Welcome Guest ( Log In | Register )

      
Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.
2 Pages V   1 2 >  
 Closed TopicStart new topic
please help! Spyware is not working! [RESOLVED], cant identify virus/spyware/trojan
peachywilds18
post Aug 17 2005, 10:59 AM
Post #1


Member
**
Posts: 13
OS: Windows ME
Help!! I have followed all the steps to removing spyware/viruses/trojans from my computer and nothing is working. First, I started out with AdAware, ran that and it came up with 800 critical objects! THen my computer crashed after trying to remove the objects. Finally when the office manager helped to get it started again, I ran adaware, and slowly, each time, there were less and less critical objects. Finally, when it got down to like 26 objects, it would tell me that the c:_RESTORE\ARCHIVE\23455.CAB could not be removed. I cant find these items in my c_RESTORE folder, nor is it letting me remove anything from that folder. Today, I downloaded Trojan Hunter, CWshredder, and Vx2 cleaner plug in. I ran each of these. I also disable my system restore, and ran programs. After I reboot, I ran AdAware again, and it still shows almost 10 critical objects. THe VX2 is gone and the Bargain Buddy is gone, but the BookSpace and Tracking cookie are still there. I deleted all my temp files and temp internet files. Now when i delete the critical objects, it does it, but then as soon as I reboot again, those objects are still there. So, i guess they are not really getting deleted?? I know this, becuase I am still getting pop ups. I have been dealing with this for three days, and this is my work computer, I really need help!! I do not know too too much about the inner workings of an operating system, only what I read and learn, so excuse me if I sound like a complete idiot!! What do i do next!!!???
Go to the top of the page
 
+Quote Post
Snickets
post Aug 17 2005, 11:04 AM
Post #2


Visiting Staff
Group Icon
Posts: 425
OS: XP
Hello peachywilds18,

Welcome to GeekstoGo my name is Snickets and I will be helping you today!!!

1.Set up a folder by doing the following.
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.

2. Then go here to download the latest version of hijack this 1.99.1 and save this into the folder you created for hijackthis.

3. Double-click on the hijackthis.exe to scan.
Select "Scan and Save Log".
After the scan save the log somewhere where you will remember.
Then go to the location where you saved the hijack this log and open it up, then hit CTRL A to highlight all the text inside, then right click and hit the copy option then paste the contents back into this thread.

Thank you,

Snickets

ohmy.gif
Go to the top of the page
 
+Quote Post
peachywilds18
post Aug 17 2005, 11:31 AM
Post #3


Member
**
Posts: 13
OS: Windows ME
Thank you so much!! Ok, so I hope I did this right, here is the log I copied:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:46 PM, on 8/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\UTHM\AREA.EXE
C:\GLEH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\4SDDDX.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL (file missing)
O2 - BHO: (no name) - {7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD} - C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sdddx.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [ACTADM] C:\WINDOWS\SYSTEM\ACTADM.exe
O4 - HKCU\..\Run: [Uate] C:\Program Files\uthm\area.exe
O4 - Startup: prct.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...om_bedroom1.xml

ok, let me know what to do next!! THanks again!
Go to the top of the page
 
+Quote Post
Snickets
post Aug 18 2005, 09:28 AM
Post #4


Visiting Staff
Group Icon
Posts: 425
OS: XP
Hello peachywilds18,

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Thank you,

Snickets

ohmy.gif
Go to the top of the page
 
+Quote Post
peachywilds18
post Aug 18 2005, 10:17 AM
Post #5


Member
**
Posts: 13
OS: Windows ME
hey snickets!

Ok, so I did that. I will post the results below. First, i wanted to tell you that I have been running my spyware detector programs, and the only thing that is coming up now is the tracking cookie. Even though it is not showing any virus or trojan or major problem, I still am getting popups like crazy. Is that really just from a tracking cookie?? Or is it possible there is an infection deeply embedded in my computer that these programs arent catching??

