Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Reappearing nasties and constant rundll32 loading


  • This topic is locked This topic is locked

#1
KarenA

KarenA

    Member

  • Member
  • PipPip
  • 17 posts
Update to the problem originally posted here http://www.geekstogo...ing-t12445.html

- IE locked out from Internet access by manually altering Zone Alarm entry
- CWshredder downloaded
- HJT updated


Booted into safe mode
- rundll32 still starts up
- Ad-Aware run, 1 problem found and fixed
- Spybot SD run x2 :: first run rundll32 interfered with operation and received an error message. Shut down rundll32, re-ran Spybot and received clean results
- CW Shredder run and removed two entries - bootconf and svshost32
- manually altered host file and deleted all backups of host file
- Stinger run, no problems found
- HJK run, here's the log

Logfile of HijackThis v1.99.1
Scan saved at 9:49:06 PM, on 3/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - HKCU\..\RunServices: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\RunServices: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Access2000\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab

Rebooted into normal mode
- rundll32 shows up, manually shut down, reappears (this goes on forever)
- host file has been altered, shows deleted entries once again. Manually alter host file and have WinPatrol 'lock' the file
- CW shredder run, finds bootconf and svshost32 again. Fixed and rebooted machine
- WinPatrol lock on host file is gone, host file altered again. Edit host file, lock it again, two minutes later the lock is gone and deleted entries back
- CW shredder run, both bootconf and svshost32 have reappeared
-Spybot SD run, IGetNet is back again, despite being removed previously (yesterday) three times.
- HJT run, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:36 PM, on 3/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - HKCU\..\RunServices: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\RunServices: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab

What do I do now? Why are these nasties coming back, and why is rundll32 reloading itself every two minutes (approximately)? I cannot figure out what is calling for this.

Any help would be greatly appreciated.
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

Please download Ad-aware Se

vx2 cleaner add on tool run the vx2 tool.

1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
o "Automatically save logfile"
o Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarrantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)

kc :tazz:
  • 0

#3
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thanks for the response, thatman.

Have previously run the current build of Ad-Aware with the vx2 cleaner and only a couple differences in the settings. Reconfigured to your settings, but was not permitted to select the 'During removal, unload explorer and IE if necessary' in the "Cleaning Engine" section.

Ad-Aware found 3 critical objects (redirects in the host file) and 6 MRU entries - all items deleted. Reboot did not cause Ad-Aware to run. During the scan, NAV did pop up with 4 'access denied' warnings for (all have the same path) windows\temp\aaw\c3471836\icbe24) beyond.class, nudebox.class, worker.class and verifierbug.class. As I understand it, these are trojans yet previous scans have not detected them, nor can I find these files on the system (or that directory).

The host file, despite the setting indicated in Ad-Aware, was again altered at boot-up. The removed entries reappeared (as shown in the HJK log). It does not seem possible to lock this file, no matter what I've tried.

As requested, here is the latest HJK log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:21 AM, on 3/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Access2000\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab

Any thoughts on what to try next? Nuke and pave is looking really good.
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

We will try this http://main.thatcomp...php?cid=5&lid=3

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Kc :tazz:
  • 0

#5
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
LOL - patience is not a problem!

Here's the log Findit generated:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

RYAUI DLL 224,152 03-17-05 8:12p RYAUI.DLL
EFIUIABD DLL 224,152 03-17-05 8:12p EFIUIABD.DLL
MZRD3X40 DLL 224,152 03-17-05 8:12p MZRD3X40.DLL
MSG202 DLL 224,152 03-17-05 8:12p msg202.dll
4 file(s) 896,608 bytes
0 dir(s) 11,990.34 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 23,909 03-19-05 10:42a ffastlog.txt
VSCONFIG XML 889 03-19-05 10:42a vsconfig.xml
ZLLICTBL DAT 4,212 03-17-05 8:14p zllictbl.dat
ATI98DEF GID 10,844 12-09-01 5:02p ati98def.GID
FOLDER HTT 13,122 12-09-01 3:57p folder.htt
DESKTOP INI 266 12-09-01 3:57p desktop.ini
6 file(s) 53,242 bytes
0 dir(s) 11,990.31 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45690220-3BEF-A05F-3BA2-2E89A2ABDDCB}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ryaui.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
efiuiabd.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
mzrd3x40.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
vsconfig.xml Sat Mar 19 2005 10:42:08a A..H. 889 0.87 K
ffastlog.txt Sat Mar 19 2005 10:42:40a A..H. 23,909 23.35 K
msg202.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
zllictbl.dat Thu Mar 17 2005 8:14:04p ...H. 4,212 4.11 K

