Host File "Corruption"[RESOLVED]
Started by
Nate3577
, Mar 22 2005 07:33 PM
#1
Posted 22 March 2005 - 07:33 PM
#3
Posted 24 March 2005 - 09:32 PM
Don,
Thanks for the info. Here is my Hijack This log. Thanks in advance for any and all assistance!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 10:32:42 PM, on 3/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Thanks for the info. Here is my Hijack This log. Thanks in advance for any and all assistance!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 10:32:42 PM, on 3/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
#4
Posted 24 March 2005 - 09:49 PM
Hi Nate, this is a real pest to get rid of,
This will take sometime,
Click here: http://www.downloads...VX2Finder9x.exe and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here in this thread.
Next click here: http://www.downloads.../DllCompare.exe to download DLLCompare.zip.
Save it to your desktop.
Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.
It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete then you will see in blue Completed.
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.
Click here
to download FindIt9xME.zip. Unzip it to your desktop.
Doubleclick on the find.bat file and let it run. It may take as long as ten minutes to run. When it is finished it will produce an output.txt file. Copy and paste the contents of output.txt here please.
Post back a fresh HJT log as well please
This will take sometime,
Click here: http://www.downloads...VX2Finder9x.exe and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here in this thread.
Next click here: http://www.downloads.../DllCompare.exe to download DLLCompare.zip.
Save it to your desktop.
Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.
It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete then you will see in blue Completed.
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.
Click here
to download FindIt9xME.zip. Unzip it to your desktop.
Doubleclick on the find.bat file and let it run. It may take as long as ten minutes to run. When it is finished it will produce an output.txt file. Copy and paste the contents of output.txt here please.
Post back a fresh HJT log as well please
#5
Posted 25 March 2005 - 11:23 PM
Don,
Thanks for all the help so far. Here are the results over everything so far. Let me know what you would like me to do next. Thanks again!
Nate
VX2 Finder:
User Agent String---
{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nfqtwk.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
874 items found: 874 files (27 H/S), 0 directories.
Total of file sizes: 178,226,753 bytes 169.97 M
--------------------End log---------------------
FindItLog:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
IDPEERS DLL 227,104 03-15-05 7:35p IDPEERS.DLL
NKDLL DLL 227,104 03-15-05 7:35p NKDLL.DLL
RECMQSVR DLL 227,104 03-15-05 7:35p RECMQSVR.DLL
NRTOS DLL 227,104 03-15-05 7:35p NRTOS.DLL
AAVAPI32 DLL 227,104 03-15-05 7:35p AAVAPI32.DLL
DYEML DLL 227,104 03-15-05 7:35p DYEML.DLL
ITSENG DLL 227,104 03-15-05 7:35p ITSENG.DLL
VUB32 DLL 227,104 03-15-05 7:35p VUB32.DLL
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
DGOUND3D DLL 227,104 03-15-05 7:35p DGOUND3D.DLL
HWDCI DLL 227,104 03-15-05 7:35p HWDCI.DLL
NFQTWK DLL 227,104 03-15-05 7:35p NFQTWK.DLL
MXIHRNFC DLL 227,104 03-15-05 7:35p mxihrnfc.dll
MXCUIW32 DLL 227,104 03-15-05 7:35p MXCUIW32.DLL
CSBVIEW DLL 227,104 03-15-05 7:35p CSBVIEW.DLL
MFDOCS DLL 227,104 03-15-05 7:35p MFDOCS.DLL
RFCHED20 DLL 227,104 03-15-05 7:35p RFCHED20.DLL
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
DRKAPI16 DLL 227,104 03-08-05 8:44p DRKAPI16.DLL
GXDEF DLL 227,104 03-08-05 8:44p GXDEF.DLL
HJINV DLL 227,104 03-08-05 8:44p hjinv.dll
DNNMPNTW DLL 227,104 03-08-05 8:44p DNNMPNTW.DLL
PMD DLL 227,104 03-08-05 8:44p PMD.DLL
IWSCONFG DLL 227,104 03-08-05 8:44p IWSCONFG.DLL
SRNS DLL 227,104 03-08-05 8:44p SRNS.DLL
WQIDX DLL 227,104 03-08-05 8:44p wqidx.dll
ODLYPRO DLL 227,104 03-08-05 8:44p OdlyPRO.dll
27 file(s) 6,131,808 bytes
0 dir(s) 53,970.75 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
1 dir(s) 53,970.72 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}"=""
------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"{12EE7A5E-0674-42f9-A76B-000000004D00}"="rundll32.exe stlb2.dll,DllRunMain"
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB"="rundll32.exe E6F1873B.DLL,D9EBC318C"
"98D0CE0C16B1"="rundll32.exe D0CE0C16B1,D0CE0C16B1"
Hijack This Log
Logfile of HijackThis v1.99.1
Scan saved at 12:25:26 AM, on 3/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Thanks for all the help so far. Here are the results over everything so far. Let me know what you would like me to do next. Thanks again!
Nate
VX2 Finder:
User Agent String---
{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nfqtwk.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
874 items found: 874 files (27 H/S), 0 directories.
