viewpoint
    04/06/2006 10:14 PM <DIR> WINDOW~2 Windows Media Player
    04/06/2006 10:03 PM <DIR> WINDOW~1 Windows NT
    04/28/2003 06:57 PM <DIR> xerox
    03/10/2006 05:47 PM <DIR> Yahoo!
    0 File(s) 0 bytes
    57 Dir(s) 48,604,016,640 bytes free

    Thanks a mill
    now what?
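    As an added example (not Cookiegal's or the poster's code), here is how a directory.txt listing like the one above can be parsed and triaged automatically: it reads the 8.3 aliases that dir /x prints, then flags folders that are not on a vendor allowlist and were either modified within a window before the incident or carry a Lop-style generated name. The sample listing is a subset of the poster's output; the incident date is the first HijackThis scan date in the thread (7/14/2006); the allowlist, the 14-day window and the name pattern are this example's own assumptions, not anything the thread states.

```python
"""Triage a `dir /x` listing: parse it and flag unfamiliar folders that are new
or carry a generated-looking name. Added example, not code from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: a subset of the directory.txt posted in the thread.
SAMPLE = r"""
 Directory of C:\Documents and Settings\Daniel\Application Data

03/06/2006 06:28 AM 2,508 $_hpcst$.hpc
04/05/2006 10:27 PM <DIR> BITTOR~1 .bittorrent
04/29/2003 12:51 PM <DIR> Adobe
07/11/2006 08:10 AM <DIR> AVG7
07/11/2006 08:42 AM <DIR> BASHAM~1 Bash Amen
07/14/2006 06:42 PM <DIR> BONEHO~1 BoneHoldVga
07/11/2006 08:13 AM <DIR> Lavasoft
07/02/2006 05:18 PM <DIR> warez
 1 File(s) 2,508 bytes

 Directory of C:\Documents and Settings\All Users\Application Data

07/14/2006 06:53 PM <DIR> avg7
07/11/2006 08:10 AM <DIR> Grisoft
04/29/2006 03:39 PM 354 HPZINS~1.LOG hpzinstall.log
07/11/2006 08:13 AM <DIR> MEETEX~1 meetexitobjvc
07/11/2006 08:33 AM <DIR> WINDOW~1 Windows Genuine Advantage
07/14/2006 06:42 PM <DIR> WMAIDO~1 Wma Idol Poll More
"""

# Date of the first HijackThis log in the thread (7/14/2006).
INCIDENT = datetime(2006, 7, 14)
# Assumption: folders the analyst recognises as legitimate software.
KNOWN = {"adobe", "avg7", "grisoft", "lavasoft", "windows genuine advantage", ".bittorrent"}

DIR_HDR = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M) (<DIR>|[\d,]+) (.+?)\s*$")
# dir /x prints an 8.3 alias (e.g. BASHAM~1) only when it differs from the long name.
SHORT83 = re.compile(r"^[^\s.]{1,6}~\d{1,3}(\.[^\s.]{1,3})?$")
# Assumption: Lop-family folder names are runs of capitalised dictionary words.
LOP_STYLE = re.compile(r"^(?:[A-Z][a-z]+ ?){2,}$")


@dataclass
class Entry:
    directory: str
    modified: datetime
    is_dir: bool
    size: int
    short: Optional[str]
    name: str

    @property
    def path(self) -> str:
        return self.directory + "\\" + self.name


def parse_dir_x(text: str) -> list[Entry]:
    """Turn the whitespace-collapsed listing into Entry objects."""
    entries, current = [], None
    for raw in text.splitlines():
        hdr = DIR_HDR.match(raw)
        if hdr:
            current = hdr.group(1)
            continue
        m = ENTRY.match(raw.strip())
        if not m or current is None:
            continue  # volume header, File(s)/Dir(s) summary, blank line
        stamp, kind, names = m.groups()
        first, _, rest = names.partition(" ")
        short, name = (first, rest) if rest and SHORT83.match(first) else (None, names)
        entries.append(Entry(current, datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
                             kind == "<DIR>", 0 if kind == "<DIR>" else int(kind.replace(",", "")),
                             short, name))
    return entries


def triage(entries: list[Entry], incident: datetime = INCIDENT, window_days: int = 14):
    """Return (entry, reasons) for folders that are not on the allowlist and are
    either modified within the window before the incident or look generated."""
    cutoff = incident - timedelta(days=window_days)
    flagged = []
    for e in entries:
        if not e.is_dir or e.name.lower() in KNOWN:
            continue
        reasons = []
        if e.modified >= cutoff:
            reasons.append(f"modified {e.modified:%Y-%m-%d}, inside the {window_days}-day window")
        if LOP_STYLE.match(e.name):
            reasons.append("Lop-style generated name")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(parse_dir_x(SAMPLE)):
        print(f"{entry.path}  [8.3: {entry.short or '-'}]  <- {'; '.join(why)}")
```

    The allowlist is what keeps "Windows Genuine Advantage" (a multi-word name updated on 7/11) out of the flagged set; without it the name heuristic alone would produce a false positive, which is why the thread relies on a human reading the listing rather than on the name alone.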
     
  12. Cookiegal (Administrator, Malware Specialist Coordinator)
    Copy everything inside the quote box below (starting with @) and paste it into Notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as remlop.bat on your desktop.

    Double-click remlop.bat. A window will open and close quickly; this is normal.


    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    O2 - BHO: (no name) - {20E8C267-8B34-5715-D357-619F545714DA} - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Bib type.exe (file missing)

    O2 - BHO: (no name) - {7B2B37C1-16EA-534D-856E-7A7990828C16} - C:\DOCUME~1\Daniel\APPLIC~1\BASHAM~1\Enc coal.exe (file missing)


    Then boot to safe mode:


    How to restart to safe mode


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:


      c:\windows\NDNuninstall7_22.exe

      c:\windows\ss3unstl.exe

      c:\program files\Registry Cleaner Trial

      C:\Documents and Settings\All Users\Application Data\Wma Idol Poll More

      C:\Documents and Settings\Daniel\Application Data\BoneHoldVga\camp mode tray.exe

      C:\Documents and Settings\Daniel\Application Data\BoneHoldVga\Corn Draw.exe

      C:\Documents and Settings\Daniel\Application Data\BoneHoldVga

      C:\Documents and Settings\Daniel\Application Data\BoneHoldVga\vcfywhvf.exe

      C:\DOCUMENTS AND SETTINGS\Daniel\APPLICATION DATA\Bash Amen\Bib type.exe

      C:\DOCUMENTS AND SETTINGS\Daniel\APPLICATION DATA\Bash Amen\Enc coal.exe

      C:\Documents and Settings\All Users\Application Data\meetexitobjvc

      C:\Documents and Settings\Daniel\Local Settings\Temp\528c9cde.exe

      C:\Documents and Settings\Daniel\Local Settings\Temp\90d601c6.exe

      C:\Documents and Settings\Daniel\Local Settings\Temp\914fc499.exe

      C:\Documents and Settings\Daniel\Local Settings\Temp\bis202.exe

      C:\Documents and Settings\Daniel\Local Settings\Temp\sta2.exe

      C:\Documents and Settings\Daniel\Local Settings\Temp\sta2A7.exe

      C:\Program Files\BoneHoldVga


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Boot back to Windows normally and post another HijackThis log please.
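    Killbox deletes whatever you paste into it. As an added example (not Killbox, and not Cookiegal's procedure), the same kind of removal list can be quarantined instead: each path is hashed, moved into a quarantine folder and recorded in a manifest, paths outside the allowed root are refused, and missing or in-use files are reported rather than treated as failures. The sandbox tree, the dummy file contents and the one out-of-scope path are constructed for the demo; a real cleanup would point it at the live paths from safe mode.

```python
"""Quarantine (hash + move + manifest) a removal list instead of deleting it.
Added example for this thread; not Killbox and not the thread's own code."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _within(path: Path, roots) -> bool:
    """True if path resolves to somewhere under one of the allowed roots."""
    resolved = Path(path).resolve()
    for root in roots:
        try:
            resolved.relative_to(Path(root).resolve())
            return True
        except ValueError:
            continue
    return False


def quarantine(targets, qdir: Path, allowed_roots) -> dict:
    """Move each target (file or whole folder) into qdir, hashing every file first
    and writing manifest.json so the action can be reviewed or undone.
    Paths outside allowed_roots are refused; missing paths are recorded, not
    treated as errors (the post warns some may already be gone); files that
    cannot be moved because they are in use are reported as locked, which is
    the reason the post has you run the removal from safe mode."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    report = {"moved": [], "missing": [], "refused": [], "locked": []}
    for index, target in enumerate(targets):
        target = Path(target)
        if not _within(target, allowed_roots):
            report["refused"].append(str(target))
            continue
        if not target.exists():
            report["missing"].append(str(target))
            continue
        files = [target] if target.is_file() else [p for p in target.rglob("*") if p.is_file()]
        hashes = {str(p.relative_to(target.parent)): sha256_of(p) for p in files}
        dest = qdir / f"{index:03d}_{target.name}"  # index prefix avoids name collisions
        try:
            shutil.move(str(target), str(dest))
        except PermissionError:
            report["locked"].append(str(target))
            continue
        report["moved"].append({"original": str(target), "quarantined": str(dest), "sha256": hashes})
    (qdir / "manifest.json").write_text(json.dumps(report, indent=2))
    return report


def build_sandbox(root: Path) -> list[Path]:
    """Constructed stand-in for the poster's C: drive. Returns a removal list
    shaped like the one in the post (a file, a whole folder, an already-missing
    file) plus one path outside the sandbox to show the refusal."""
    root = Path(root)
    appdata = root / "Documents and Settings" / "Daniel" / "Application Data"
    lop = appdata / "BoneHoldVga"
    lop.mkdir(parents=True)
    (lop / "camp mode tray.exe").write_bytes(b"MZ" + b"\x90" * 64)  # dummy bytes, not malware
    (lop / "vcfywhvf.exe").write_bytes(b"MZ" + b"\x00" * 32)
    (root / "WINDOWS").mkdir()
    (root / "WINDOWS" / "NDNuninstall7_22.exe").write_bytes(b"MZ" + b"\x01" * 16)
    return [
        root / "WINDOWS" / "NDNuninstall7_22.exe",
        lop,                                      # whole folder, like the post's list
        appdata / "Bash Amen" / "Bib type.exe",   # never created: "file missing"
        root.parent / "outside.exe",              # outside the allowed root: refused
    ]


def run_demo() -> dict:
    """Build the sandbox, quarantine the list and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "C"
        targets = build_sandbox(root)
        qdir = root / "Quarantine"
        report = quarantine(targets, qdir, [root])
        return {
            "report": report,
            "original_gone": not targets[1].exists(),
            "quarantined_present": (qdir / "001_BoneHoldVga" / "camp mode tray.exe").exists(),
            "manifest_written": (qdir / "manifest.json").exists(),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

    The manifest is the point: once the machine is confirmed clean the quarantine folder can be deleted, and if something legitimate was caught by mistake the recorded original path and hash let you put it back and prove it is the same file.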
     
  13. uglyamericanV1.5 (Thread Starter)
    Dang, that is a cool little tool.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:41:15 PM, on 7/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\EzButton\CplBTQ00.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\Toshiba Controls\CpRmtKey.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Daniel\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    what now
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,299
    First Name:
    Karen
    The log looks fine. How are things running now?
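How a reviewer reads a log like the one above, as an added example that is not HijackThis code and not anything posted in the thread. It parses the O2, O4 and O23 lines into records and flags three patterns that are assumptions of this example, not rules from the page: a Run entry whose command points into a user's Temp or Application Data, a Run entry that names a bare file with no drive path (so Windows resolves it through PATH), and a service with no vendor string. `SAMPLE_LOG` mixes lines copied from the posted log with two constructed lines, marked in the code, so that each heuristic fires once. A hit is a lead, not a verdict: the bare `NDSTray.exe` entry it flags is the Toshiba ConfigFree tray utility that appears under running processes with its full path, which is exactly the kind of check behind the "looks fine" call above.

```python
"""Added example, not HijackThis or anything posted in the thread: parse the
O2 / O4 / O23 entry lines of a HijackThis 1.99 log into records and flag
the ones a reviewer would check first.  The heuristics are assumptions about
where unwanted software tends to sit, not rules from the page.  SAMPLE_LOG
mixes lines copied from the posted log with two constructed lines (marked
below) so that each heuristic fires once.
"""
import re
from typing import Dict, List, Tuple

RUN_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
USER_WRITABLE = re.compile(r'\\(Local Settings\\Temp|Temp|Application Data)\\', re.I)
DRIVE_PATH = re.compile(r'^[A-Za-z]:\\')

SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [sta2] C:\Documents and Settings\Daniel\Local Settings\Temp\sta2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\System32\examplesvc.exe
"""
# The [sta2] Run line and the "Example Service" line are constructed for the
# demo; every other line is copied from the log posted in the thread.


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """One dict per recognised entry line; other line types are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("O4", RUN_RE), ("O23", SVC_RE), ("O2", BHO_RE)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, **m.groupdict()})
                break
    return entries


def image_path(cmd: str) -> str:
    """First token of a Run command with quotes stripped; arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """(reason, entry) pairs worth a second look; a hit is a lead, not a verdict."""
    flagged = []
    for e in entries:
        if e["kind"] == "O4":
            img = image_path(e["cmd"])
            if USER_WRITABLE.search(e["cmd"]):          # whole command: catches rundll32 <dll>
                flagged.append(("runs from user-writable Temp/Application Data", e))
            elif not DRIVE_PATH.match(img) and not img.lower().startswith("rundll32"):
                flagged.append(("bare filename, resolved through PATH", e))
        elif e["kind"] == "O23" and e["vendor"].strip().lower() in ("", "unknown owner"):
            flagged.append(("service with no vendor", e))
        elif e["kind"] == "O2" and USER_WRITABLE.search(e["path"]):
            flagged.append(("BHO loaded from user-writable location", e))
    return flagged


def demo() -> List[Tuple[str, str]]:
    """Reason and entry name for every hit in SAMPLE_LOG."""
    return [(reason, e["name"]) for reason, e in triage(parse_hjt(SAMPLE_LOG))]


if __name__ == "__main__":
    for reason, name in demo():
        print(f"{reason:48s} {name}")
```

Each hit still needs a human check against the running-process list and the vendor's known file locations, which is what separates a Toshiba tray utility from a dropper that copied its name.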
     
  15. uglyamericanV1.5

    uglyamericanV1.5 Thread Starter

    Joined:
    May 15, 2006
    Messages:
    43
    BOOM THANKS

    good job, and i really appreciate it!
     
Short URL to this thread: https://techguy.org/483304