Here is the Trackqoo report:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Keyboard Manager"="C:\\Program Files\\Netropa\\One-touch Multimedia Keyboard\\MMKeybd.exe"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"winsync"="C:\\WINDOWS\\4sdddx.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\SYSTEM\DOCPROP2.DLL

==============================
C:\WINDOWS\All Users\Start Menu\Programs\StartUp

==============================
C:\WINDOWS\Start Menu\Programs\StartUp

prct.exe
==============================
C:\WINDOWS\SYSTEM cpl files


INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
WUAUCPL.CPL Microsoft Corporation
ACCESS.CPL Microsoft Corporation
THEMES.CPL Microsoft Corporation
igfxcpl.cpl Intel Corporation
FINDFAST.CPL Microsoft Corporation
conres.cpl


And here is the winpfind.txt report:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 5.50.4134.0600

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PTech 8/18/2005 11:45:50 AM 831520 C:\WINDOWS\USER.DAT
KavSvc 8/18/2005 11:45:50 AM 2687008 C:\WINDOWS\SYSTEM.DAT
winsync 8/18/2005 11:45:50 AM 2687008 C:\WINDOWS\SYSTEM.DAT
69.59.186.63 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll
209.66.67.134 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll
web-nex 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll
winsync 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll

Items found in C:\WINDOWS\hosts

69.59.186.63 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
209.66.67.134 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
web-nex 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
winsync 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
UPX! 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\ru.exe
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
PTech 8/18/2005 11:38:50 AM 5632 C:\WINDOWS\VSX1.1.exe
web-nex 8/15/2005 6:07:28 PM 3943 C:\WINDOWS\hmvkk.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe

Checking %System% folder...
PTech 11/9/1999 10:55:54 PM 88571 C:\WINDOWS\SYSTEM\MDACRDME.HTM
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\VDAJET32.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\HUZFLT04.DLL
69.59.186.63 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
209.66.67.134 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
66.63.167.97 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
66.63.167.77 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
web-nex 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
winsync 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
rec2_run 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
PEC2 8/3/2005 6:27:14 AM 50176 C:\WINDOWS\SYSTEM\ba7_ni.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IX41_QCX.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SJDPAPI.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MARD2X40.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MKAPSSPC.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOLOR.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SGSTHUNK.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MADOCS.DLL
UPX! 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\SYSTEM\area.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOMPOS.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IPWDIAL.DLL
UPX! 8/15/2005 3:37:50 PM 24576 C:\WINDOWS\SYSTEM\AUNPS2.dll.tcf
UPX! 8/16/2005 5:39:50 PM 67072 C:\WINDOWS\SYSTEM\actadm.exe.tcf
UPX! 8/16/2005 2:55:06 PM 29696 C:\WINDOWS\SYSTEM\PSof1.exe.tcf
UPX! 8/18/2005 11:27:02 AM 68096 C:\WINDOWS\SYSTEM\msigag.exe
UPX! 8/18/2005 11:32:52 AM 68096 C:\WINDOWS\SYSTEM\rnadnu.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MUJDBC10.DLL
UPX! 8/18/2005 11:38:52 AM 68096 C:\WINDOWS\SYSTEM\whlraw.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\owhlp30e.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mwiosd32.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\UFDMXFRM.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RWCLTS3.DLL
aspack 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
KavSvc 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
69.59.186.63 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
209.66.67.134 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
66.63.167.97 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
66.63.167.77 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
web-nex 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
yourkey 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
rec2_run 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mamdvdif.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\JEEG2X32.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TjxDlgUtil.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RNAENH.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mgikbdsw.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TIP3216S.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TEP3216S.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/18/2005 11:46:56 AM 847904 C:\WINDOWS\USER.DAT
H 8/18/2005 11:45:50 AM 2687008 C:\WINDOWS\SYSTEM.DAT
H 8/18/2005 11:43:56 AM 11560 C:\WINDOWS\ttfCache
H 8/18/2005 11:38:56 AM 5087264 C:\WINDOWS\CLASSES.DAT
SH 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\ru.exe
H 8/18/2005 11:08:28 AM 6 C:\WINDOWS\TASKS\SA.DAT
SH 8/18/2005 11:08:36 AM 182 C:\WINDOWS\TASKS\RUTASK.job
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\8RC3AN2J\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\1W6SJZCA\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\3R15TV7Y\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\GCOT7A6K\desktop.ini
SH 8/18/2005 9:21:06 AM 3584 C:\WINDOWS\DRM\drmv2.sst
SH 8/18/2005 9:21:06 AM 48 C:\WINDOWS\DRM\v2ks.sec
SH 8/18/2005 9:21:06 AM 312 C:\WINDOWS\DRM\v2ks.bla
H 8/18/2005 11:45:18 AM 344064 C:\WINDOWS\Cookies\index.dat
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IDSCONFG.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\VDAJET32.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\HUZFLT04.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\BGACKBOX.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SJDPAPI.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MARD2X40.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MKAPSSPC.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOLOR.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SGSTHUNK.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MADOCS.DLL
SH 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\SYSTEM\area.exe
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOMPOS.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IPWDIAL.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MUJDBC10.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\owhlp30e.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mwiosd32.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\UFDMXFRM.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RWCLTS3.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mamdvdif.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\JEEG2X32.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TjxDlgUtil.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RNAENH.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mgikbdsw.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TIP3216S.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TEP3216S.DLL
H 8/18/2005 11:45:40 AM 668 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
SH 8/18/2005 11:35:52 AM 2580 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
SH 8/15/2005 4:01:02 PM 788 C:\WINDOWS\Temporary Internet Files\Ssk.log
SH 8/17/2005 3:48:18 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
SH 8/17/2005 3:56:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GLARKXAZ\desktop.ini
SH 8/17/2005 3:56:40 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8LIJC563\desktop.ini
SH 8/17/2005 3:56:56 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GLUV09QR\desktop.ini