7 items found: 7 files, 0 directories.
Total of file sizes: 925,618 bytes 903.92 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Aticwd32.exe"
"AtiQiPcl"="AtiQiPcl.exe"
"AtiKey"="Atitask.exe"
"EPSON Stylus C84 Series"="C:\\WINDOWS\\SYSTEM\\E_S4I2D1.EXE /P23 \"EPSON Stylus C84 Series\" /O5 \"LPT1:\" /M \"Stylus C84\""
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="C:\\Program Files\\Creative\\Launcher\\CTLauncher.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



  • 0

#6
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Follow-up post to this one http://www.geekstogo...ing-t12533.html
(see that post for what has occurred and been tried previously)

After posting FindIt log, and transfering important data off the computer, Panda's online scan was run.

Where Housecall found nothing, Panda found plenty. Here's the log of what was not disinfected:
-----
Incident Status Location

Adware:Adware/Xupiter No disinfected Windows Registry
Adware:Adware/ILookup No disinfected C:\WINDOWS\Favorites\Gambling
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\TEMP\nsdtmp??.dll
Spyware:Spyware/Overpro No disinfected C:\WINDOWS\TEMP\nsdtmp09.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.inf
-----

Most of these, Gator in particular, were supposed to have been taken care of. No other AV scans (norton is resident on the machine) nor SpyBot or Ad-Aware have alerted me these were still present.

Per thatman's instructions, the computer has not been powered down (or logged out) but it's not behaving very stable any more. So, is it worthwhile to disinfect the computer, or just nuke and pave and start afresh?
  • 0

#7
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

This is a new vx2 infection, I have ask the experts to take a look will post back a.s.ap

Kc :tazz:
  • 0

#8
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi thatman,

Thanks for the info. Unfortunately, I had to reboot so let me know if/when you want a new log posted.
  • 0

#9
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Since I have nothing to lose by poking and proding, I came across this in the Windows\Downloaded Program Files directory:
BHO Class, Installed, 96KB, version 1,0,0,1

It's an Active X control and the code base is plugin.secureservicepack.com/secureservicepack.cab. It looks like a dll file was installed (secureservicepack.dll). Searching the drive yields nothing. There is no functional web page, or any information availble via a 'Net search. I cannot recollect consciously downloading anything of this nature, and no BHO's show up in a HJK run.

Here's what I found searching the registry:

HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9}

HKEY_CLASSES_ROOT\SecureServicePack.BHO

HKEY_CLASSES_ROOT\SecureServicePack.BHO.1

HKEY_CLASSES_ROOT\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}

HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9}

HKEY_LOCAL_MACHINE\Software\CLASSES\SecureServicePack.BHO

HKEY_LOCAL_MACHINE\Software\CLASSES\SecureServicePack.BHO.1

HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}

HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SecureServicePack.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
--- C:\WINDOWS\Downloaded Program Files\SecureServicePack.dll 0x00000001 (1)

Is this crud-ware? Should it be removed? With all the problems I've been having (potential new variant on the vx2 infection) I'm wondering if this could be part of it.