Total of file sizes: 178,226,753 bytes 169.97 M
--------------------End log---------------------
FindItLog:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
IDPEERS DLL 227,104 03-15-05 7:35p IDPEERS.DLL
NKDLL DLL 227,104 03-15-05 7:35p NKDLL.DLL
RECMQSVR DLL 227,104 03-15-05 7:35p RECMQSVR.DLL
NRTOS DLL 227,104 03-15-05 7:35p NRTOS.DLL
AAVAPI32 DLL 227,104 03-15-05 7:35p AAVAPI32.DLL
DYEML DLL 227,104 03-15-05 7:35p DYEML.DLL
ITSENG DLL 227,104 03-15-05 7:35p ITSENG.DLL
VUB32 DLL 227,104 03-15-05 7:35p VUB32.DLL
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
DGOUND3D DLL 227,104 03-15-05 7:35p DGOUND3D.DLL
HWDCI DLL 227,104 03-15-05 7:35p HWDCI.DLL
NFQTWK DLL 227,104 03-15-05 7:35p NFQTWK.DLL
MXIHRNFC DLL 227,104 03-15-05 7:35p mxihrnfc.dll
MXCUIW32 DLL 227,104 03-15-05 7:35p MXCUIW32.DLL
CSBVIEW DLL 227,104 03-15-05 7:35p CSBVIEW.DLL
MFDOCS DLL 227,104 03-15-05 7:35p MFDOCS.DLL
RFCHED20 DLL 227,104 03-15-05 7:35p RFCHED20.DLL
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
DRKAPI16 DLL 227,104 03-08-05 8:44p DRKAPI16.DLL
GXDEF DLL 227,104 03-08-05 8:44p GXDEF.DLL
HJINV DLL 227,104 03-08-05 8:44p hjinv.dll
DNNMPNTW DLL 227,104 03-08-05 8:44p DNNMPNTW.DLL
PMD DLL 227,104 03-08-05 8:44p PMD.DLL
IWSCONFG DLL 227,104 03-08-05 8:44p IWSCONFG.DLL
SRNS DLL 227,104 03-08-05 8:44p SRNS.DLL
WQIDX DLL 227,104 03-08-05 8:44p wqidx.dll
ODLYPRO DLL 227,104 03-08-05 8:44p OdlyPRO.dll
27 file(s) 6,131,808 bytes
0 dir(s) 53,970.75 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
1 dir(s) 53,970.72 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}"=""
------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"{12EE7A5E-0674-42f9-A76B-000000004D00}"="rundll32.exe stlb2.dll,DllRunMain"
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB"="rundll32.exe E6F1873B.DLL,D9EBC318C"
"98D0CE0C16B1"="rundll32.exe D0CE0C16B1,D0CE0C16B1"
Hijack This Log
Logfile of HijackThis v1.99.1
Scan saved at 12:25:26 AM, on 3/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
#6
Posted 26 March 2005 - 06:10 AM
Lets see if we can get this pest for you Nate,
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
Next,
Download Pocket Killbox from. Here. unzip it and save it to your desk top
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\jzdw400.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\drkapi16.dll
C:\WINDOWS\SYSTEM\gxdef.dll
C:\WINDOWS\SYSTEM\idpeers.dll
C:\WINDOWS\SYSTEM\nkdll.dll
C:\WINDOWS\SYSTEM\recmqsvr.dll K
C:\WINDOWS\SYSTEM\nrtos.dll
C:\WINDOWS\SYSTEM\hjinv.dll
C:\WINDOWS\SYSTEM\aavapi32.dll
C:\WINDOWS\SYSTEM\dyeml.dll
C:\WINDOWS\SYSTEM\dnnmpntw.dll
C:\WINDOWS\SYSTEM\itseng.dll
C:\WINDOWS\SYSTEM\vub32.dll
C:\WINDOWS\SYSTEM\pmd.dll
C:\WINDOWS\SYSTEM\iwsconfg.dll
C:\WINDOWS\SYSTEM\merd2x40.dll
C:\WINDOWS\SYSTEM\dgound3d.dll
C:\WINDOWS\SYSTEM\hwdci.dll
C:\WINDOWS\SYSTEM\nfqtwk.dll
C:\WINDOWS\SYSTEM\srns.dll
C:\WINDOWS\SYSTEM\wqidx.dll
C:\WINDOWS\SYSTEM\odlypro.dll
C:\WINDOWS\SYSTEM\mxihrnfc.dll
C:\WINDOWS\SYSTEM\mxcuiw32.dll
C:\WINDOWS\SYSTEM\csbview.dll
C:\WINDOWS\SYSTEM\mfdocs.dll
C:\WINDOWS\SYSTEM\rfched20.dll
C:\Windows\System32\Guard.tmp
Next,
Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.
Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.
Reboot now
Post a fresh HJT log please
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
Next,
Download Pocket Killbox from. Here. unzip it and save it to your desk top
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\jzdw400.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\drkapi16.dll
C:\WINDOWS\SYSTEM\gxdef.dll
C:\WINDOWS\SYSTEM\idpeers.dll
C:\WINDOWS\SYSTEM\nkdll.dll
C:\WINDOWS\SYSTEM\recmqsvr.dll K
C:\WINDOWS\SYSTEM\nrtos.dll
C:\WINDOWS\SYSTEM\hjinv.dll
C:\WINDOWS\SYSTEM\aavapi32.dll
C:\WINDOWS\SYSTEM\dyeml.dll
C:\WINDOWS\SYSTEM\dnnmpntw.dll
C:\WINDOWS\SYSTEM\itseng.dll
C:\WINDOWS\SYSTEM\vub32.dll
C:\WINDOWS\SYSTEM\pmd.dll
C:\WINDOWS\SYSTEM\iwsconfg.dll
C:\WINDOWS\SYSTEM\merd2x40.dll
C:\WINDOWS\SYSTEM\dgound3d.dll
C:\WINDOWS\SYSTEM\hwdci.dll
C:\WINDOWS\SYSTEM\nfqtwk.dll
C:\WINDOWS\SYSTEM\srns.dll
C:\WINDOWS\SYSTEM\wqidx.dll
C:\WINDOWS\SYSTEM\odlypro.dll
C:\WINDOWS\SYSTEM\mxihrnfc.dll
C:\WINDOWS\SYSTEM\mxcuiw32.dll
C:\WINDOWS\SYSTEM\csbview.dll
C:\WINDOWS\SYSTEM\mfdocs.dll
C:\WINDOWS\SYSTEM\rfched20.dll
C:\Windows\System32\Guard.tmp
Next,
Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}"=-
Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.
