please help--can't get rid of adware!


kulrich (Thread Starter)
Hi,
I can't get rid of this virus/trojan thing and it is driving me crazy! I tried Ad-Aware and Spybot and can't get anything to go away. Here is my HijackThis log. Can someone help me?
Thank you ever so much!

Logfile of HijackThis v1.99.0
Scan saved at 8:56:06 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\haekg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\msupd5.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\vwgurg.exe
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
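What a helper reads off a log like this, as an added example (editor's code, not part of the thread and not HijackThis itself): a small Python triage that parses HijackThis-format lines and flags the entries that make this a VX2-style hijack. It reports hosts-file redirections of search domains to a non-loopback IP (O1), a BHO and a text/html MIME filter loaded from an odd %WINDIR% subfolder plus dangling CLSIDs (O2/O18), an autorun executable sitting bare in system32 (O4), an unrecognised Winsock LSP (O10), a site added to the Trusted Zone (O15), an ActiveX download from an untrusted host (O16), changed DNS servers (O17) and services with no publisher or a missing file (O23). The sample lines are copied from the log above; the reason labels and the TRUSTED_DPF_HOSTS list are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 1.99 log for the hijack patterns visible in this thread.

Added example, not part of the original post and not HijackThis itself. SAMPLE_LOG
is copied from the log above (plus one harmless 127.0.0.1 hosts line); the reason
labels and TRUSTED_DPF_HOSTS are this example's assumptions, not HijackThis rules.
"""
import re

SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
LOOPBACK = ("127.", "0.0.0.0", "::1")
TRUSTED_DPF_HOSTS = {"microsoft.com", "windowsupdate.com"}  # assumption: extend per environment
WINDOWS_ROOT = re.compile(r"^c:\\windows(\\system32|\\system)?$", re.I)        # exe sitting bare in an OS dir
WINDOWS_SUBDIR = re.compile(r"^c:\\windows\\(?!system32\\|system\\)", re.I)   # DLL under an odd %WINDIR% subfolder


def parse(log_text):
    """Yield (section code, body) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def exe_path(command):
    """First token of an autorun command, honouring a quoted path."""
    return command[1:command.index('"', 1)] if command.startswith('"') else command.split(" ")[0]


def dpf_host_trusted(url):
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return (section, reason, detail) triples; every reason is a heuristic, not a verdict."""
    findings = []
    for code, body in parse(log_text):
        if code == "O1":                                   # "Hosts: <ip> <name>"
            _, ip, name = body.split(None, 2)
            if not ip.startswith(LOOPBACK):
                findings.append((code, "hosts-hijack", f"{name} -> {ip}"))
        elif code in ("O2", "O18"):                        # "<name> - {CLSID} - <path>"
            path = body.rsplit(" - ", 1)[1]
            if path == "(no file)":
                findings.append((code, "dangling-clsid", body))
            elif WINDOWS_SUBDIR.match(path):
                findings.append((code, "nonstandard-windows-subdir", path))
        elif code == "O4":                                 # "HKLM\..\Run: [name] <command>"
            m = re.search(r"\] (.*)$", body)
            path = exe_path(m.group(1)) if m else ""
            if "\\" in path and WINDOWS_ROOT.match(path.rsplit("\\", 1)[0]):
                findings.append((code, "windows-dir-autorun", path))
        elif code == "O10":
            findings.append((code, "unknown-lsp", body.rsplit(": ", 1)[1]))
        elif code == "O15":
            findings.append((code, "trusted-zone-added", body.split(": ", 1)[1]))
        elif code == "O16":
            url = body.split()[-1]
            if not dpf_host_trusted(url):
                findings.append((code, "untrusted-dpf-download", url))
        elif code == "O17" and "NameServer" in body:
            findings.append((code, "dns-servers-set", body.split("=", 1)[1].strip()))
        elif code == "O23":                                # "Service: <name> - <company> - <path>"
            parts = body.split(": ", 1)[1].split(" - ")
            company, path = parts[1], " - ".join(parts[2:])
            if company == "Unknown" or "(file missing)" in path:
                findings.append((code, "unknown-service", f"{parts[0]} ({company}) {path}"))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:28} {detail}")
```

Every reason is a review prompt rather than a verdict: a legitimate vendor tool dropped straight into system32 triggers the same windows-dir-autorun reason as haekg.exe does, and the O17 entry only tells you the DNS servers were set by something, not by whom. Treat the output as the worklist a helper would go through, one line at a time.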
 
Reply from a member (joined Jan 29, 2005; 31 messages):
That's a nice fresh version of VX2!!!

First thing you need to do is download LSPFix:
http://cexx.org/lspfix.htm

1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select c:\windows\system32\dolsp.dll
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.

Now create a folder on your Desktop for anything you may be asked to download!
To create a folder:
Place the pointer on the Desktop, right-click and select New >>> Folder >>> name it whatever you want!

Now download L2MFix to the new folder.
Here is that link:
http://www.atribune.org/downloads/l2mfix.exe
Double-click l2mfix.exe.
Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until asked to!!
 

kulrich (Thread Starter)
Oh thank you so much! Here are the contents of the log:

L2MFIX find log 1.02a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j62q0gf5e62.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C0664D93-6ED1-46C2-B0F2-6A761EAF3F5D}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{AF8DE18D-9065-4102-BC40-EB294A95BB07}"="Novell Connections"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0EA09DC3-89B7-418A-A10E-5EE22148E75E}"=""
"{12850CA9-1547-4F1D-8809-5EED63F43A33}"=""
"{914A133C-EF1A-41BA-BD9F-D6145781F710}"=""
"{1A4E7718-9A6B-4075-8A34-90A44E496D1D}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{746CF332-5611-4454-A0C0-18ECCE640FEB}"=""
"{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}"=""
"{B8AAEB22-679F-4AB1-BBBB-56183A61E716}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}"=""
"{1402E267-8169-4AC8-BA2C-F6025A4974F6}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}\InprocServer32]
@="C:\\WINDOWS\\system32\\jtbexec.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}\InprocServer32]
@="C:\\WINDOWS\\system32\\svcsccp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}\InprocServer32]
@="C:\\WINDOWS\\system32\\nwtshell.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdkaz.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcvcp60.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}\InprocServer32]
@="C:\\WINDOWS\\system32\\kjdcz1.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is BCFB-2313

Directory of C:\WINDOWS\System32

02/04/2005 08:49 PM 231,465 dn4o01h3e.dll
02/04/2005 03:28 PM 229,784 j62q0gf5e62.dll
02/02/2005 03:18 PM 231,028 stnscfg.dll
01/31/2005 11:52 PM 231,028 p8r4li9q18.dll
01/31/2005 10:45 PM 230,617 lv6m09j1e.dll
01/31/2005 08:31 AM 231,054 no4_disp.dll
01/30/2005 11:03 PM 230,617 dsmsvinn.dLL
01/30/2005 10:50 PM 229,215 f0l02a3mgd.dll
01/30/2005 09:16 PM 230,617 pwlstore.dll
01/30/2005 08:55 PM 230,964 mpw3prt.dll
01/30/2005 07:42 PM 230,897 mohtmler.dll
01/30/2005 06:48 PM 229,947 ptotowiz.dll
01/30/2005 06:05 PM 231,824 dfcqry32.dll
01/30/2005 05:25 PM 230,729 dvmv2clt.dll
01/30/2005 01:39 PM 228,520 pirfts.dll
01/28/2005 06:39 PM 230,866 l24qlch51f4.dll
01/28/2005 05:18 PM <DIR> dllcache
01/28/2005 03:52 PM 230,866 merddm.dll
01/28/2005 03:51 PM 231,302 lt4027hmg.dll
01/28/2005 03:00 PM 231,489 fp2603fse.dll
01/28/2005 02:36 PM 228,931 iqrtprio.dll
01/27/2005 01:36 PM 229,523 q2rq0c95ef.dll
01/27/2005 12:57 PM 229,843 m2ju0c19ef.dll
01/27/2005 10:38 AM 231,610 u8ruli9918.dll
01/27/2005 09:34 AM 228,931 m264lcjq1foe.dll
01/26/2005 09:53 AM 229,874 g8lm0i31e8.dll
01/11/2005 09:10 AM 401,408 ??anregw.exe
11/20/2003 06:56 PM <DIR> Microsoft
26 File(s) 6,162,949 bytes
2 Dir(s) 46,840,713,216 bytes free
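Reading the find log above programmatically, as an added example (editor's code, not part of the thread and not L2MFix's own logic): the registry sections are ordinary .reg text, so a short parser can decode them, including the hex(2) REG_EXPAND_SZ values, which are UTF-16LE bytes, and then apply two checks that match what L2MFix is hunting for. The first flags a Winlogon\Notify package whose DllName is an absolute path or an unrecognised file (the stock XP packages in the log all name a bare DLL that resolves from system32, while the "Control Panel" entry points at C:\WINDOWS\system32\j62q0gf5e62.dll). The second joins the Shell Extensions\Approved entries that have an empty display name to the HKCR CLSID dumps and reports the InprocServer32 target, with a .tmp target (guard.tmp) called out separately from DLLs that merely need review. SAMPLE is a cut-down copy of the log above; STOCK_NOTIFY_DLLS is this example's assumption about a default XP SP2 install plus the Intel graphics entry seen in the log.

```python
"""Parse the registry sections of an L2MFix find log and flag two persistence
mechanisms: a Winlogon Notify package loading a DLL by absolute path, and Approved
shell-extension CLSIDs with no display name whose InprocServer32 points at a .tmp
or other file worth reviewing.

Added example, not part of the thread and not L2MFix's own code. SAMPLE is a
cut-down copy of the log above; STOCK_NOTIFY_DLLS is this example's assumption.
"""
import re

SAMPLE = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"DllName"="C:\\WINDOWS\\system32\\j62q0gf5e62.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

Shell Extension key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{0EA09DC3-89B7-418A-A10E-5EE22148E75E}"=""
"{B8AAEB22-679F-4AB1-BBBB-56183A61E716}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

HKEY ROOT CLASSIDS:
[HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdkaz.dll"
"""

# Assumption: bare DLL names used by the stock XP Notify packages in the log, plus Intel's igfxcui entry.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                     "sclgntfy.dll", "igfxsrvc.dll"}


def decode_value(value):
    """Turn a .reg right-hand side into a Python value."""
    if value.startswith('"'):                       # REG_SZ, with \\ and \" escapes
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("hex(2):"):                 # REG_EXPAND_SZ dumped as UTF-16LE bytes
        raw = bytes.fromhex(value[len("hex(2):"):].replace(",", ""))
        return raw.decode("utf-16-le").rstrip("\x00")
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return value


def parse_reg(text):
    """Return {key path: {value name: value}}; '@' is the key's default value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                     # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


def suspicious_notify(keys):
    """Notify packages whose DllName is an absolute path or not a known stock DLL."""
    out = []
    for key, values in keys.items():
        if "\\winlogon\\notify\\" not in key.lower():
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            continue
        package = key.rsplit("\\", 1)[1]
        if "\\" in dll:                             # stock packages use a bare name resolved from system32
            out.append((package, dll, "absolute-path"))
        elif dll.lower() not in STOCK_NOTIFY_DLLS:
            out.append((package, dll, "unrecognised-dll"))
    return out


def unnamed_shell_extensions(keys):
    """Approved CLSIDs with an empty display name, joined to their InprocServer32 target."""
    approved = next((v for k, v in keys.items()
                     if k.lower().endswith("\\shell extensions\\approved")), {})
    nameless = {clsid.lower() for clsid, name in approved.items() if name == ""}
    out = []
    for key, values in keys.items():
        m = re.search(r"\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$", key.lower())
        if m and m.group(1) in nameless:
            target = values.get("@", "")
            reason = "review" if target.lower().endswith(".dll") else "non-dll-target"
            out.append((m.group(1).upper(), target, reason))
    return out


if __name__ == "__main__":
    found = parse_reg(SAMPLE)
    for hit in suspicious_notify(found) + unnamed_shell_extensions(found):
        print(*hit)
```

A "review" hit is a prompt to look at the file, not a verdict; the point of joining the Approved list to the CLSID dumps is that a shell extension registered without a display name and backed by a freshly written DLL in system32 is exactly the shape the nine dumps above have, and a .tmp InprocServer32 target is the one case that needs no further argument.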
 
Reply from a member (joined Jan 29, 2005; 31 messages):
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Download FindIt:
http://lineofire.geekstogo.com/FindIt NT-2K-XP.zip

Unzip the contents of finditnt2000xp.zip to the new folder.

Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.
Copy/paste this output.txt in the next post along with the L2MFix log!
 

kulrich (Thread Starter)
Thanks again... OK, here goes... actually, the output files will be in a second post as it was too long otherwise. The L2MFix and the HijackThis logs are in this one. Thanks!!!

l2mfix log:

L2Mfix 1.02a

Running From:
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 208 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dfcqry32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn4o01h3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dsmsvinn.dLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dvmv2clt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f0l02a3mgd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp2603fse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g8lm0i31e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iqrtprio.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l24qlch51f4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lt4027hmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv6m09j1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m264lcjq1foe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m2ju0c19ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\merddm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mohtmler.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mpw3prt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\no4_disp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8r4li9q18.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pirfts.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ptotowiz.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pwlstore.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q2rq0c95ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\stnscfg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\u8ruli9918.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\dfcqry32.dll
Successfully Deleted: C:\WINDOWS\system32\dfcqry32.dll
deleting: C:\WINDOWS\system32\dn4o01h3e.dll
Successfully Deleted: C:\WINDOWS\system32\dn4o01h3e.dll
deleting: C:\WINDOWS\system32\dsmsvinn.dLL
Successfully Deleted: C:\WINDOWS\system32\dsmsvinn.dLL
deleting: C:\WINDOWS\system32\dvmv2clt.dll
Successfully Deleted: C:\WINDOWS\system32\dvmv2clt.dll
deleting: C:\WINDOWS\system32\f0l02a3mgd.dll
Successfully Deleted: C:\WINDOWS\system32\f0l02a3mgd.dll
deleting: C:\WINDOWS\system32\fp2603fse.dll
Successfully Deleted: C:\WINDOWS\system32\fp2603fse.dll
deleting: C:\WINDOWS\system32\g8lm0i31e8.dll
Successfully Deleted: C:\WINDOWS\system32\g8lm0i31e8.dll
deleting: C:\WINDOWS\system32\iqrtprio.dll
Successfully Deleted: C:\WINDOWS\system32\iqrtprio.dll
deleting: C:\WINDOWS\system32\l24qlch51f4.dll
Successfully Deleted: C:\WINDOWS\system32\l24qlch51f4.dll
deleting: C:\WINDOWS\system32\lt4027hmg.dll
Successfully Deleted: C:\WINDOWS\system32\lt4027hmg.dll
deleting: C:\WINDOWS\system32\lv6m09j1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv6m09j1e.dll
deleting: C:\WINDOWS\system32\m264lcjq1foe.dll
Successfully Deleted: C:\WINDOWS\system32\m264lcjq1foe.dll
deleting: C:\WINDOWS\system32\m2ju0c19ef.dll
Successfully Deleted: C:\WINDOWS\system32\m2ju0c19ef.dll
deleting: C:\WINDOWS\system32\merddm.dll
Successfully Deleted: C:\WINDOWS\system32\merddm.dll
deleting: C:\WINDOWS\system32\mohtmler.dll
Successfully Deleted: C:\WINDOWS\system32\mohtmler.dll
deleting: C:\WINDOWS\system32\mpw3prt.dll
Successfully Deleted: C:\WINDOWS\system32\mpw3prt.dll
deleting: C:\WINDOWS\system32\no4_disp.dll
Successfully Deleted: C:\WINDOWS\system32\no4_disp.dll
deleting: C:\WINDOWS\system32\p8r4li9q18.dll
Successfully Deleted: C:\WINDOWS\system32\p8r4li9q18.dll
deleting: C:\WINDOWS\system32\pirfts.dll
Successfully Deleted: C:\WINDOWS\system32\pirfts.dll
deleting: C:\WINDOWS\system32\ptotowiz.dll
Successfully Deleted: C:\WINDOWS\system32\ptotowiz.dll
deleting: C:\WINDOWS\system32\pwlstore.dll
Successfully Deleted: C:\WINDOWS\system32\pwlstore.dll
deleting: C:\WINDOWS\system32\q2rq0c95ef.dll
Successfully Deleted: C:\WINDOWS\system32\q2rq0c95ef.dll
deleting: C:\WINDOWS\system32\stnscfg.dll
Successfully Deleted: C:\WINDOWS\system32\stnscfg.dll
deleting: C:\WINDOWS\system32\u8ruli9918.dll
Successfully Deleted: C:\WINDOWS\system32\u8ruli9918.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: dfcqry32.dll (164 bytes security) (deflated 6%)
adding: dn4o01h3e.dll (164 bytes security) (deflated 6%)
adding: dsmsvinn.dLL (164 bytes security) (deflated 5%)
adding: dvmv2clt.dll (164 bytes security) (deflated 5%)
adding: f0l02a3mgd.dll (164 bytes security) (deflated 5%)
adding: fp2603fse.dll (164 bytes security) (deflated 5%)
adding: g8lm0i31e8.dll (164 bytes security) (deflated 5%)
adding: iqrtprio.dll (164 bytes security) (deflated 4%)
adding: l24qlch51f4.dll (164 bytes security) (deflated 5%)
adding: lt4027hmg.dll (164 bytes security) (deflated 5%)
adding: lv6m09j1e.dll (164 bytes security) (deflated 5%)
adding: m264lcjq1foe.dll (164 bytes security) (deflated 4%)
adding: m2ju0c19ef.dll (164 bytes security) (deflated 5%)
adding: merddm.dll (164 bytes security) (deflated 5%)
adding: mohtmler.dll (164 bytes security) (deflated 5%)
adding: mpw3prt.dll (164 bytes security) (deflated 5%)
adding: no4_disp.dll (164 bytes security) (deflated 5%)
adding: p8r4li9q18.dll (164 bytes security) (deflated 5%)
adding: pirfts.dll (164 bytes security) (deflated 4%)
adding: ptotowiz.dll (164 bytes security) (deflated 5%)
adding: pwlstore.dll (164 bytes security) (deflated 5%)
adding: q2rq0c95ef.dll (164 bytes security) (deflated 5%)
adding: stnscfg.dll (164 bytes security) (deflated 5%)
adding: u8ruli9918.dll (164 bytes security) (deflated 5%)
adding: guard.tmp (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 63%)
adding: echo.reg (164 bytes security) (deflated 14%)
adding: desktop.ini (164 bytes security) (deflated 13%)
adding: direct.txt (164 bytes security) (deflated 4%)
adding: lo2.txt (164 bytes security) (deflated 83%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 69%)
adding: test.txt (164 bytes security) (deflated 79%)
adding: test2.txt (164 bytes security) (deflated 45%)
adding: test3.txt (164 bytes security) (deflated 45%)
adding: test5.txt (164 bytes security) (deflated 45%)
adding: xfind.txt (164 bytes security) (deflated 73%)
adding: backregs/0EA09DC3-89B7-418A-A10E-5EE22148E75E.reg (164 bytes security) (deflated 70%)
adding: backregs/12850CA9-1547-4F1D-8809-5EED63F43A33.reg (164 bytes security) (deflated 70%)
adding: backregs/1402E267-8169-4AC8-BA2C-F6025A4974F6.reg (164 bytes security) (deflated 70%)
adding: backregs/1A4E7718-9A6B-4075-8A34-90A44E496D1D.reg (164 bytes security) (deflated 70%)
adding: backregs/4ED80B1A-804A-4A2C-A70B-6A281DA53B6E.reg (164 bytes security) (deflated 70%)
adding: backregs/746CF332-5611-4454-A0C0-18ECCE640FEB.reg (164 bytes security) (deflated 70%)
adding: backregs/914A133C-EF1A-41BA-BD9F-D6145781F710.reg (164 bytes security) (deflated 70%)
adding: backregs/B8AAEB22-679F-4AB1-BBBB-56183A61E716.reg (164 bytes security) (deflated 70%)
adding: backregs/EA26FBD2-1F32-4382-BBC1-90AEF756DC6F.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dfcqry32.dll
deleting local copy: dn4o01h3e.dll
deleting local copy: dsmsvinn.dLL
deleting local copy: dvmv2clt.dll
deleting local copy: f0l02a3mgd.dll
deleting local copy: fp2603fse.dll
deleting local copy: g8lm0i31e8.dll
deleting local copy: iqrtprio.dll
deleting local copy: l24qlch51f4.dll
deleting local copy: lt4027hmg.dll
deleting local copy: lv6m09j1e.dll
deleting local copy: m264lcjq1foe.dll
deleting local copy: m2ju0c19ef.dll
deleting local copy: merddm.dll
deleting local copy: mohtmler.dll
deleting local copy: mpw3prt.dll
deleting local copy: no4_disp.dll
deleting local copy: p8r4li9q18.dll
deleting local copy: pirfts.dll
deleting local copy: ptotowiz.dll
deleting local copy: pwlstore.dll
deleting local copy: q2rq0c95ef.dll
deleting local copy: stnscfg.dll
deleting local copy: u8ruli9918.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dfcqry32.dll
C:\WINDOWS\system32\dn4o01h3e.dll
C:\WINDOWS\system32\dsmsvinn.dLL
C:\WINDOWS\system32\dvmv2clt.dll
C:\WINDOWS\system32\f0l02a3mgd.dll
C:\WINDOWS\system32\fp2603fse.dll
C:\WINDOWS\system32\g8lm0i31e8.dll
C:\WINDOWS\system32\iqrtprio.dll
C:\WINDOWS\system32\l24qlch51f4.dll
C:\WINDOWS\system32\lt4027hmg.dll
C:\WINDOWS\system32\lv6m09j1e.dll
C:\WINDOWS\system32\m264lcjq1foe.dll
C:\WINDOWS\system32\m2ju0c19ef.dll
C:\WINDOWS\system32\merddm.dll
C:\WINDOWS\system32\mohtmler.dll
C:\WINDOWS\system32\mpw3prt.dll
C:\WINDOWS\system32\no4_disp.dll
C:\WINDOWS\system32\p8r4li9q18.dll
C:\WINDOWS\system32\pirfts.dll
C:\WINDOWS\system32\ptotowiz.dll
C:\WINDOWS\system32\pwlstore.dll
C:\WINDOWS\system32\q2rq0c95ef.dll
C:\WINDOWS\system32\stnscfg.dll
C:\WINDOWS\system32\u8ruli9918.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{0EA09DC3-89B7-418A-A10E-5EE22148E75E}"=-
"{12850CA9-1547-4F1D-8809-5EED63F43A33}"=-
"{914A133C-EF1A-41BA-BD9F-D6145781F710}"=-
"{1A4E7718-9A6B-4075-8A34-90A44E496D1D}"=-
"{746CF332-5611-4454-A0C0-18ECCE640FEB}"=-
"{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}"=-
"{B8AAEB22-679F-4AB1-BBBB-56183A61E716}"=-
"{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}"=-
"{1402E267-8169-4AC8-BA2C-F6025A4974F6}"=-
[-HKEY_CLASSES_ROOT\CLSID\{0EA09DC3-89B7-418A-A10E-5EE22148E75E}]
[-HKEY_CLASSES_ROOT\CLSID\{12850CA9-1547-4F1D-8809-5EED63F43A33}]
[-HKEY_CLASSES_ROOT\CLSID\{914A133C-EF1A-41BA-BD9F-D6145781F710}]
[-HKEY_CLASSES_ROOT\CLSID\{1A4E7718-9A6B-4075-8A34-90A44E496D1D}]
[-HKEY_CLASSES_ROOT\CLSID\{746CF332-5611-4454-A0C0-18ECCE640FEB}]
[-HKEY_CLASSES_ROOT\CLSID\{4ED80B1A-804A-4A2C-A70B-6A281DA53B6E}]
[-HKEY_CLASSES_ROOT\CLSID\{B8AAEB22-679F-4AB1-BBBB-56183A61E716}]
[-HKEY_CLASSES_ROOT\CLSID\{EA26FBD2-1F32-4382-BBC1-90AEF756DC6F}]
[-HKEY_CLASSES_ROOT\CLSID\{1402E267-8169-4AC8-BA2C-F6025A4974F6}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C0664D93-6ED1-46C2-B0F2-6A761EAF3F5D}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{C0664D93-6ED1-46C2-B0F2-6A761EAF3F5D}</IDone>
<IDtwo>DS4</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

new hijack this log:

Logfile of HijackThis v1.99.0
Scan saved at 10:37:21 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\haekg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\khigti.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\msupd5.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
 

kulrich

Thread Starter
Joined
Feb 3, 2005
Messages
12
OK, here is the output log:

---------------- FindVX2 NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)

********* Date/Time ********

Friday, February 04, 2005 (2/4/2005)
10:40 PM, Eastern Standard Time

*********** Path ***********

FindVX2.bat is running from: C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Desktop\Downloaded help things\FindIt NT-2K-XP\FindIt NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is BCFB-2313

Directory of C:\WINDOWS\System32

01/28/2005 05:18 PM <DIR> dllcache
01/11/2005 09:10 AM 401,408 ??anregw.exe
11/20/2003 06:56 PM <DIR> Microsoft
1 File(s) 401,408 bytes
2 Dir(s) 46,836,486,144 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is BCFB-2313

Directory of C:\WINDOWS\System32

02/04/2005 04:59 AM <DIR> vmss
02/04/2005 04:59 AM <DIR> wsxsvc
01/28/2005 05:18 PM <DIR> dllcache
01/25/2005 01:54 PM 53,248 haekg.exe
01/11/2005 09:10 AM 401,408 ??anregw.exe
04/21/2004 10:23 AM 488 WindowsLogon.manifest
04/21/2004 10:23 AM 488 logonui.exe.manifest
04/21/2004 10:23 AM 749 sapi.cpl.manifest
04/21/2004 10:23 AM 749 nwc.cpl.manifest
04/21/2004 10:23 AM 749 wuaucpl.cpl.manifest
04/21/2004 10:23 AM 749 cdplayer.exe.manifest
04/21/2004 10:23 AM 749 ncpa.cpl.manifest
9 File(s) 459,377 bytes
3 Dir(s) 46,836,482,048 bytes free

--------------- Files Named "Guard" --------------

Volume in drive C has no label.
Volume Serial Number is BCFB-2313

Directory of C:\WINDOWS\System32


-------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is BCFB-2313

Directory of C:\WINDOWS\System32

03/08/2004 11:00 PM 132,880 nsw42.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
2 File(s) 135,457 bytes
0 Dir(s) 46,836,482,048 bytes free

------------------- User Agent -------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

--------------- Keys Under Notify ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------ Shell Extensions Approved -----------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"

--------------- Locate.com Results ---------------

 
Joined
Jan 29, 2005
Messages
31
Some more Downloads:

Pocket KillBox:
http://www.bleepingcomputer.com/files/killbox.php
Inside this page is a direct download plus a brief description of what the program does!

Download VX2Finder from:
http://www.downloads.subratam.org/VX2Finder.exe

Just hang on to it, we will use it in a bit!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)

O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB

O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d..._MARKETING2.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Unregister this DLL
Click Start>>Click Run>>Type in regsvr32 /u C:\WINDOWS\isrvs\mfiltis.dll and hit OK!
If you get an error message, try this:
Click Start>>Click Run>>Type in regsvr32 /u mfiltis.dll

Open KillBox, select Standard File Delete and select End explorer shell while Killing file.

Copy & paste these into KillBox one at a time; after each entry, click the red stop sign with the white X in the middle!

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\khigti.exe

C:\WINDOWS\system32\nsw42.tmp

C:\WINDOWS\system32\haekg.exe

C:\WINDOWS\System32\msupd5.exe

If any of the above will not delete, make a note of which do not, open KillBox again and select Delete on Reboot, paste those entries into KillBox, and decline the option to reboot until you have entered the last file!

When prompted to reboot, do so and select Safe Mode:

Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders; this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=62
Please Make sure this Config is done in Safe Mode!

Now I need you to locate and delete a few folders:

C:\WINDOWS\isrvs<<< The Entire isrvs folder!

C:\WINDOWS\System32\wsxsvc<<< The Entire wsxsvc folder!

C:\WINDOWS\System32\vmss<<< The Entire vmss folder!

When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:

http://netsquirrel.com/msconfig/

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
http://members.aol.com/toadbee/hoster.zip

Once restarted, download this program:

Download VX2Finder from:
http://www.downloads.subratam.org/VX2Finder.exe
Click on these buttons in the right pane unless they are "greyed" out:
In this order please,
Guardian.reg
User Agent$
Restore Policy

You will be prompted to reboot, do so!

Once restarted, post a fresh HijackThis log and let's have a look!
 

kulrich

Thread Starter
Joined
Feb 3, 2005
Messages
12
Thank you ever so much!
Here is the first HijackThis log (after enabling all the startup stuff); more to come:

Logfile of HijackThis v1.99.0
Scan saved at 12:20:46 AM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vwgurg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [wdecma] c:\windows\system32\wdecma.exe
O4 - HKLM\..\Run: [vyjuic] C:\WINDOWS\System32\vyjuic.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\adl_dh.exe
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [of9r6mmd] C:\Program Files\of9r6mmd\of9r6mmd.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [igvcoc] C:\WINDOWS\System32\igvcoc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [App32dll] C:\WINDOWS\system32\msnav32.exe dvd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [3soj39V] vgaompos.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Sesr] C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [IB7tRVZ6V] uxttcprx.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 

kulrich

Thread Starter
Joined
Feb 3, 2005
Messages
12
I'm glad you know what you are doing. Here is the new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 12:27:56 AM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vwgurg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wintask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\dlsmgr\dlsmgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\msnav32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [wdecma] c:\windows\system32\wdecma.exe
O4 - HKLM\..\Run: [vyjuic] C:\WINDOWS\System32\vyjuic.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\adl_dh.exe
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [of9r6mmd] C:\Program Files\of9r6mmd\of9r6mmd.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [igvcoc] C:\WINDOWS\System32\igvcoc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [App32dll] C:\WINDOWS\system32\msnav32.exe dvd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [3soj39V] vgaompos.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Sesr] C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [IB7tRVZ6V] uxttcprx.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
Joined
Jan 29, 2005
Messages
31
Have faith, we are getting there!!!

Go to Add/remove programs and remove:
AdStatus Service

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)

O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [haekg] C:\WINDOWS\system32\haekg.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe

O4 - HKLM\..\Run: [wdecma] c:\windows\system32\wdecma.exe

O4 - HKLM\..\Run: [vyjuic] C:\WINDOWS\System32\vyjuic.exe

O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\adl_dh.exe

O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe

O4 - HKLM\..\Run: [of9r6mmd] C:\Program Files\of9r6mmd\of9r6mmd.exe

O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe

O4 - HKLM\..\Run: [igvcoc] C:\WINDOWS\System32\igvcoc.exe

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe

O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe

O4 - HKLM\..\Run: [App32dll] C:\WINDOWS\system32\msnav32.exe dvd

O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

O4 - HKCU\..\Run: [Sesr] C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe

O4 - HKCU\..\Run: [IB7tRVZ6V] uxttcprx.exe


O4 - HKLM\..\Run: [3soj39V] vgaompos.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE (F5 or F8 when restarting)

Locate and delete:

C:\WINDOWS\system32\haekg.exe<<< Just the EXE!

C:\WINDOWS\system32\wintask.exe<<< Just the EXE!

C:\windows\system32\wdecma.exe<<< Just the EXE!

C:\WINDOWS\System32\vyjuic.exe<<< Just the EXE!

C:\WINDOWS\System32\adl_dh.exe<<< Just the EXE!

C:\WINDOWS\system32\n20050308.exe<<< Just the EXE!

C:\WINDOWS\System32\igvcoc.exe<<< Just the EXE!

C:\WINDOWS\system32\msnav32.exe<<< Just the EXE!

C:\windows\bundles\adl_mteststub.exe<<< Just the EXE!

C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\Application Data\ioub.exe<<< Just the EXE!

C:\WINDOWS\isrvs<<< The entire isrvs folder!

C:\WINDOWS\System32\vmss<<< The entire vmss folder!

C:\WINDOWS\System32\wsxsvc<<< The entire wsxsvc folder!

C:\Program Files\dlsmgr<<< The entire dlsmgr folder!

C:\Program Files\CSBB<<< The entire CSBB folder!

C:\Program Files\of9r6mmd<<< The entire of9r6mmd folder!

C:\Program Files\AdStatus Service<<< The entire AdStatus Service folder!

uxttcprx.exe<<< Unsure of exact location!

vgaompos.exe<<< Unsure of exact location!

Once completed, post a fresh HijackThis log and let's hear how the PC is running?
 

kulrich

Thread Starter
Joined
Feb 3, 2005
Messages
12
I didn't see AdStatus Service when I went to Add/Remove Programs. Am I doing something wrong?
 

kulrich

Thread Starter
Joined
Feb 3, 2005
Messages
12
Hmm. I am afraid I did something wrong. The only files I found to delete when I was in Safe Mode were wintask.exe, msnav32.exe, dlsmgr, of9r6mmd, AdStatus Service. I didn't see any of the others. Have I thanked you recently for all your help? Well, I will again... thank you!!! And the ole computer seems to be doing pretty well. The demonic flashy pop-up toolbar over my clock has disappeared, and (holding my breath) I haven't seen any pesky pop-ups recently.
So here is my new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 1:44:56 AM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vwgurg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
Joined
Jan 29, 2005
Messages
31
I gotta get a new Internet Provider, mine is upgrading the lines to fiber optic and wham, I have no Internet connection!

OK, we still have some bugs running around in there!!

Open KillBox, select Standard File Delete and End Explorer Shell while Killing File!

Look to the bottom right, under processes, locate this one: vwgurg.exe, select to end or kill it!

Now Copy & Paste this into the Text Box:
C:\WINDOWS\system32\vwgurg.exe
Hit the Stop Sign with the white X in the middle!

Now go back and make sure Windows is properly configured to show ALL Hidden Files and Folders!
This is a must for whatever Mode you are in!
Might be why you didn't see some of those files last round!
The Config for Hidden Files has to be done per user >>> per mode!

Once that's completed, locate and delete this folder:

C:\WINDOWS\isrvs

If it won't delete in Normal Mode, go back to Safe Mode and kill it!

Make sure to check the Recycle Bin to see if it's there; if not, let me know; if so, empty the Recycle Bin!

Once completed, open HijackThis, put a check by these but Do Not Hit the Fix Checked Button yet!

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)

O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

Now close ALL Windows and Browsers and hit the Fix Checked Button!

I will need you to restart the PC once more, and scan with HijackThis, save that log!

Download, install and scan with eScan:
http://www.mwti.net/antivirus/free_utilities.asp
Extract All Files, double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, copy and paste it in your next reply.
All I need to see is what's in the bottom window!

Place those 2 logs in the next post and we will go from there!
 

kulrich

Thread Starter
Joined
Feb 3, 2005
Messages
12
All right, here is what I got. When I tried to get C:\WINDOWS\system32\vwgurg.exe, it claimed the file didn't exist. I then went to try and kill C:\WINDOWS\isrvs, and I had it all configured for showing hidden files, but it still wasn't there. I checked my recycling bin, and it WAS there, so I emptied the recycling bin.
Thanks again for putting up with me...

here is my hijack this log:

Logfile of HijackThis v1.99.0
Scan saved at 12:14:57 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\khigti.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kristin Ulrich.HOME-STKA724BQB\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.umich.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O2 - BHO: (no name) - {823E8159-A3EA-1119-070B-BCB6FA2C32E3} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF600A33-85DF-4EFB-9BA0-3AB7B6BE04AB}: NameServer = 206.141.193.55 66.73.20.40
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

and here is my eScan log:

File C:\WINDOWS\system32\ienpbn.dll infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\khigti.exe infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lhauwa.exe infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\phqghume.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\exdl.exe infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\adupdater.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\CP18.exe infected by "Trojan-Downloader.Win32.Small.ahx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\docore.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dolsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dosync.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\exp.exe infected by "Trojan-Downloader.Win32.Small.abd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hszvg.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hynek.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\igvco.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\system32\ivluh.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ivluhd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ivluhf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\javex80.vxd infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\kthocgto.exe infected by "Trojan-Proxy.Win32.Agent.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lcquoq.dll infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lukky.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lukkyd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\pgnzc.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vyjui.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wpkubk.dat infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\yfutm.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ymxyl.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\yzrst.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\ICD1.tmp\installer_MEDIAWHIZ8.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr088D infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr5297 infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr60EB infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr7E47 infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr884A infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.fr8BFE infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.frAE5E infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.frEE76 infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\temp.frF964 infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CFF2C6RA\installer_MEDIAWHIZ8[1].cab infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\Temp\vmstmp\vmstmp.exe infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\IHP6ZQXW\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\KPGFSN8J\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.of" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\QTCZMPM5\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\S5638X6N\AppWrap[2].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\T8W3LH8L\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.ru" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\KRISTI~1.HOM\LOCALS~1\TEMPOR~1\Content.IE5\YL30PS3M\AppWrap[1].exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
 
Joined
Jan 29, 2005
Messages
31
Tell ya what, Kaspersky offers a 30 day trial of their AV!

Download it and update it!
http://www.kaspersky.com/trials

Scan the system twice!

Remove all it finds, it should remove everything in the eScan log for us!

You can remove this program once all is clear!

Post a fresh HijackThis log once completed!
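As an added example (not code from this thread, from HijackThis or from eScan), the script below does by machine what the helper does by eye above: it flags HijackThis entries whose backing file is gone (the "(no file)" and "(file missing)" BHO and filter lines that were ticked for Fix Checked) and autorun entries that load from a directory already judged to belong to the infection (here C:\WINDOWS\isrvs), and it summarizes an eScan report by detection name and by directory so the analyst can see which families and locations dominate. The sample log lines are constructed from entries quoted earlier in the thread; the suspect-directory list is an input the analyst supplies, and the regular expressions assume the exact line layouts shown in those logs.

```python
"""Triage helpers for the two log formats pasted in this thread: a HijackThis
log (R0/O2/O4/O18 ... lines) and eScan's per-file detection lines."""
import re

# Constructed sample in HijackThis format, built from entries quoted above.
SAMPLE_HJT = r"""
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {5D538DA4-F637-25A7-F39F-01B2D0EBCC31} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample in eScan's output format, built from lines quoted above.
SAMPLE_ESCAN = r"""
File C:\WINDOWS\system32\ienpbn.dll infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\khigti.exe infected by "Trojan-Downloader.Win32.Qoologic.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
"""

# A HijackThis entry line: section tag, " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in a code/driver extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|bat|cmd))', re.IGNORECASE)
# eScan prints either 'infected by "<name>" Virus.' or 'tagged as <name>.'
ESCAN_RE = re.compile(r'^File (.+?) (?:infected by "(.+?)" Virus|tagged as (.+?))\. ')


def parse_entries(log_text):
    """Return (section, body) pairs for each HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def extract_path(body):
    """Pull the first on-disk path out of an entry body, or None. Bare names
    such as NWTRAY.EXE carry no path and are left alone here."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage(log_text, suspect_dirs):
    """Flag the two things the helper acted on in this thread: entries whose
    backing file is gone (HijackThis prints '(no file)' / '(file missing)'),
    and autoruns that load from a directory already judged to be malware's.
    suspect_dirs is an analyst-supplied list (assumption, not a HijackThis feature)."""
    norm_dirs = [d.lower().rstrip("\\") + "\\" for d in suspect_dirs]
    findings = []
    for section, body in parse_entries(log_text):
        path = extract_path(body)
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((section, "orphaned", path or body))
        elif path and any(path.lower().startswith(d) for d in norm_dirs):
            findings.append((section, "suspect-dir", path))
    return findings


def summarize_escan(escan_text):
    """Count eScan detections per detection name and per directory, so the
    analyst sees which families and which locations dominate the report."""
    by_name, by_dir = {}, {}
    for line in escan_text.splitlines():
        m = ESCAN_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1)
        name = m.group(2) or m.group(3)
        directory = path.rsplit("\\", 1)[0].lower()
        by_name[name] = by_name.get(name, 0) + 1
        by_dir[directory] = by_dir.get(directory, 0) + 1
    return by_name, by_dir


if __name__ == "__main__":
    for section, reason, what in triage(SAMPLE_HJT, [r"C:\WINDOWS\isrvs"]):
        print(f"{section:<4} {reason:<12} {what}")
    names, dirs = summarize_escan(SAMPLE_ESCAN)
    print(names)
    print(dirs)
```

On the constructed sample, `triage` returns three orphaned entries (the two BHOs and the text/html filter) and two suspect-directory autoruns (desktop.exe and ffisearch.exe), which is exactly the set the helper ticked for Fix Checked; the `summarize_escan` counts make it obvious that C:\WINDOWS\system32 is where most of the eScan hits sit. Orphaned entries take precedence over the directory check so an entry is reported once.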
 