Oh, and this one is unrelated to the above, just something that tweaked me as possibly crud-ware:

HKEY_LOCAL_MACHINE\Software\CLASSES\SearchAssistantOC.SearchAssistantOC

HKEY_LOCAL_MACHINE\Software\CLASSES\SearchAssistantOC.SearchAssistantOC.1
  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

Do both scans both panda and trendmicro now run with malware removal tools.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

Advertisements


#11
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
As requested, here are the log files:

From Panda -
-----
Adware:Adware/Xupiter No disinfected Windows Registry
Adware:Adware/ILookup No disinfected C:\WINDOWS\Favorites\Gambling
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.inf
-------

I've searched the registry for xupiter and it doesn't exist. Searched for these other files too and they do not exist on the drive. The Gator entries were present in the registry, but I'd already hacked them out earlier today.

There is no log for Housecall because it found nothing, not one thing wrong.

Here is the HJK log -
-----------
Logfile of HijackThis v1.99.1
Scan saved at 11:00:32 PM, on 3/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Access2000\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\INTERNET\YAHOOMESSENGER\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
-------

There is one thing here that catches my eye - 016 entry, secureservicepack. I've found absolutely nothing online about this and it is newly installed on my system. Except for Spybot's Immunization and Browser Helper for IE (which it says is not installed, though I know it was at some point) and a Google Toolbar, I've not willingly installed any BHO's that I know of.

For kicks, here's what Spybot found -
----
IGetNet - Redirected host ieautosearch=69.20.16.183
Common Hijacker - Redirected host search.netscape.com=69.20.16.183
Common Hijacker - Redirected host auto.search.msn.com=69.20.16.183
-----

I did not 'fix' these entries, and the problems match what keeps appearing over and over in the host file. I change the IP to point internally and they're 'fixed' a minute later to the old IP.

Ad-Aware log (just for fun) -
---------

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, March 20, 2005 11:19:14 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R33 16.03.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):10 total references
Redirected hostfile entry(TAC index:4):3 total references
Tracking Cookie(TAC index:3):9 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R33 16.03.2005
Internal build : 38
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 431409 Bytes
Total size : 1357573 Bytes
Signature data size : 1327668 Bytes
Reference data size : 29393 Bytes
Signatures total : 37814
Fingerprints total : 720
Fingerprints size : 26761 Bytes
Target categories : 15
Target families : 641


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:17 %
Total physical memory:195872 kb
Available physical memory:5096 kb
Total page file size:1901276 kb
Available on page file:1772932 kb
Total virtual memory:2093056 kb
Available virtual memory:2042240 kb
OS:Microsoft Windows 98 SE

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include module list in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


3-20-05 11:19:14 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293860667
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL
Scanning Module:C:\WINDOWS\SYSTEM\USER32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\GDI32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ADVAPI32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\KERNEL32.DLL...

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294912687
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE
Scanning Module:C:\WINDOWS\SYSTEM\SFMAN32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\DEVCON32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WINMM.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\VERSION.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\OLEAUT32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\OLE32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MPR.DLL...

#:3 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294958559
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE
Scanning Module:C:\WINDOWS\SYSTEM\MSNP32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSNET32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MPREXE.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\MPRSERV.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSPWL32.DLL...

#:4 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294965123
Threads : 2
Priority : Normal
FileVersion : 4.71.1972.1
ProductVersion : 4.71.1972.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe
Scanning Module:C:\WINDOWS\SYSTEM\MSIDLE.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSTASK.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\SHELL32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\COMCTL32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SHLWAPI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSVCRT.DLL...

#:5 [VSMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
Command Line : C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
ProcessID : 4294946567
Threads : 17
Priority : Normal
FileVersion : 5.5.062.011
ProductVersion : 5.5.062.011
ProductName : TrueVector Service
CompanyName : Zone Labs LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2005, Zone Labs LLC
OriginalFilename : vsmon.exe
Scanning Module:C:\WINDOWS\SYSTEM\NETAPI32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\NETBIOS.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZONELABS\VSAVPRO.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\RNR20.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SHFOLDER.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZONELABS\CAMUPD.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSAFD.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZONELABS\VSVAULT.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZONELABS\VSDB.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZONELABS\VSRULEDB.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\VSXML.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZLCOMMDB.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZLCOMM.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\VSDATA.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\ZONELABS\SSLEAY32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\VSUTIL.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\VSINIT.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\RSABASE.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WSOCK32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSWSOCK.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WS2_32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WININET.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\CRYPT32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\RPCRT4.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSOSS.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WS2HELP.DLL...