Reboot now
Post a fresh HJT log please
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
#7
Posted 26 March 2005 - 10:25 AM
Good Morning Don,
Here is the latest report! Thanks once again!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 10:51:01 AM, on 3/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
IDPEERS DLL 227,104 03-15-05 7:35p IDPEERS.DLL
NKDLL DLL 227,104 03-15-05 7:35p NKDLL.DLL
RECMQSVR DLL 227,104 03-15-05 7:35p RECMQSVR.DLL
NRTOS DLL 227,104 03-15-05 7:35p NRTOS.DLL
AAVAPI32 DLL 227,104 03-15-05 7:35p AAVAPI32.DLL
DYEML DLL 227,104 03-15-05 7:35p DYEML.DLL
ITSENG DLL 227,104 03-15-05 7:35p ITSENG.DLL
VUB32 DLL 227,104 03-15-05 7:35p VUB32.DLL
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
DGOUND3D DLL 227,104 03-15-05 7:35p DGOUND3D.DLL
HWDCI DLL 227,104 03-15-05 7:35p HWDCI.DLL
SIHANNEL DLL 227,104 03-15-05 7:35p SIHANNEL.DLL
MXIHRNFC DLL 227,104 03-15-05 7:35p mxihrnfc.dll
MXCUIW32 DLL 227,104 03-15-05 7:35p MXCUIW32.DLL
CSBVIEW DLL 227,104 03-15-05 7:35p CSBVIEW.DLL
MFDOCS DLL 227,104 03-15-05 7:35p MFDOCS.DLL
RFCHED20 DLL 227,104 03-15-05 7:35p RFCHED20.DLL
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
DRKAPI16 DLL 227,104 03-08-05 8:44p DRKAPI16.DLL
GXDEF DLL 227,104 03-08-05 8:44p GXDEF.DLL
HJINV DLL 227,104 03-08-05 8:44p hjinv.dll
DNNMPNTW DLL 227,104 03-08-05 8:44p DNNMPNTW.DLL
PMD DLL 227,104 03-08-05 8:44p PMD.DLL
IWSCONFG DLL 227,104 03-08-05 8:44p IWSCONFG.DLL
SRNS DLL 227,104 03-08-05 8:44p SRNS.DLL
WQIDX DLL 227,104 03-08-05 8:44p wqidx.dll
ODLYPRO DLL 227,104 03-08-05 8:44p OdlyPRO.dll
27 file(s) 6,131,808 bytes
0 dir(s) 53,993.13 MB free
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
IDPEERS DLL 227,104 03-15-05 7:35p IDPEERS.DLL
NKDLL DLL 227,104 03-15-05 7:35p NKDLL.DLL
RECMQSVR DLL 227,104 03-15-05 7:35p RECMQSVR.DLL
NRTOS DLL 227,104 03-15-05 7:35p NRTOS.DLL
AAVAPI32 DLL 227,104 03-15-05 7:35p AAVAPI32.DLL
DYEML DLL 227,104 03-15-05 7:35p DYEML.DLL
ITSENG DLL 227,104 03-15-05 7:35p ITSENG.DLL
VUB32 DLL 227,104 03-15-05 7:35p VUB32.DLL
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
DGOUND3D DLL 227,104 03-15-05 7:35p DGOUND3D.DLL
HWDCI DLL 227,104 03-15-05 7:35p HWDCI.DLL
SIHANNEL DLL 227,104 03-15-05 7:35p SIHANNEL.DLL
MXIHRNFC DLL 227,104 03-15-05 7:35p mxihrnfc.dll
MXCUIW32 DLL 227,104 03-15-05 7:35p MXCUIW32.DLL
CSBVIEW DLL 227,104 03-15-05 7:35p CSBVIEW.DLL
MFDOCS DLL 227,104 03-15-05 7:35p MFDOCS.DLL
RFCHED20 DLL 227,104 03-15-05 7:35p RFCHED20.DLL
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
DRKAPI16 DLL 227,104 03-08-05 8:44p DRKAPI16.DLL
GXDEF DLL 227,104 03-08-05 8:44p GXDEF.DLL
HJINV DLL 227,104 03-08-05 8:44p hjinv.dll
DNNMPNTW DLL 227,104 03-08-05 8:44p DNNMPNTW.DLL
PMD DLL 227,104 03-08-05 8:44p PMD.DLL
IWSCONFG DLL 227,104 03-08-05 8:44p IWSCONFG.DLL
SRNS DLL 227,104 03-08-05 8:44p SRNS.DLL
WQIDX DLL 227,104 03-08-05 8:44p wqidx.dll
ODLYPRO DLL 227,104 03-08-05 8:44p OdlyPRO.dll
27 file(s) 6,131,808 bytes
0 dir(s) 53,866.28 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
1 dir(s) 53,993.09 MB free
---------------- User Agent ------------
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
1 dir(s) 53,866.28 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
sihannel.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
27 items found: 27 files, 0 directories.
Total of file sizes: 6,131,808 bytes 5.85 M
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
sihannel.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
27 items found: 27 files, 0 directories.
Total of file sizes: 6,131,808 bytes 5.85 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\khconc.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\sihannel.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
874 items found: 874 files (27 H/S), 0 directories.