Checking for CPL files...
Microsoft Corporation 6/6/2000 4:21:34 PM 259344 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 62464 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 104368 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 250128 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 111616 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 389872 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 5/31/2000 1:17:14 PM 15152 C:\WINDOWS\SYSTEM\WUAUCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\THEMES.CPL
Intel Corporation 8/8/2000 3:09:26 PM 84480 C:\WINDOWS\SYSTEM\igfxcpl.cpl
Microsoft Corporation 2/10/1999 11:48:46 AM 40960 C:\WINDOWS\SYSTEM\FINDFAST.CPL
8/17/2005 1:13:42 PM 31232 C:\WINDOWS\SYSTEM\conres.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
8/18/2005 11:08:40 AM 92160 C:\WINDOWS\Start Menu\Programs\StartUp\prct.exe

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll

<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD}
= C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
Band Class = C:\WINDOWS\DSR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
CControl Object = C:\Program Files\E2G\IeBHOs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
PCHealth C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Keyboard Manager C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
MMTray
hpsysdrv c:\windows\system\hpsysdrv.exe
Delay C:\WINDOWS\delayrun.exe
Adaptec DirectCD C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
winsync C:\WINDOWS\4sdddx.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent mstask.exe
*StateMgr C:\WINDOWS\System\Restore\StateMgr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NETAPI C:\WINDOWS\SYSTEM\NETAPI.EXE
Uate C:\Program Files\uthm\area.exe
WHLRAW C:\WINDOWS\SYSTEM\WHLRAW.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
WHLRAW C:\WINDOWS\SYSTEM\WHLRAW.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ACTADM C:\WINDOWS\SYSTEM\ACTADM.exe
WHLRAW C:\WINDOWS\SYSTEM\WHLRAW.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook {BCBCD383-3E06-11D3-91A9-00C04F68105C} = C:\WINDOWS\SYSTEM\AUHOOK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/18/2005 11:50:12 AM


ok thanks again!
Go to the top of the page
 
+Quote Post
Snickets
post Aug 19 2005, 07:57 AM
Post #6


Visiting Staff
Group Icon
Posts: 425
OS: XP
Hello peachywilds,

Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

QUOTE
REGEDIT4

[-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD}
= C:\WINDOWS\SYSTEM\TLRFAVDE.DLL]

[-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
Band Class = C:\WINDOWS\DSR.DLL]

[-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
CControl Object = C:\Program Files\E2G\IeBHOs.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uate"=-
"WHLRAW"=-


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\Start Menu\Programs\StartUp\prct.exe
C:\WINDOWS\SYSTEM\conres.cpl
C:\WINDOWS\kfdggfj.dll
C:\WINDOWS\oekbb.dll
C:\WINDOWS\ru.exe
C:\WINDOWS\RMAgentOutput.dll
C:\WINDOWS\VSX1.1.exe
C:\WINDOWS\hmvkk.dll
C:\WINDOWS\SYSTEM\AUNPS2.dll.tcf
C:\WINDOWS\SYSTEM\area.exe
C:\WINDOWS\SYSTEM\DICOMPOS.DLL
C:\WINDOWS\SYSTEM\IPWDIAL.DLL
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\owhlp30e.dll
C:\WINDOWS\SYSTEM\mwiosd32.dll
C:\WINDOWS\SYSTEM\whlraw.exe
C:\GLEH.EXE
C:\PROGRAM FILES\UTHM\AREA.EXE
C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
C:\WINDOWS\CFGMGR52.DLL
C:\WINDOWS\SYSTEM\DATADX.DLL

As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL (file missing)
O2 - BHO: (no name) - {7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD} - C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sdddx.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKCU\..\Run: [Uate] C:\Program Files\uthm\area.exe
O4 - Startup: prct.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Restart back in Normal Mode and Post a fresh HijackThis log!