#:6 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294881571
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk

#:7 [DDHELP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
Command Line : ddhelp.exe
ProcessID : 4294890367
Threads : 3
Priority : Realtime
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2001
OriginalFilename : DDHelp.exe
Scanning Module:C:\WINDOWS\SYSTEM\DSOUND.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\DDHELP.EXE...

#:8 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4294789723
Threads : 13
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE
Scanning Module:C:\WINDOWS\SYSTEM\SETUPAPI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\CFGMGR32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\LZ32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\NTDLL.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WEBCHECK.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\LINKINFO.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MYDOCS.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SHD401LC.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSG202.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WINSPOOL.DRV...
Scanning Module:C:\WINDOWS\SYSTEM\URLMON.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\OLEDLG.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSVCRT20.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\IPHLPAPI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\IPCFGDLL.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\DHCPCSVC.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ICMP.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\COMDLG32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\BROWSEUI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SHDOC401.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SHDOCVW.DLL...
Scanning Module:C:\WINDOWS\EXPLORER.EXE...

#:9 [TASKMON.EXE]
ModuleName : C:\WINDOWS\TASKMON.EXE
Command Line : "C:\WINDOWS\taskmon.exe"
ProcessID : 4294737347
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE
Scanning Module:C:\WINDOWS\TASKMON.EXE...

#:10 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4294733071
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : SYSTRAY.EXE
Scanning Module:C:\WINDOWS\SYSTEM\USBUI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WMI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SYSTRAY.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\BATMETER.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\POWRPROF.DLL...

#:11 [ATICWD32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ATICWD32.EXE
Command Line : "C:\WINDOWS\SYSTEM\Aticwd32.exe"
ProcessID : 4294706083
Threads : 2
Priority : Normal
FileVersion : 4.11.2559
ProductVersion : 4.11.2559
ProductName : ATI Technologies Inc.
CompanyName : ATI Technologies Inc.
FileDescription : ATI Common Windows Display Driver Extension
InternalName : ATICWD32
LegalCopyright : Copyright © ATI Technologies Inc., 1998
OriginalFilename : ATICWD32.EXE
Scanning Module:C:\WINDOWS\SYSTEM\ATIMPPIF.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ATICWD32.EXE...

#:12 [ATITASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ATITASK.EXE
Command Line : "C:\WINDOWS\SYSTEM\Atitask.exe"
ProcessID : 4294718959
Threads : 1
Priority : Normal
FileVersion : 4.11.2315
ProductVersion : 4.11.2315
ProductName : ATI Technologies, Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Task Application
InternalName : AtiTask
LegalCopyright : Copyright © ATI Technologies Inc. 1998
OriginalFilename : AtiTask
Scanning Module:C:\WINDOWS\SYSTEM\ATITADEF.RSC...
Scanning Module:C:\WINDOWS\SYSTEM\ATITASK.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\ATICWDDE.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ATIHT.DLL...

#:13 [NAVAPW32.EXE]
ModuleName : C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
Command Line : "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE"
ProcessID : 4294756087
Threads : 18
Priority : Normal
FileVersion : 8.00.6
ProductVersion : 8.00.6
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
LegalCopyright : Copyright © 2000-2001 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPW32.EXE
Scanning Module:C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFALERT.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\ATL.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SOFTPUB.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\WINTRUST.DLL...
Scanning Module:C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVPROXY.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\MSVCP60.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SYMREDIR.DLL...
Scanning Module:C:\PROGRAM FILES\NORTON ANTIVIRUS\APWCMD9X.DLL...
Scanning Module:C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE...
Scanning Module:C:\PROGRAM FILES\NORTON ANTIVIRUS\APWUTIL.DLL...