Total of file sizes: 178,226,753 bytes 169.97 M
--------------------End log---------------------
Here is the latest report! Thanks once again!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 10:51:01 AM, on 3/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
IDPEERS DLL 227,104 03-15-05 7:35p IDPEERS.DLL
NKDLL DLL 227,104 03-15-05 7:35p NKDLL.DLL
RECMQSVR DLL 227,104 03-15-05 7:35p RECMQSVR.DLL
NRTOS DLL 227,104 03-15-05 7:35p NRTOS.DLL
AAVAPI32 DLL 227,104 03-15-05 7:35p AAVAPI32.DLL
DYEML DLL 227,104 03-15-05 7:35p DYEML.DLL
ITSENG DLL 227,104 03-15-05 7:35p ITSENG.DLL
VUB32 DLL 227,104 03-15-05 7:35p VUB32.DLL
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
DGOUND3D DLL 227,104 03-15-05 7:35p DGOUND3D.DLL
HWDCI DLL 227,104 03-15-05 7:35p HWDCI.DLL
SIHANNEL DLL 227,104 03-15-05 7:35p SIHANNEL.DLL
MXIHRNFC DLL 227,104 03-15-05 7:35p mxihrnfc.dll
MXCUIW32 DLL 227,104 03-15-05 7:35p MXCUIW32.DLL
CSBVIEW DLL 227,104 03-15-05 7:35p CSBVIEW.DLL
MFDOCS DLL 227,104 03-15-05 7:35p MFDOCS.DLL
RFCHED20 DLL 227,104 03-15-05 7:35p RFCHED20.DLL
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
DRKAPI16 DLL 227,104 03-08-05 8:44p DRKAPI16.DLL
GXDEF DLL 227,104 03-08-05 8:44p GXDEF.DLL
HJINV DLL 227,104 03-08-05 8:44p hjinv.dll
DNNMPNTW DLL 227,104 03-08-05 8:44p DNNMPNTW.DLL
PMD DLL 227,104 03-08-05 8:44p PMD.DLL
IWSCONFG DLL 227,104 03-08-05 8:44p IWSCONFG.DLL
SRNS DLL 227,104 03-08-05 8:44p SRNS.DLL
WQIDX DLL 227,104 03-08-05 8:44p wqidx.dll
ODLYPRO DLL 227,104 03-08-05 8:44p OdlyPRO.dll
27 file(s) 6,131,808 bytes
0 dir(s) 53,993.13 MB free
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
IDPEERS DLL 227,104 03-15-05 7:35p IDPEERS.DLL
NKDLL DLL 227,104 03-15-05 7:35p NKDLL.DLL
RECMQSVR DLL 227,104 03-15-05 7:35p RECMQSVR.DLL
NRTOS DLL 227,104 03-15-05 7:35p NRTOS.DLL
AAVAPI32 DLL 227,104 03-15-05 7:35p AAVAPI32.DLL
DYEML DLL 227,104 03-15-05 7:35p DYEML.DLL
ITSENG DLL 227,104 03-15-05 7:35p ITSENG.DLL
VUB32 DLL 227,104 03-15-05 7:35p VUB32.DLL
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
DGOUND3D DLL 227,104 03-15-05 7:35p DGOUND3D.DLL
HWDCI DLL 227,104 03-15-05 7:35p HWDCI.DLL
SIHANNEL DLL 227,104 03-15-05 7:35p SIHANNEL.DLL
MXIHRNFC DLL 227,104 03-15-05 7:35p mxihrnfc.dll
MXCUIW32 DLL 227,104 03-15-05 7:35p MXCUIW32.DLL
CSBVIEW DLL 227,104 03-15-05 7:35p CSBVIEW.DLL
MFDOCS DLL 227,104 03-15-05 7:35p MFDOCS.DLL
RFCHED20 DLL 227,104 03-15-05 7:35p RFCHED20.DLL
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
DRKAPI16 DLL 227,104 03-08-05 8:44p DRKAPI16.DLL
GXDEF DLL 227,104 03-08-05 8:44p GXDEF.DLL
HJINV DLL 227,104 03-08-05 8:44p hjinv.dll
DNNMPNTW DLL 227,104 03-08-05 8:44p DNNMPNTW.DLL
PMD DLL 227,104 03-08-05 8:44p PMD.DLL
IWSCONFG DLL 227,104 03-08-05 8:44p IWSCONFG.DLL
SRNS DLL 227,104 03-08-05 8:44p SRNS.DLL
WQIDX DLL 227,104 03-08-05 8:44p wqidx.dll
ODLYPRO DLL 227,104 03-08-05 8:44p OdlyPRO.dll
27 file(s) 6,131,808 bytes
0 dir(s) 53,866.28 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
1 dir(s) 53,993.09 MB free
---------------- User Agent ------------
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
1 dir(s) 53,866.28 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
sihannel.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
27 items found: 27 files, 0 directories.
Total of file sizes: 6,131,808 bytes 5.85 M
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
sihannel.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
27 items found: 27 files, 0 directories.
Total of file sizes: 6,131,808 bytes 5.85 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\khconc.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\drkapi16.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\gxdef.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\idpeers.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nkdll.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\recmqsvr.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\nrtos.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hjinv.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\aavapi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dyeml.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dnnmpntw.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\itseng.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\vub32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\pmd.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\iwsconfg.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\dgound3d.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\hwdci.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\sihannel.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\srns.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wqidx.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\odlypro.dll Tue Mar 8 2005 8:44:02p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxihrnfc.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mxcuiw32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\csbview.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mfdocs.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\rfched20.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
874 items found: 874 files (27 H/S), 0 directories.
Total of file sizes: 178,226,753 bytes 169.97 M
--------------------End log---------------------
#8
Posted 27 March 2005 - 09:44 PM
Hi again Nate,
You may want to print out these instructions,
I gave you a similiar list to delete with kill box,
I need you to do a search for each of the list and check properties and make sure they are not checked as Read Only, If they are uncheck them please, Run through all the files and check them prior to running killbox,
Next.