Thank you,

Snickets

ohmy.gif
Go to the top of the page
 
+Quote Post
peachywilds18
post Aug 19 2005, 09:18 AM
Post #7


Member
**
Posts: 13
OS: Windows ME
Hey Snickets,

Ok, I did everything you said. The only thing is, when started to do Killbox in Safe Mode, all the icons disappeared. So after I finished running the files in Killbox, I had to reboot again into Safe Mode to run HiJackThis. So when I ran it, only one of the 7 entries showed up on HiJackThis. Of course, I clicked it and fixed it, but i just wanted you to know that the others werent even on the list. Then, as soon as i rebooted into Normal mode, a popup came up. Only one, so that is better, but I don't know if that is normal, or if my machine still has something going on. ANyways, I an hijackthis in normal again and saved the log file. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:15:52 AM, on 8/19/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\ETB\POKAPOKA63.EXE
C:\WINDOWS\SYSTEM\MSWUMB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSWUMB.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [MSWUMB] C:\WINDOWS\SYSTEM\MSWUMB.exe
O4 - HKCU\..\RunOnce: [MSWUMB] C:\WINDOWS\SYSTEM\MSWUMB.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...om_bedroom1.xml
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Thanks Again!!!
Go to the top of the page
 
+Quote Post
Snickets
post Aug 19 2005, 09:36 AM
Post #8


Visiting Staff
Group Icon
Posts: 425
OS: XP
Hello peachywilds18,

1. Download this tool: LQfix.zip
Unzip it to your Desktop.
Don't use it yet!

IMPORTANT! Reboot the computer into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').

2. Doubleclick LQfix.bat that you saved on your desktop before.
A doswindow will open and close again, that is normal.

3. Reboot into normal mode and scan with HijackThis. Post the new log as a reply to this thread.

Thank you,

Snickets

ohmy.gif
Go to the top of the page
 
+Quote Post
peachywilds18
post Aug 22 2005, 08:50 AM
Post #9


Member
**
Posts: 13
OS: Windows ME
hey snickets,

sorry for the delay, don't have access to the computer over the weekend! So i did the last step, and here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:48:46 AM, on 8/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\JAVNPU.EXE
C:\WINDOWS\SYSTEM\JAVNPU.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O4 - HKCU\..\RunOnce: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...om_bedroom1.xml
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

THanks again!! What next??
Go to the top of the page
 
+Quote Post
Snickets
post Aug 22 2005, 01:03 PM
Post #10


Visiting Staff
Group Icon
Posts: 425
OS: XP
Hello peachywilds18,

Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1.Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\SYSTEM\NETAPI.EXE
C:\WINDOWS\SYSTEM\JAVNPU.exe
C:\Program Files\E2G\IeBHOs.dll

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes and boot into safe mode at this time.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

2.Once in safe mode please run HijackThis and place a check next to the following items.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O4 - HKCU\..\RunOnce: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...om_bedroom1.xml

After checking these entries CLOSE ALL open windows [browsers and programs] EXCEPT HijackThis and click "Fix Checked."
===================================================

3.Please remove these entries from Add/Remove Programs in the Control Panel(if present).
Delfin
AlwaysUpdateNews
E2Give
Please note any other programs that you dont recognize in that list in your next response

4.Please delete these files and folders using Windows Explorer(if present):
files=blue
folders=red

C:\Program Files\E2G\
C:\WINDOWS\SYSTEM\nsvsvc\
:\WINDOWS\SYSTEM\VIDCTRL\
C:\WINDOWS\SYSTEM\NETAPI.EXE
C:\WINDOWS\SYSTEM\JAVNPU.exe

5.Please Search for these files below seperately and delete if present using the following instructions:
Go to Start>Run>Search for Files and Folders>and type in the following files:
AUNPS2.DLL

6. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

7.Reboot into normal windows.

8.Please rescan with HijackThis and post the new results in this thread along with the ewido scan results. At this time please let me know how your system is running.

Thank you,

Snickets

ohmy.gif

This post has been edited by Snickets: Aug 24 2005, 09:08 AM
Go to the top of the page
 
+