#:14 [SPOOL32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
Command Line : C:\WINDOWS\SYSTEM\spool32.exe
ProcessID : 4294767739
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe
Scanning Module:C:\WINDOWS\SYSTEM\MSPP32.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\EPIPPJ70.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\EBPMON.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\SPOOL32.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\SPOOLSS.DLL...

#:15 [ZLCLIENT.EXE]
ModuleName : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
Command Line : "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
ProcessID : 4294737479
Threads : 6
Priority : Normal
FileVersion : 5.5.062.011
ProductVersion : 5.5.062.011
ProductName : Zone Labs Client
CompanyName : Zone Labs LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2005, Zone Labs LLC
OriginalFilename : zlclient.exe
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAV.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\IDLOCK.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\PRIVACY.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\FILTER.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\FIREWALL.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\EMAIL.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ALERT.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\SECURITY.ZAP...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\PROGRAMS.ZAP...
Scanning Module:C:\WINDOWS\SYSTEM\VSMONAPI.DLL...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE...
Scanning Module:C:\PROGRAM FILES\ZONE LABS\ZONEALARM\FRAMEWRK.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\VSPUBAPI.DLL...

#:16 [AHQTB.EXE]
ModuleName : C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
Command Line : "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE"
ProcessID : 4294671207
Threads : 1
Priority : Normal
FileVersion : 1.0.185
ProductVersion : 1.0.185
ProductName : AudioHQ
CompanyName : Creative Technology Ltd.
FileDescription : Creative AudioHQ
InternalName : AHQTaskBar
LegalCopyright : Copyright © Creative Technology Ltd. 1997-1999
OriginalFilename : AHQTb.exe
Comments : Creative AudioHQ
Scanning Module:C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQMAN.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTBRES.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE...

#:17 [CTLAUNCHER.EXE]
ModuleName : C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
Command Line : "C:\Program Files\Creative\Launcher\CTLauncher.exe"
ProcessID : 4294647671
Threads : 1
Priority : Normal
FileVersion : 1.51.1.0
ProductVersion : 1.0
ProductName : Creative Launcher
CompanyName : Creative Technology Ltd
FileDescription : Creative Launcher
InternalName : Launcher
LegalCopyright : Copyright © Creative Technology Ltd 1999
OriginalFilename : Launcher
Scanning Module:C:\PROGRAM FILES\CREATIVE\LAUNCHER\PLUGINS\CTPILIVE.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\LAUNCHER\PLUGINS\LIVERES.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\LAUNCHER\PLUGINS\CTPILOGO.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\LAUNCHER\PLUGINS\LOGORES.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCH.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHRES.DLL...
Scanning Module:C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\MFC42.DLL...

#:18 [WINPATROL.EXE]
ModuleName : C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
Command Line : "C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe"
ProcessID : 4294693283
Threads : 2
Priority : Normal
FileVersion : 9, 0, 0, 2
ProductVersion : 9.0.0.2
ProductName : WinPatrol Monitor
CompanyName : BillP Studios
FileDescription : WinPatrol System Monitor
InternalName : WinPatrol Monitor
LegalCopyright : Copyright © 1997- 2005 BillP Studios
OriginalFilename : Scotty Classic
Comments : Let Scotty the Windows Watchdog patrol your system.
Scanning Module:C:\WINDOWS\SYSTEM\MSTASK.DLL...
Scanning Module:C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE...

#:19 [E_S4I2D1.EXE]
ModuleName : C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
Command Line : "C:\WINDOWS\SYSTEM\E_S4I2D1.EXE" /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
ProcessID : 4294701883
Threads : 1
Priority : Normal
FileVersion : 3.00
ProductVersion : 3.00
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S4I2D1
LegalCopyright : Copyright © SEIKO EPSON CORP. 2003
OriginalFilename : E_S4I2D1.EXE
Scanning Module:C:\WINDOWS\SYSTEM\E_S4I2D1.EXE...

#:20 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe 52
ProcessID : 4294624131
Threads : 3
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe
Scanning Module:C:\WINDOWS\SYSTEM\WMIEXE.EXE...
Scanning Module:C:\WINDOWS\SYSTEM\WMICORE.DLL...