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\ jzdw400.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\drkapi16.dll
C:\WINDOWS\SYSTEM\gxdef.dll
C:\WINDOWS\SYSTEM\idpeers.dll
C:\WINDOWS\SYSTEM\nkdll.dll
C:\WINDOWS\SYSTEM\recmqsvr.dll
C:\WINDOWS\SYSTEM\nrtos.dll
C:\WINDOWS\SYSTEM\hjinv.dll
C:\WINDOWS\SYSTEM\aavapi32.dll
C:\WINDOWS\SYSTEM\dyeml.dll
C:\WINDOWS\SYSTEM\dnnmpntw.dll
C:\WINDOWS\SYSTEM\itseng.dll
C:\WINDOWS\SYSTEM\vub32.dll
C:\WINDOWS\SYSTEM\pmd.dll
C:\WINDOWS\SYSTEM\iwsconfg.dll
C:\WINDOWS\SYSTEM\merd2x40.dll
C:\WINDOWS\SYSTEM\dgound3d.dll
C:\WINDOWS\SYSTEM\hwdci.dll
C:\WINDOWS\SYSTEM\sihannel.dll
C:\WINDOWS\SYSTEM\srns.dll
C:\WINDOWS\SYSTEM\wqidx.dll
C:\WINDOWS\SYSTEM\odlypro.dll
C:\WINDOWS\SYSTEM\mxihrnfc.dll
C:\WINDOWS\SYSTEM\mxcuiw32.dll
C:\WINDOWS\SYSTEM\csbview.dll
C:\WINDOWS\SYSTEM\mfdocs.dll
C:\WINDOWS\SYSTEM\rfched20.dll
C:\WINDOWS\khconc.dll
C:\Windows\System32\Guard.tmp
Reboot now
Post a fresh HJT log please
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
You may want to print out these instructions,
I gave you a similiar list to delete with kill box,
I need you to do a search for each of the list and check properties and make sure they are not checked as Read Only, If they are uncheck them please, Run through all the files and check them prior to running killbox,
Next.
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\ jzdw400.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\drkapi16.dll
C:\WINDOWS\SYSTEM\gxdef.dll
C:\WINDOWS\SYSTEM\idpeers.dll
C:\WINDOWS\SYSTEM\nkdll.dll
C:\WINDOWS\SYSTEM\recmqsvr.dll
C:\WINDOWS\SYSTEM\nrtos.dll
C:\WINDOWS\SYSTEM\hjinv.dll
C:\WINDOWS\SYSTEM\aavapi32.dll
C:\WINDOWS\SYSTEM\dyeml.dll
C:\WINDOWS\SYSTEM\dnnmpntw.dll
C:\WINDOWS\SYSTEM\itseng.dll
C:\WINDOWS\SYSTEM\vub32.dll
C:\WINDOWS\SYSTEM\pmd.dll
C:\WINDOWS\SYSTEM\iwsconfg.dll
C:\WINDOWS\SYSTEM\merd2x40.dll
C:\WINDOWS\SYSTEM\dgound3d.dll
C:\WINDOWS\SYSTEM\hwdci.dll
C:\WINDOWS\SYSTEM\sihannel.dll
C:\WINDOWS\SYSTEM\srns.dll
C:\WINDOWS\SYSTEM\wqidx.dll
C:\WINDOWS\SYSTEM\odlypro.dll
C:\WINDOWS\SYSTEM\mxihrnfc.dll
C:\WINDOWS\SYSTEM\mxcuiw32.dll
C:\WINDOWS\SYSTEM\csbview.dll
C:\WINDOWS\SYSTEM\mfdocs.dll
C:\WINDOWS\SYSTEM\rfched20.dll
C:\WINDOWS\khconc.dll
C:\Windows\System32\Guard.tmp
Reboot now
Post a fresh HJT log please
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
#9
Posted 28 March 2005 - 03:12 PM
Good Afternoon Don,
Here is the latest update. A little bit better I think but still some work to go. Thanks once again!
Nate
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.. 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mmdart32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wlasf.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\ibctl.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
882 items found: 882 files (5 H/S), 0 directories.
Total of file sizes: 179,044,769 bytes 170.75 M
--------------------End log---------------------
Here is the latest update. A little bit better I think but still some work to go. Thanks once again!
Nate
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.. 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mmdart32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wlasf.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\ibctl.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
882 items found: 882 files (5 H/S), 0 directories.
Total of file sizes: 179,044,769 bytes 170.75 M
--------------------End log---------------------
#10
Posted 28 March 2005 - 03:13 PM
Sorry Don,
Only sent part of it. My apologies.
Logfile of HijackThis v1.99.1
Scan saved at 3:53:58 PM, on 3/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
MMDART32 DLL 227,104 03-15-05 7:35p MMDART32.DLL
WLASF DLL 227,104 03-15-05 7:35p WLASF.DLL
IBCTL DLL 227,104 03-15-05 7:35p ibctl.dll
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
5 file(s) 1,135,520 bytes
0 dir(s) 53,777.16 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
PICSVR <DIR> 03-27-05 6:18p picsvr
NSVSVC <DIR> 03-27-05 6:18p nsvsvc
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
3 dir(s) 53,777.13 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.. 227,104 221.78 K
merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mmdart32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
wlasf.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
ibctl.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
5 items found: 5 files, 0 directories.
Total of file sizes: 1,135,520 bytes 1.08 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\khconc.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"Nsv"="C:\\WINDOWS\\SYSTEM\\nsvsvc\\nsvsvc.exe"
"picsvr"="C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL,SHStart"
"KavSvc"="C:\\WINDOWS\\avzkpz.exe"
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.. 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mmdart32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wlasf.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\ibctl.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
882 items found: 882 files (5 H/S), 0 directories.
Total of file sizes: 179,044,769 bytes 170.75 M
--------------------End log---------------------
Only sent part of it. My apologies.
Logfile of HijackThis v1.99.1
Scan saved at 3:53:58 PM, on 3/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
MERD2X40 DLL 227,104 03-15-05 7:35p MERD2X40.DLL
MMDART32 DLL 227,104 03-15-05 7:35p MMDART32.DLL
WLASF DLL 227,104 03-15-05 7:35p WLASF.DLL
IBCTL DLL 227,104 03-15-05 7:35p ibctl.dll
JZDW400 DLL 227,104 03-08-05 8:44p JZDW400.DLL
5 file(s) 1,135,520 bytes
0 dir(s) 53,777.16 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
PICSVR <DIR> 03-27-05 6:18p picsvr
NSVSVC <DIR> 03-27-05 6:18p nsvsvc
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
3 dir(s) 53,777.13 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9CB693AB-EF2E-7C0D-2C12-ED099B3E2B21}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.. 227,104 221.78 K
merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
mmdart32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
wlasf.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
ibctl.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
5 items found: 5 files, 0 directories.
Total of file sizes: 1,135,520 bytes 1.08 M
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\khconc.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"Nsv"="C:\\WINDOWS\\SYSTEM\\nsvsvc\\nsvsvc.exe"
"picsvr"="C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL,SHStart"
"KavSvc"="C:\\WINDOWS\\avzkpz.exe"
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\jzdw400.dll Tue Mar 8 2005 8:44:02p ..S.. 227,104 221.78 K
C:\WINDOWS\SYSTEM\merd2x40.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\mmdart32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\wlasf.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
C:\WINDOWS\SYSTEM\ibctl.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
________________________________________________
882 items found: 882 files (5 H/S), 0 directories.
Total of file sizes: 179,044,769 bytes 170.75 M
--------------------End log---------------------
#11
Posted 28 March 2005 - 07:21 PM
No worry Nate,
Looks like it is cleaning up now,,
Again please check the rest of these to make sure they are not Read Only
Now, download VX2Finder9x(126).exe:
http://downloads.sub...nder9x(126).exe
Save the program in its own folder.
Do not run it yet.
Disconnect from the Internet and close all running programs!
Copy these instructions to Notepad for copy/paste use, since you will be off the Internet and cannot open this window.
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\ jzdw400.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\merd2x40.dll
C:\WINDOWS\SYSTEM\mmdart32.dll
C:\WINDOWS\SYSTEM\wlasf.dll
C:\WINDOWS\SYSTEM\ibctl.dll
C:\WINDOWS\khconc.dll
C:\WINDOWS\unadbeh.exe
C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL
C:\\WINDOWS\\avzkpz.exe
C:\Windows\System32\Guard.tmp
Reboot now
Run VX2Finder9x(126).exe
Select: Click to find VX2 BetterInternet
If any files show, select and click: Delete files
Next, click: User Agent$
Click: Restore Desktop (The Desktop disappears and reappears. It is OK)
Next, click: Import Reg
Once again, select: Click to Find VX2.BetterInternet
When the scan is done, select: Make Log
It will open the log in Notepad.
Please copy and paste the log in your next response.
Close VX2Finder
Post a fresh HJT log please
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
Looks like it is cleaning up now,,
Again please check the rest of these to make sure they are not Read Only
Now, download VX2Finder9x(126).exe:
http://downloads.sub...nder9x(126).exe
Save the program in its own folder.
Do not run it yet.
Disconnect from the Internet and close all running programs!
Copy these instructions to Notepad for copy/paste use, since you will be off the Internet and cannot open this window.
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\ jzdw400.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\merd2x40.dll
C:\WINDOWS\SYSTEM\mmdart32.dll
C:\WINDOWS\SYSTEM\wlasf.dll
C:\WINDOWS\SYSTEM\ibctl.dll
C:\WINDOWS\khconc.dll
C:\WINDOWS\unadbeh.exe
C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL
C:\\WINDOWS\\avzkpz.exe
C:\Windows\System32\Guard.tmp
Reboot now
Run VX2Finder9x(126).exe
Select: Click to find VX2 BetterInternet
If any files show, select and click: Delete files
Next, click: User Agent$
Click: Restore Desktop (The Desktop disappears and reappears. It is OK)
Next, click: Import Reg
Once again, select: Click to Find VX2.BetterInternet
When the scan is done, select: Make Log
It will open the log in Notepad.
Please copy and paste the log in your next response.
Close VX2Finder
Post a fresh HJT log please
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
#12
Posted 28 March 2005 - 08:29 PM
Don,
Here you go again. The VX log did not come up at all. The DLLCompare log was being difficult and it only held one DLL item that I added to the end of the cut and paste. WE seem to be making more head way. Thanks again for all the help!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 8:57:34 PM, on 3/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\AVZKPZ.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\VX2FINDER9X(126).EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\avzkpz.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: unai.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
GYI32 DLL 227,104 03-15-05 7:35p GYI32.DLL
1 file(s) 227,104 bytes
0 dir(s) 53,733.97 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
PICSVR <DIR> 03-27-05 6:18p picsvr
NSVSVC <DIR> 03-27-05 6:18p nsvsvc
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
3 dir(s) 53,733.94 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
gyi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
1 item found: 1 file, 0 directories.