#:21 [OSA.EXE]
ModuleName : C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
Command Line : "C:\Program Files\Microsoft Office\Office\OSA.EXE" -b
ProcessID : 4294676915
Threads : 1
Priority : Normal

Scanning Module:C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE...
Scanning Module:C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSAINTL.DLL...
Scanning Module:C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSO97.DLL...

#:22 [FIREFOX.EXE]
ModuleName : C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
Command Line : "C:\Program Files\Mozilla Firefox\firefox.exe"
ProcessID : 4294508915
Threads : 4
Priority : Normal

Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\NSSCKBI.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS\JAR50.DLL...
Scanning Module:C:\PROGRAM FILES\JAVA\JRE1.5.0_01\BIN\JPINSCP.DLL...
Scanning Module:C:\PROGRAM FILES\JAVA\JRE1.5.0_01\BIN\JPISHARE.DLL...
Scanning Module:C:\PROGRAM FILES\JAVA\JRE1.5.0_01\BIN\JPIOJI.DLL...
Scanning Module:C:\PROGRAM FILES\JAVA\JRE1.5.0_01\BIN\NPOJI610.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\OLEPRO32.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\XPCOM_COMPAT.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\SSL3.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\SMIME3.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\NSS3.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\SOFTOKN3.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\XPCOM.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\PLDS4.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\PLC4.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\JS3250.DLL...
Scanning Module:C:\PROGRAM FILES\MOZILLA FIREFOX\NSPR4.DLL...

#:23 [RUNDLL32.EXE]
ModuleName : C:\WINDOWS\RUNDLL32.EXE
Command Line : rundll32.exe
ProcessID : 4294314151
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE
Scanning Module:C:\WINDOWS\SYSTEM\DJVENUM.DLL...
Scanning Module:C:\WINDOWS\RUNDLL32.EXE...

#:24 [WORDPAD.EXE]
ModuleName : C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
Command Line : "C:\Program Files\Accessories\WORDPAD.EXE"
ProcessID : 4294474275
Threads : 2
Priority : Normal
FileVersion : 5.00.1691.1
ProductVersion : 5.00.1691.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : WordPad MFC Application
InternalName : wordpad
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : wordpad
Scanning Module:C:\WINDOWS\SYSTEM\RICHED20.DLL...
Scanning Module:C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE...

#:25 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4294372403
Threads : 2
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Scanning Module:C:\WINDOWS\SYSTEM\SVRAPI.DLL...
Scanning Module:C:\WINDOWS\SYSTEM\RICHED32.DLL...
Scanning Module:C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE...

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@overture[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:karen@overture.com/
Expires : 3-18-15 9:56:48 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@realmedia[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:karen@realmedia.com/
Expires : 3-20-06 3:42:40 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@www6.paypopup[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:karen@www6.paypopup.com/
Expires : 3-21-05 3:22:32 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@findwhat[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:karen@findwhat.com/
Expires : 12-31-19 4:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@www1.paypopup[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:karen@www1.paypopup.com/
Expires : 3-21-05 3:27:08 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@www7.paypopup[1].txt
Category : Data Miner
Comment : Hits:9
Value : Cookie:karen@www7.paypopup.com/
Expires : 3-21-05 8:36:12 PM
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@cgi-bin[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:karen@www5.addfreestats.com/cgi-bin
Expires : 2-27-15 3:59:58 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@www4.paypopup[1].txt
Category : Data Miner
Comment : Hits:9
Value : Cookie:karen@www4.paypopup.com/
Expires : 3-21-05 6:27:06 PM
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : karen@0[1].txt
Category : Data Miner
Comment : Hits:6
Value : Cookie:karen@jtrafficwave.cjt1.net/HTM/518/0
Expires : 3-20-06 8:13:00 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 9
Objects found so far: 19



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\downloads\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\DreamWeaver\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\General_Burn\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\HOLIDAY\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\Maxis\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\My Documents\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\My Download Files\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\My Music\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\Program Files\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\RECYCLED\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\SC2K4WIN\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Disk Scan Result for F:\Unknown\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
16 entries scanned.
New critical objects:3
Objects found so far: 22


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 22

11:33:08 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:13:54.260
Objects scanned:106186
Objects identified:12
Objects ignored:0
New critical objects:12
------

The entries were not 'fixed' since correcting the host file makes no difference.