Total of file sizes: 227,104 bytes 221.78 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\rjnzo.dll: excl_urls=heavy.com,onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,cdn.comcast.net,us.i1.yimg.com,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,altfarm.mediaplex.com,mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,adv.eblocs.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,as-us.falkag.net,falkag.net,z1.adserver.com,a1.yimg.com,a.as-us.falkag.net,yimg.com,trafficmp.com,us.a1.yimg.com,ads.exitexchange.com,aaabesthomepage.com,pan-advert.com,clicktrk.com,t.trafficmp.com,loadingwebsite.com,ezula.com,server.iad.liveperson.net,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,oz.valueclick.com,counters.honesty.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,count.exitexchange.com,xanga.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,amch.questionmarket.com,allaboutsearching.com,newupdates.lzio.com,akapp.whenu.com,cfg.mywebsearch.com,ads.delfinproject.com,searcheffect.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,jcontent.bns1.net,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,webpdp.gator.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,bannerfarm.ace.advertising.com,jbns2.cydoor.com,look2me.com,as.adwave.com,popuppers.com,wisapidata.weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,adserv1.gruvmedia.com,cdn.icq.com,banners.pennyweb.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,comcast.net,filter.belkin.com,clickit.go2net.com,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,aim-charts.pf.aol.com,microsoft.com,target.com,yahoo.com,aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,ekmas.com,affiliates.4lowrates.com,creativeby.viewpoint.com,couponage.com,c5.zedo.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,clickserve.cc-dt.com,popups.ad-logics.com,host239.ipowerweb.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,ad.doubleclick.net,as.casalemedia.com,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,sandboxer.com,a.websponsors.com,click2.containsitall.com,media.fastclick.net,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"Nsv"="C:\\WINDOWS\\SYSTEM\\nsvsvc\\nsvsvc.exe"
"picsvr"="C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL,SHStart"
"KavSvc"="C:\\WINDOWS\\avzkpz.exe"
The only item in the DLLCompare log was a C:\WINDOWS\SYSTEM\gyi32.dll
Here you go again. The VX log did not come up at all. The DLLCompare log was being difficult and it only held one DLL item that I added to the end of the cut and paste. WE seem to be making more head way. Thanks again for all the help!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 8:57:34 PM, on 3/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\AVZKPZ.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\VX2FINDER9X(126).EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\avzkpz.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: unai.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
GYI32 DLL 227,104 03-15-05 7:35p GYI32.DLL
1 file(s) 227,104 bytes
0 dir(s) 53,733.97 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
PICSVR <DIR> 03-27-05 6:18p picsvr
NSVSVC <DIR> 03-27-05 6:18p nsvsvc
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
3 dir(s) 53,733.94 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
gyi32.dll Tue Mar 15 2005 7:35:58p ..S.R 227,104 221.78 K
1 item found: 1 file, 0 directories.
Total of file sizes: 227,104 bytes 221.78 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\rjnzo.dll: excl_urls=heavy.com,onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,cdn.comcast.net,us.i1.yimg.com,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,altfarm.mediaplex.com,mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,adv.eblocs.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,as-us.falkag.net,falkag.net,z1.adserver.com,a1.yimg.com,a.as-us.falkag.net,yimg.com,trafficmp.com,us.a1.yimg.com,ads.exitexchange.com,aaabesthomepage.com,pan-advert.com,clicktrk.com,t.trafficmp.com,loadingwebsite.com,ezula.com,server.iad.liveperson.net,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,oz.valueclick.com,counters.honesty.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,count.exitexchange.com,xanga.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,amch.questionmarket.com,allaboutsearching.com,newupdates.lzio.com,akapp.whenu.com,cfg.mywebsearch.com,ads.delfinproject.com,searcheffect.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,jcontent.bns1.net,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,webpdp.gator.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,bannerfarm.ace.advertising.com,jbns2.cydoor.com,look2me.com,as.adwave.com,popuppers.com,wisapidata.weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,adserv1.gruvmedia.com,cdn.icq.com,banners.pennyweb.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,comcast.net,filter.belkin.com,clickit.go2net.com,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,aim-charts.pf.aol.com,microsoft.com,target.com,yahoo.com,aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,ekmas.com,affiliates.4lowrates.com,creativeby.viewpoint.com,couponage.com,c5.zedo.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,clickserve.cc-dt.com,popups.ad-logics.com,host239.ipowerweb.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,ad.doubleclick.net,as.casalemedia.com,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,sandboxer.com,a.websponsors.com,click2.containsitall.com,media.fastclick.net,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"Nsv"="C:\\WINDOWS\\SYSTEM\\nsvsvc\\nsvsvc.exe"
"picsvr"="C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL,SHStart"
"KavSvc"="C:\\WINDOWS\\avzkpz.exe"
The only item in the DLLCompare log was a C:\WINDOWS\SYSTEM\gyi32.dll
#13
Posted 28 March 2005 - 08:55 PM
Looking much better Nate, We are gaining on it,,
Again I want you to remain offline while making these fix's,
Olease print them out or save them to notebook so you have them
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\ rjnzo.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\gyi32.dll
C:\Windows\System32\Guard.tmp
Reboot now
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\avzkpz.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD
C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
C:\WINDOWS\avzkpz.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
Restart your computer,
Please run these two online scans. Make sure they are set to clean automatically:
TrendMicro's HouseCall
ActiveScan
You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.
Then scan again with HijackThis and post another log.
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
Again I want you to remain offline while making these fix's,
Olease print them out or save them to notebook so you have them
Open Killbox, click the option Replace on Reboot & click the box Use Dummy
You'll see the path to the filename appear in the bottom box.
copy & paste 1 at a time starting.
C:\WINDOWS\SYSTEM\ rjnzo.dll
into the top box
Click the red X, Say yes to the message box that comes up, then say No to the next box asking you to reboot.
This is important, if you reboot before you are finished entering all the files, you will have to start over again.
Do the same for this entire list
C:\WINDOWS\SYSTEM\gyi32.dll
C:\Windows\System32\Guard.tmp
Reboot now
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\avzkpz.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD
C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
C:\WINDOWS\avzkpz.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
Restart your computer,
Please run these two online scans. Make sure they are set to clean automatically:
TrendMicro's HouseCall
ActiveScan
You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.