CWShredder has also been run and it 'removed' bootconf and svhost32 a number of times. They don't stay 'removed' though.

If this is a variant on the vx2 infection, I'd act as a test subject if necessary. Everything important has been archived or copied elsewhere (after scanning the h*** out of it) so there's no worry about losing data.

Good luck deciphering all this!
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

Look at the files below I believe they are all connected to the infection on your pc VX2.

The date and time the file where downloaded, take a look at the properties off each file?

C:\WINDOWS\SYSTEM\
ryaui.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
efiuiabd.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
mzrd3x40.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
vsconfig.xml Sat Mar 19 2005 10:42:08a A..H. 889 0.87 K
ffastlog.txt Sat Mar 19 2005 10:42:40a A..H. 23,909 23.35 K
msg202.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
zllictbl.dat Thu Mar 17 2005 8:14:04p ...H. 4,212 4.11 K

Your search - ryaui.dll - did not match any documents.
Your search - efiuiabd.dll - did not match any documents.
mzrd3x40.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K VX2
vsconfig.xml Sat Mar 19 2005 10:42:08a A..H. 889 0.87 K VX2
ffastlog.txt Sat Mar 19 2005 10:42:40a A..H. 23,909 23.35 K VX2
Your search - msg202.dll - did not match any documents.
zllictbl.dat Thu Mar 17 2005 8:14:04p ...H. 4,212 4.11 K

Please let me know what information you find on the above files

Kc :tazz:
  • 0

#13
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi thatman,
Thanks for the ongoing help - it is much appreciated.

As requested, here's all the info I could dig out regarding the files:

ryaui.dll
- located in windows\system file
- size listed as 218KB (224152bytes), 229376bytes used
- marked as read only and system
- digital signature is from NicTech Networks Inc. no e-mail or time stamp available

efiuiabd.dll
- located in windows\system
- size listed as 218KB (224152bytes), 229376bytes used
- marked as read only and system
- digital signature is from NicTech Networks Inc. no e-mail or time stamp available

mzrd3x40.dll
- located in windows\system
- size listed as 218KB (224152bytes), 229376bytes used
- marked as read only and system
- digital signature is from NicTech Networks Inc. no e-mail or time stamp available

vsconfig.xml
- hidden file in windows\system
- size listed as 889 bytes, 32768 bytes used
- creation date is Sept 26-04, modifed and last accessed date of March 21-05
- marked as archive
- further reading shows is connected to Zone Alarm
- contents of file as follows:
-------
?xml version="1.0"?
securitypolicy version="1"
lockupinfo server="209.87.208.60" port="0" enable="true"/
startuphookafd wsockvermajor="0x00000000" wsockverminor="0x00000000" enable="false"/
protection zlcommdb="true"/
processes
process name="fssm32.exe" openprocessaction="allow"
md5table
md5hex fileversion="5.40.8210.0"6ea475f6-d34c3c6d-7a8a6845-a525d6e6/md5hex
md5hex fileversion="5.40.8390.0"91feb4e9-8cf1e8e5-4f6f306a-e1399374/md5hex
md5hex fileversion="5.40.8480.0"2f856f29-4d155a8c-c4ebb124-3bfeb9d4/md5hex
md5hex fileversion="5.50.9240.0"e610722c-2d8ebb67-ff634a05-31622bfa/md5hex
md5hex fileversion="5.50.9381.0"0457f8cb-fb2cb7e0-920fcd4e-316ad1bf/md5hex
md5hex fileversion="5.50.9410.0"8d4ea429-5d89f910-4fc4e79a-932ffbc8/md5hex
/md5table
/process
/processes
/securitypolicy
------------