Then scan again with HijackThis and post another log.
Post a fresh FindIt9xME log
Post a fresh DLLCompare log as well please
#14
Posted 29 March 2005 - 06:44 PM
Hey Don,
Here are the latest reports. Good news, there was nothing in the DLLcompare log now! That and I checked the host file for the first time in a week tonight and the ip addresses that were bad are now gone! OK here are the logs. Let me know if you see anything else I need to take care of. Once this is all said and done I will also run virus scan, spybot, counterspy and ad aware to make sure everything if good. THanks once again for all this help!!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 7:30:46 PM, on 3/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: STRINGS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
53,594.41 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
PICSVR <DIR> 03-27-05 6:18p picsvr
NSVSVC <DIR> 03-27-05 6:18p nsvsvc
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
3 dir(s) 53,594.38 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------------ Locate.com Results ------------------
No matches found.
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\rjnzo.dll: excl_urls=heavy.com,onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,cdn.comcast.net,us.i1.yimg.com,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,altfarm.mediaplex.com,mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,adv.eblocs.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,as-us.falkag.net,falkag.net,z1.adserver.com,a1.yimg.com,a.as-us.falkag.net,yimg.com,trafficmp.com,us.a1.yimg.com,ads.exitexchange.com,aaabesthomepage.com,pan-advert.com,clicktrk.com,t.trafficmp.com,loadingwebsite.com,ezula.com,server.iad.liveperson.net,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,oz.valueclick.com,counters.honesty.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,count.exitexchange.com,xanga.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,amch.questionmarket.com,allaboutsearching.com,newupdates.lzio.com,akapp.whenu.com,cfg.mywebsearch.com,ads.delfinproject.com,searcheffect.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,jcontent.bns1.net,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,webpdp.gator.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,bannerfarm.ace.advertising.com,jbns2.cydoor.com,look2me.com,as.adwave.com,popuppers.com,wisapidata.weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,adserv1.gruvmedia.com,cdn.icq.com,banners.pennyweb.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,comcast.net,filter.belkin.com,clickit.go2net.com,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,aim-charts.pf.aol.com,microsoft.com,target.com,yahoo.com,aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,ekmas.com,affiliates.4lowrates.com,creativeby.viewpoint.com,couponage.com,c5.zedo.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,clickserve.cc-dt.com,popups.ad-logics.com,host239.ipowerweb.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,ad.doubleclick.net,as.casalemedia.com,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,sandboxer.com,a.websponsors.com,click2.containsitall.com,media.fastclick.net,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
Here are the latest reports. Good news, there was nothing in the DLLcompare log now! That and I checked the host file for the first time in a week tonight and the ip addresses that were bad are now gone! OK here are the logs. Let me know if you see anything else I need to take care of. Once this is all said and done I will also run virus scan, spybot, counterspy and ad aware to make sure everything if good. THanks once again for all this help!!
Nate
Logfile of HijackThis v1.99.1
Scan saved at 7:30:46 PM, on 3/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: STRINGS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
53,594.41 MB free
------- Hidden Files in System Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 3649-19E9
Directory of C:\WINDOWS\SYSTEM
PICSVR <DIR> 03-27-05 6:18p picsvr
NSVSVC <DIR> 03-27-05 6:18p nsvsvc
VMSS <DIR> 01-13-05 10:45a vmss
ZLLICTBL DAT 4,212 08-10-04 9:11p zllictbl.dat
FOLDER HTT 23,155 11-01-00 3:51p folder.htt
DESKTOP INI 271 11-01-00 3:51p desktop.ini
3 file(s) 27,638 bytes
3 dir(s) 53,594.38 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------------ Locate.com Results ------------------
No matches found.
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\rjnzo.dll: excl_urls=heavy.com,onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,cdn.comcast.net,us.i1.yimg.com,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,altfarm.mediaplex.com,mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,adv.eblocs.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,as-us.falkag.net,falkag.net,z1.adserver.com,a1.yimg.com,a.as-us.falkag.net,yimg.com,trafficmp.com,us.a1.yimg.com,ads.exitexchange.com,aaabesthomepage.com,pan-advert.com,clicktrk.com,t.trafficmp.com,loadingwebsite.com,ezula.com,server.iad.liveperson.net,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,oz.valueclick.com,counters.honesty.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,count.exitexchange.com,xanga.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,amch.questionmarket.com,allaboutsearching.com,newupdates.lzio.com,akapp.whenu.com,cfg.mywebsearch.com,ads.delfinproject.com,searcheffect.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,jcontent.bns1.net,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,webpdp.gator.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,bannerfarm.ace.advertising.com,jbns2.cydoor.com,look2me.com,as.adwave.com,popuppers.com,wisapidata.weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,adserv1.gruvmedia.com,cdn.icq.com,banners.pennyweb.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,comcast.net,filter.belkin.com,clickit.go2net.com,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,aim-charts.pf.aol.com,microsoft.com,target.com,yahoo.com,aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,ekmas.com,affiliates.4lowrates.com,creativeby.viewpoint.com,couponage.com,c5.zedo.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,clickserve.cc-dt.com,popups.ad-logics.com,host239.ipowerweb.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,ad.doubleclick.net,as.casalemedia.com,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,sandboxer.com,a.websponsors.com,click2.containsitall.com,media.fastclick.net,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.522: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.522: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadQM"="loadqm.exe"
"ICSMGR"="ICSMGR.EXE"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
#15
Posted 30 March 2005 - 08:41 PM
Great stuff Nate,
Please run the 2 online scan please let us know what they come back with
Please run the 2 online scan please let us know what they come back with
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users