ffastlog.txt
- hidden file in windows\system
- size listed as 22.1KB (22703bytes), 32768 bytes used
- creation date is Mar 20-05, modified and last accessed date of Mar 21-05
- marked as archive
- no further information available
- looking into the file shows a number of 'cannot access' entries. Large file, will post this if required.
- further reading indicates this could be a legitimate file

msg202.dll
- located in windows\system
- size listed as 218KB (224152bytes), 229376 bytes used
- creation date is Mar 17-05, modifed date of Mar 17-05 and last accessed date of Mar 21-05
- marked as read only
- digital signature is from NicTech Networks Inc., no e-mail or time stamp available

zllictbl.dat
- hidden file in windows\system
- size listed as 4.11KB (4212bytes) 32768 bytes used
- creation date September 26-04, modified Mar 17-05 and last accessed Mar 21-05
- further reading shows this file is connected to Zone Alarm

Here is one you did not ask for, but FindIt picked it up:

cwmcat.dll
- located in windows\system
- size listed as 218KB (224152bytes) 229376bytes used
- creation date Mar 21-05, modifed Mar 17-05 last accessed Mar 21-05
- marked as read only and system
- digital signature is from NicTech Networks Inc., no e-mail or time stamp available

FindIt also had this in the log file:
---
------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

Entire log available if required.

If I missed some information, let me know.
  • 0

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi KarenA

please post the full find it log
And a new HJT.log

Thank you

Kc :tazz:
  • 0

#15
KarenA

KarenA

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Heya thatman,

Here's the logs:

FindIt
------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

RYAUI DLL 224,152 03-17-05 8:12p RYAUI.DLL
EFIUIABD DLL 224,152 03-17-05 8:12p EFIUIABD.DLL
CWMCAT DLL 224,152 03-17-05 8:12p CWMCAT.DLL
MZRD3X40 DLL 224,152 03-17-05 8:12p MZRD3X40.DLL
MSG202 DLL 224,152 03-17-05 8:12p msg202.dll
5 file(s) 1,120,760 bytes
0 dir(s) 11,891.50 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3B67-16D9
Directory of C:\WINDOWS\SYSTEM

FFASTLOG TXT 23,217 03-21-05 2:41p ffastlog.txt
VSCONFIG XML 889 03-21-05 12:37p vsconfig.xml
ZLLICTBL DAT 4,212 03-17-05 8:14p zllictbl.dat
ATI98DEF GID 10,844 12-09-01 5:02p ati98def.GID
FOLDER HTT 13,122 12-09-01 3:57p folder.htt
DESKTOP INI 266 12-09-01 3:57p desktop.ini
6 file(s) 52,550 bytes
0 dir(s) 11,891.47 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45690220-3BEF-A05F-3BA2-2E89A2ABDDCB}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ryaui.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
efiuiabd.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
cwmcat.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
mzrd3x40.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
vsconfig.xml Mon Mar 21 2005 12:37:20p A..H. 889 0.87 K
ffastlog.txt Mon Mar 21 2005 2:41:36p A..H. 23,217 22.67 K
msg202.dll Thu Mar 17 2005 8:12:56p ..S.R 224,152 218.90 K
zllictbl.dat Thu Mar 17 2005 8:14:04p ...H. 4,212 4.11 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,149,078 bytes 1.09 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.504: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.504: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Aticwd32.exe"
"AtiQiPcl"="AtiQiPcl.exe"
"AtiKey"="Atitask.exe"
"EPSON Stylus C84 Series"="C:\\WINDOWS\\SYSTEM\\E_S4I2D1.EXE /P23 \"EPSON Stylus C84 Series\" /O5 \"LPT1:\" /M \"Stylus C84\""
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="C:\\Program Files\\Creative\\Launcher\\CTLauncher.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

------

Hijack This
----
Logfile of HijackThis v1.99.1
Scan saved at 4:20:52 PM, on 3/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Access2000\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: Yahoo! Chat - http://cs7.chat.sc5....m/c381/chat.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} (BHO Class) - http://plugin.secure...servicepack.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Getting so I can run these in my sleep now :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP