Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Starting Instructions [resolved]

Started by vanny , Mar 27 2005 10:31 PM

  • This topic is locked This topic is locked

#1
vanny
Posted 27 March 2005 - 10:31 PM

vanny

    Member

  • Member
  • PipPip
  • 19 posts
I am trying to complete the tasks set out to do before posting hijack this log, but I've had a few problems. I couldn't get Adaware to accept the tweak During removal, unload explorer and IE if necessary", I couldn't get all programs to close when running programs (but I have run them in safe mode). I am not sure if I got the DOS Exploit fix for Spybot - I kept getting errors. Can you tell how to know if I got it? I have two programs running at start-up that I don't recognize - ddpd.exe, which doesn't come up on a Google, and KavSvc, which appears to have something to do with Kapersky antivirus, but I have no idea where it came from. I am having the IGetNet problem, where i have auto.search.msn.com, ieautosearch and search.netscape.com, all with 69.20.16.183 and numerous pop-up ads interupting my surfing and gaming. I think I also have a Trojan - n20050308.exe - it could not be removed because the file was in use, but I can't get norton to run in safe mode to get it taken care of. I did run Adaware, Spybot, and SpywareDoctor in Safe mode with varying results. I don't remember specifically what they were. After running the above programs in Safe mode, Norton run regularly came up with WUInst.dll, MiniBugTransport, exStub.exe and n20050308.exe.
I am not sure what to do next - should I post my HJT log, or do I need to work on these other initial steps first.
Thanks so much for your help - I've been struggling for weeks trying to clean this out.
Karen
  • 0

Advertisements

#2
coachwife6
Posted 27 March 2005 - 11:00 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Just go ahead and post the log. :tazz:
  • 0

#3
vanny
Posted 31 March 2005 - 06:16 PM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:12:48 PM, on 3/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RRMRMZ.EXE
C:\PROGRAM FILES\ICQ\NDETECT.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROTEK\SCANWIZARD 5\SCANNERFINDER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NORTON ANTIVIRUS\OPSCAN.EXE
C:\WINDOWS\DESKTOP\MY SOFTWARE\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrmrmz.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Startup: ddpd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {33C9CD44-1EB4-41BC-BDAE-67200C31CC01} - http://supportservic...ages/msncfg.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - https://supportservi...ool/MailCfg.cab
O16 - DPF: {94418D7F-29BF-460F-8614-DEFB34871FA4} () - https://secure3.true.../TrueConfig.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.co...p-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = 702com.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.239.0.75,216.239.0.76
  • 0

#4
vanny
Posted 31 March 2005 - 06:27 PM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Please disregard above log - I had some programs turned off, and forgot to turn them on before i ran my HJT. BRB with log including all. So sorry, and thanks so much for help.
Karen
  • 0

#5
vanny
Posted 31 March 2005 - 06:30 PM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK, here is the log with all start-up programs turned on.

Logfile of HijackThis v1.99.1
Scan saved at 6:27:42 PM, on 3/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RRMRMZ.EXE
C:\WINDOWS\N20050308.EXE
C:\PROGRAM FILES\ICQ\NDETECT.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROTEK\SCANWIZARD 5\SCANNERFINDER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NORTON ANTIVIRUS\OPSCAN.EXE
C:\WINDOWS\DESKTOP\MY SOFTWARE\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrmrmz.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\SIXTYPOPSIX.exe
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\N20050308.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Startup: ddpd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {33C9CD44-1EB4-41BC-BDAE-67200C31CC01} - http://supportservic...ages/msncfg.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - https://supportservi...ool/MailCfg.cab
O16 - DPF: {94418D7F-29BF-460F-8614-DEFB34871FA4} () - https://secure3.true.../TrueConfig.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.co...p-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = 702com.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.239.0.75,216.239.0.76
  • 0

#6
coachwife6
Posted 31 March 2005 - 07:07 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download the following file:

http://castlecops.co.../FindIt9xME.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
  • 0

#7
vanny
Posted 31 March 2005 - 09:05 PM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
do I need to enable everything on start-up again, or will it work with the ugly programs turned off? I'm thinking we just needed them activated for the HJT log?
Karen
  • 0

#8
coachwife6
Posted 31 March 2005 - 09:07 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Enable everything.
  • 0

#9
vanny
Posted 01 April 2005 - 11:35 PM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is HP_PAVILION
Volume Serial Number is 0D6D-0AD5
Directory of C:\WINDOWS\SYSTEM

RYCLTCCM DLL 227,104 03-17-05 9:57p RYCLTCCM.DLL
SYNDMAIL DLL 227,104 03-17-05 9:57p SYNDMAIL.DLL
MTNP32 DLL 227,104 03-17-05 9:57p MTNP32.DLL
CFYPTUI DLL 227,104 03-17-05 9:57p CFYPTUI.DLL
HIFREADR DLL 227,104 03-17-05 9:57p HIFREADR.DLL
MUTIME DLL 227,104 03-17-05 9:57p MUTIME.DLL
IX1XDD DLL 227,104 03-17-05 9:57p iX1xdd.dll
MMHTMLER DLL 227,104 03-17-05 9:57p MMHTMLER.DLL
FQWPP DLL 227,104 03-17-05 9:57p FQWPP.DLL
INSCLASS DLL 227,104 03-17-05 9:57p INSCLASS.DLL
ALICAP DLL 227,104 03-17-05 9:57p ALICAP.DLL
OPBCCR32 DLL 227,104 03-17-05 9:57p OPBCCR32.DLL
OPEACCRC DLL 227,104 03-17-05 9:57p OPEACCRC.DLL
MGVIDCTL DLL 227,104 03-17-05 9:57p MGVIDCTL.DLL
MGREPL40 DLL 227,104 03-17-05 9:57p MGREPL40.DLL
MTXMLR DLL 227,104 03-17-05 9:57p MTXMLR.DLL
DZDREF8 DLL 227,104 03-17-05 9:57p dZdref8.dll
HJFECP20 DLL 227,104 03-17-05 9:57p HJFecp20.dll
PEC_SDK DLL 227,104 03-17-05 9:57p PEC_SDK.dll
DRIMG401 DLL 227,104 03-17-05 9:57p drimg401.dll
RVCRTP DLL 227,104 03-17-05 9:57p RVCRTP.dll
NMTBIOS DLL 227,104 03-17-05 9:57p NMTBIOS.DLL
CCPICOM DLL 227,104 03-17-05 9:57p cCpicom.dll
PPXUSD DLL 227,104 03-17-05 9:57p PPXUSD.DLL
MJC70U DLL 227,104 03-17-05 9:57p mjc70u.dll
MEREPL35 DLL 227,104 03-17-05 9:57p MEREPL35.DLL
HRFIMG20 DLL 227,104 03-17-05 9:57p HRFimg20.dll
EV00STR DLL 227,104 03-17-05 9:57p EV00str.dll
ARL DLL 227,104 03-17-05 9:57p arl.dll
RDAUI DLL 227,104 03-17-05 9:57p RDAUI.DLL
SSTUPX DLL 227,104 03-17-05 9:57p SSTUPX.DLL
CPCFG32 DLL 227,104 03-17-05 9:57p CPCFG32.DLL
OOEACCRC DLL 227,104 03-17-05 9:57p OOEACCRC.DLL
MLR DLL 227,104 03-17-05 9:57p MLR.DLL
MVVCR71 DLL 227,104 03-17-05 9:57p mvvcr71.dll
WDNG32 DLL 227,104 03-17-05 9:57p WDNG32.DLL
MWR DLL 227,104 03-17-05 9:57p MWR.DLL
XVILEXR DLL 227,104 03-17-05 9:57p XVILEXR.DLL
MBJINT35 DLL 227,104 03-17-05 9:57p MBJINT35.DLL
SUHANNEL DLL 227,104 03-17-05 9:57p SUHANNEL.DLL
DACPROP DLL 227,104 03-17-05 9:57p DACPROP.DLL
SBGE DLL 227,104 03-17-05 9:57p sBge.dll
WDLP32T DLL 227,104 03-17-05 9:57p WDLP32T.DLL
OTSLB400 DLL 227,104 03-17-05 9:57p OTSLB400.DLL
WNBVW DLL 227,104 03-09-05 12:13a WNBVW.DLL
MEIOSD16 DLL 227,104 03-09-05 12:13a MEIOSD16.DLL
UVP10 DLL 227,104 03-09-05 12:13a uvp10.dll
DB210 DLL 227,104 03-09-05 12:13a DB210.dll
EATIER2 DLL 227,104 03-09-05 12:13a EATIER2.DLL
MKC70U DLL 227,104 03-09-05 12:13a mkc70u.dll
TIAPI DLL 227,104 03-09-05 12:13a TIAPI.DLL
FUAMEBUF DLL 227,104 03-09-05 12:13a FUAMEBUF.DLL
MCVCP70 DLL 227,104 03-09-05 12:13a mcvcp70.dll
IN41_QCX DLL 227,104 03-09-05 12:13a in41_qcx.dll
APYCFILT DLL 227,104 03-09-05 12:13a APYCFILT.DLL
SMSCLASS DLL 227,104 03-09-05 12:13a SMSCLASS.DLL
WYAUDSDK DLL 227,104 03-09-05 12:13a WYAUDSDK.DLL
AUERES DLL 227,104 03-09-05 12:13a aueres.dll
SASDETMG DLL 227,104 03-09-05 12:13a SASDETMG.DLL
OO25 DLL 227,104 03-09-05 12:13a OO25.DLL
OWBC16GT DLL 227,104 03-09-05 12:13a OWBC16GT.DLL
AXL71 DLL 227,104 03-09-05 12:13a axl71.dll
MYPRINT DLL 227,104 03-09-05 12:13a MYPRINT.DLL
RQANP DLL 227,104 03-09-05 12:13a RQANP.DLL
FLWPP DLL 227,104 03-09-05 12:13a FLWPP.DLL
PVTORERC DLL 227,104 03-09-05 12:13a PVTORERC.DLL
ABVIEW32 DLL 227,104 03-09-05 12:13a ABVIEW32.DLL
FJAMEBUF DLL 227,104 03-09-05 12:13a FJAMEBUF.DLL
68 file(s) 15,443,072 bytes
0 dir(s) 3,389.76 MB free

------- Hidden Files in System Directory -------


Volume in drive C is HP_PAVILION
Volume Serial Number is 0D6D-0AD5
Directory of C:\WINDOWS\SYSTEM

TCAUDIAG GID 8,628 03-12-05 7:28p TCAUDIAG.GID
RATINGS POL 16,384 01-14-05 5:21p RATINGS.POL
HPF61D20 GID 8,628 03-04-04 5:46p HPF61d20.GID
HPF61H20 GID 8,628 11-20-02 3:37p HPF61h20.GID
HPF61T20 GID 8,628 06-18-02 10:47p HPF61t20.GID
HPF61R20 GID 8,628 03-06-00 11:19p HPF61r20.GID
FOLDER HTT 13,122 11-09-99 1:13p folder.htt
DESKTOP INI 266 11-09-99 1:13p desktop.ini
8 file(s) 72,912 bytes
0 dir(s) 3,389.75 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9D15D0F3-96A8-4118-02DA-0AE0360FC0B8}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
wnbvw.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
rycltccm.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
syndmail.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
meiosd16.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
ratings.pol Fri Jan 14 2005 5:21:30p ...HR 16,384 16.00 K
mtnp32.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
cfyptui.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
hifreadr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
uvp10.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
db210.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
eatier2.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
mkc70u.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
tiapi.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
mutime.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
ix1xdd.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
fuamebuf.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
mcvcp70.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
in41_qcx.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
mmhtmler.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
fqwpp.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
apycfilt.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
smsclass.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
wyaudsdk.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
aueres.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
sasdetmg.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
oo25.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
owbc16gt.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
axl71.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
myprint.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
rqanp.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
flwpp.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
pvtorerc.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
abview32.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
fjamebuf.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
insclass.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
alicap.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
tcaudiag.gid Sat Mar 12 2005 7:28:38p A..H. 8,628 8.43 K
opbccr32.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
opeaccrc.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mgvidctl.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mgrepl40.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mtxmlr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
dzdref8.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
hjfecp20.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
pec_sdk.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
drimg401.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
rvcrtp.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
nmtbios.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
ccpicom.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
ppxusd.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mjc70u.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
merepl35.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
hrfimg20.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
ev00str.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
arl.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
rdaui.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
sstupx.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
cpcfg32.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
ooeaccrc.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mlr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mvvcr71.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
wdng32.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mwr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
xvilexr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mbjint35.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
suhannel.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
dacprop.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
sbge.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
wdlp32t.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
otslb400.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K

70 items found: 70 files, 0 directories.
Total of file sizes: 15,468,084 bytes 14.75 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.A
C:\WINDOWS\aaeaec.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\aahah.dll: excl_urls=heavy.com,onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,cdn.comcast.net,us.i1.yimg.com,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,altfarm.mediaplex.com,mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,adv.eblocs.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,as-us.falkag.net,falkag.net,z1.adserver.com,a1.yimg.com,a.as-us.falkag.net,yimg.com,trafficmp.com,us.a1.yimg.com,ads.exitexchange.com,aaabesthomepage.com,pan-advert.com,clicktrk.com,t.trafficmp.com,loadingwebsite.com,ezula.com,server.iad.liveperson.net,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,oz.valueclick.com,counters.honesty.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,count.exitexchange.com,xanga.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,amch.questionmarket.com,allaboutsearching.com,newupdates.lzio.com,akapp.whenu.com,cfg.mywebsearch.com,ads.delfinproject.com,searcheffect.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,jcontent.bns1.net,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,webpdp.gator.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,bannerfarm.ace.advertising.com,jbns2.cydoor.com,look2me.com,as.adwave.com,popuppers.com,wisapidata.weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,adserv1.gruvmedia.com,cdn.icq.com,banners.pennyweb.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,comcast.net,filter.belkin.com,clickit.go2net.com,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,aim-charts.pf.aol.com,microsoft.com,target.com,yahoo.com,aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,ekmas.com,affiliates.4lowrates.com,creativeby.viewpoint.com,couponage.com,c5.zedo.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,clickserve.cc-dt.com,popups.ad-logics.com,host239.ipowerweb.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,ad.doubleclick.net,as.casalemedia.com,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,sandboxer.com,a.websponsors.com,click2.containsitall.com,media.fastclick.net,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\VSAPI32.DLL: ASPACK EXE
C:\WINDOWS\VSAPI32.DLL: ASPACK2 EXE
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.04
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.03
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.02b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.01
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08
C:\WINDOWS\VSAPI32.DLL: ASPack 1.07b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.61
C:\WINDOWS\VSAPI32.DLL: ASPack 1.05b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.03
C:\WINDOWS\VSAPI32.DLL: ASPack 1.02
C:\WINDOWS\VSAPI32.DLL: ASPack 1.01
C:\WINDOWS\VSAPI32.DLL: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec Core LC"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe start"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"TCASUTIEXE"="TCAUDIAG.EXE -off"
"KavSvc"="C:\\WINDOWS\\rrmrmz.exe"
"sixtysix"="C:\\WINDOWS\\SIXTYPOPSIX.exe"
"nsvcin"="C:\\WINDOWS\\N20050308.EXE"


  • 0

#10
coachwife6
Posted 01 April 2005 - 11:56 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the http://www.bleepingc...les/killbox.php

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.


C:\WINDOWS\SYSTEM\RYCLTCCM.DLL

3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat step 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

C:\WINDOWS\SYSTEM\SYNDMAIL DLL
C:\WINDOWS\SYSTEM\MTNP32 DLL
C:\WINDOWS\SYSTEM\CFYPTUI DLL
C:\WINDOWS\SYSTEM\ HIFREADR.DLL
C:\WINDOWS\SYSTEM\MUTIME.DLL
C:\WINDOWS\SYSTEM\ iX1xdd.dll
C:\WINDOWS\SYSTEM\MMHTMLER.DLL
C:\WINDOWS\SYSTEM\FQWPP.DLL
C:\WINDOWS\SYSTEM\ INSCLASS.DLL
C:\WINDOWS\SYSTEM\ALICAP.DLL
C:\WINDOWS\SYSTEM\OPBCCR32.DLL
C:\WINDOWS\SYSTEM\OPEACCRC.DLL
C:\WINDOWS\SYSTEM\MGVIDCTL.DLL
C:\WINDOWS\SYSTEM\MGREPL40.DLL
C:\WINDOWS\SYSTEM\MTXMLR DLL
C:\WINDOWS\SYSTEM\DZDREF8 DLL
C:\WINDOWS\SYSTEM\HJFECP20 DLL
C:\WINDOWS\SYSTEM\PEC_SDK DLL
C:\WINDOWS\SYSTEM\DRIMG401 DLL
C:\WINDOWS\SYSTEM\RVCRTP DLL
C:\WINDOWS\SYSTEM\NMTBIOS.DLL
C:\WINDOWS\SYSTEM\cCpicom.dll
C:\WINDOWS\SYSTEM\PPXUSD.DLL
C:\WINDOWS\SYSTEM\mjc70u.dll
C:\WINDOWS\SYSTEM\MEREPL35.DLL
C:\WINDOWS\SYSTEM\HRFimg20.dll
C:\WINDOWS\SYSTEM\EV00str.dll
C:\WINDOWS\SYSTEM\arl.dll
C:\WINDOWS\SYSTEM\RDAUI.DLL
C:\WINDOWS\SYSTEM\SSTUPX.DLL
C:\WINDOWS\SYSTEM\CPCFG32.DLL
C:\WINDOWS\SYSTEM\OOEACCRC.DLL
C:\WINDOWS\SYSTEM\MLR.DLL
C:\WINDOWS\SYSTEM\ mvvcr71.dll
C:\WINDOWS\SYSTEM\WDNG32.DLL
C:\WINDOWS\SYSTEM\MWR.DLL
C:\WINDOWS\SYSTEM\ XVILEXR.DLL
C:\WINDOWS\SYSTEM\MBJINT35.DLL
C:\WINDOWS\SYSTEM\SUHANNEL.DLL
C:\WINDOWS\SYSTEM\DACPROP.DLL
C:\WINDOWS\SYSTEM\sBge.dll
C:\WINDOWS\SYSTEM\WDLP32T.DLL
C:\WINDOWS\SYSTEM\OTSLB400.DLL
C:\WINDOWS\SYSTEM\WNBVW.DLL
C:\WINDOWS\SYSTEM\ MEIOSD16.DLL
C:\WINDOWS\SYSTEM\uvp10.dll
C:\WINDOWS\SYSTEM\DB210.dll
C:\WINDOWS\SYSTEM\EATIER2.DLL
C:\WINDOWS\SYSTEM\mkc70u.dll
C:\WINDOWS\SYSTEM\TIAPI.DLL
C:\WINDOWS\SYSTEM\FUAMEBUF.DLL
C:\WINDOWS\SYSTEM\mcvcp70.dll
C:\WINDOWS\SYSTEM\in41_qcx.dll
C:\WINDOWS\SYSTEM\APYCFILT.DLL
C:\WINDOWS\SYSTEM\SMSCLASS.DLL
C:\WINDOWS\SYSTEM\WYAUDSDK.DLL
C:\WINDOWS\SYSTEM\aueres.dll
C:\WINDOWS\SYSTEM\SASDETMG.DLL
C:\WINDOWS\SYSTEM\OO25.DLL
C:\WINDOWS\SYSTEM\OWBC16GT.DLL
C:\WINDOWS\SYSTEM\axl71.dll
C:\WINDOWS\SYSTEM\MYPRINT.DLL
C:\WINDOWS\SYSTEM\RQANP.DLL
C:\WINDOWS\SYSTEM\FLWPP.DLL
C:\WINDOWS\SYSTEM\ PVTORERC.DLL
C:\WINDOWS\SYSTEM\ABVIEW32.DLL
C:\WINDOWS\SYSTEM\FJAMEBUF.DLL
C:\WINDOWS\SYSTEM\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Post a new log with the LATEST version of HJT, 1.99.1,and a new fix-it log.
  • 0

Advertisements

#11
vanny
Posted 02 April 2005 - 12:16 AM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
There were two file I could unzip. One was killbox.zip and one was killbox(1).zip I think. I chose the first one and began the process. The first file I didn't select replace on reboot or put a checkmark next to use dummy, but I redid the step and it seemed ok. First I get a test message, I click OK, then I get a Replace on reboot prompt and clik ok, but I don't get a pending operations prompt. I get a file will be deleted on reboot message is all. I did two or three files this way. Should I continue, or is something wrong?
Thank you for your help.
Karen
  • 0

#12
coachwife6
Posted 02 April 2005 - 07:11 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please continue. You have a really bad infection. :tazz:
  • 0

#13
vanny
Posted 02 April 2005 - 10:20 AM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Here is the FindIt log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is HP_PAVILION
Volume Serial Number is 0D6D-0AD5
Directory of C:\WINDOWS\SYSTEM

DTVENUM DLL 227,104 03-17-05 9:57p DTVENUM.DLL
SYNDMAIL DLL 227,104 03-17-05 9:57p SYNDMAIL.DLL
MTNP32 DLL 227,104 03-17-05 9:57p MTNP32.DLL
CFYPTUI DLL 227,104 03-17-05 9:57p CFYPTUI.DLL
HIFREADR DLL 227,104 03-17-05 9:57p HIFREADR.DLL
IX1XDD DLL 227,104 03-17-05 9:57p iX1xdd.dll
INSCLASS DLL 227,104 03-17-05 9:57p INSCLASS.DLL
MTXMLR DLL 227,104 03-17-05 9:57p MTXMLR.DLL
DZDREF8 DLL 227,104 03-17-05 9:57p dZdref8.dll
HJFECP20 DLL 227,104 03-17-05 9:57p HJFecp20.dll
PEC_SDK DLL 227,104 03-17-05 9:57p PEC_SDK.dll
DRIMG401 DLL 227,104 03-17-05 9:57p drimg401.dll
RVCRTP DLL 227,104 03-17-05 9:57p RVCRTP.dll
MVVCR71 DLL 227,104 03-17-05 9:57p mvvcr71.dll
XVILEXR DLL 227,104 03-17-05 9:57p XVILEXR.DLL
MEIOSD16 DLL 227,104 03-09-05 12:13a MEIOSD16.DLL
MYPRINT DLL 227,104 03-09-05 12:13a MYPRINT.DLL
PVTORERC DLL 227,104 03-09-05 12:13a PVTORERC.DLL
18 file(s) 4,087,872 bytes
0 dir(s) 3,399.95 MB free

------- Hidden Files in System Directory -------


Volume in drive C is HP_PAVILION
Volume Serial Number is 0D6D-0AD5
Directory of C:\WINDOWS\SYSTEM

TCAUDIAG GID 8,628 03-12-05 7:28p TCAUDIAG.GID
RATINGS POL 16,384 01-14-05 5:21p RATINGS.POL
HPF61D20 GID 8,628 03-04-04 5:46p HPF61d20.GID
HPF61H20 GID 8,628 11-20-02 3:37p HPF61h20.GID
HPF61T20 GID 8,628 06-18-02 10:47p HPF61t20.GID
HPF61R20 GID 8,628 03-06-00 11:19p HPF61r20.GID
FOLDER HTT 13,122 11-09-99 1:13p folder.htt
DESKTOP INI 266 11-09-99 1:13p desktop.ini
8 file(s) 72,912 bytes
0 dir(s) 3,399.94 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9D15D0F3-96A8-4118-02DA-0AE0360FC0B8}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
dtvenum.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
syndmail.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
meiosd16.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
ratings.pol Fri Jan 14 2005 5:21:30p ...HR 16,384 16.00 K
mtnp32.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
cfyptui.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
hifreadr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
ix1xdd.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
myprint.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
pvtorerc.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
insclass.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
tcaudiag.gid Sat Mar 12 2005 7:28:38p A..H. 8,628 8.43 K
mtxmlr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
dzdref8.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
hjfecp20.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
pec_sdk.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
drimg401.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
rvcrtp.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mvvcr71.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
xvilexr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K

20 items found: 20 files, 0 directories.
Total of file sizes: 4,112,884 bytes 3.92 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.A
C:\WINDOWS\aaeaec.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\aahah.dll: excl_urls=heavy.com,onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,cdn.comcast.net,us.i1.yimg.com,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,altfarm.mediaplex.com,mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,adv.eblocs.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,as-us.falkag.net,falkag.net,z1.adserver.com,a1.yimg.com,a.as-us.falkag.net,yimg.com,trafficmp.com,us.a1.yimg.com,ads.exitexchange.com,aaabesthomepage.com,pan-advert.com,clicktrk.com,t.trafficmp.com,loadingwebsite.com,ezula.com,server.iad.liveperson.net,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,oz.valueclick.com,counters.honesty.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,count.exitexchange.com,xanga.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,amch.questionmarket.com,allaboutsearching.com,newupdates.lzio.com,akapp.whenu.com,cfg.mywebsearch.com,ads.delfinproject.com,searcheffect.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,jcontent.bns1.net,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,webpdp.gator.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,bannerfarm.ace.advertising.com,jbns2.cydoor.com,look2me.com,as.adwave.com,popuppers.com,wisapidata.weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,adserv1.gruvmedia.com,cdn.icq.com,banners.pennyweb.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,comcast.net,filter.belkin.com,clickit.go2net.com,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,aim-charts.pf.aol.com,microsoft.com,target.com,yahoo.com,aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,ekmas.com,affiliates.4lowrates.com,creativeby.viewpoint.com,couponage.com,c5.zedo.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,clickserve.cc-dt.com,popups.ad-logics.com,host239.ipowerweb.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,ad.doubleclick.net,as.casalemedia.com,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,sandboxer.com,a.websponsors.com,click2.containsitall.com,media.fastclick.net,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\VSAPI32.DLL: ASPACK EXE
C:\WINDOWS\VSAPI32.DLL: ASPACK2 EXE
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.04
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.03
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.02b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.01
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08
C:\WINDOWS\VSAPI32.DLL: ASPack 1.07b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.61
C:\WINDOWS\VSAPI32.DLL: ASPack 1.05b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.03
C:\WINDOWS\VSAPI32.DLL: ASPack 1.02
C:\WINDOWS\VSAPI32.DLL: ASPack 1.01
C:\WINDOWS\VSAPI32.DLL: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec Core LC"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe start"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"TCASUTIEXE"="TCAUDIAG.EXE -off"
"KavSvc"="C:\\WINDOWS\\rrmrmz.exe"
"sixtysix"="C:\\WINDOWS\\SIXTYPOPSIX.exe"
"nsvcin"="C:\\WINDOWS\\N20050308.EXE"




And here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:18:04 AM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RRMRMZ.EXE
C:\WINDOWS\N20050308.EXE
C:\PROGRAM FILES\ICQ\NDETECT.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROTEK\SCANWIZARD 5\SCANNERFINDER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\MY SOFTWARE\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrmrmz.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\SIXTYPOPSIX.exe
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\N20050308.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Startup: ddpd.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {33C9CD44-1EB4-41BC-BDAE-67200C31CC01} - http://supportservic...ages/msncfg.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - https://supportservi...ool/MailCfg.cab
O16 - DPF: {94418D7F-29BF-460F-8614-DEFB34871FA4} () - https://secure3.true.../TrueConfig.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.co...p-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = 702com.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.239.0.75,216.239.0.76
  • 0

#14
coachwife6
Posted 02 April 2005 - 10:30 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.


C:\WINDOWS\SYSTEM\dtvenum.dll

3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat step 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

syndmail.dll
meiosd16.dll
mtnp32.dll
cfyptui.dll

ix1xdd.dll
myprint.dll
pvtorerc.dll
insclass.dll

mtxmlr.dll
dzdref8.dll
hjfecp20.dll
pec_sdk.dll
drimg401.dll
rvcrtp.dll
mvvcr71.dll
xvilexr.dll

C:\WINDOWS\SYSTEM\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Post a new log with the LATEST version of HJT, 1.99.1,and a new fix-it log.
  • 0

#15
vanny
Posted 02 April 2005 - 11:23 AM

vanny

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I just can't thank you enough for your help with this. I have said a prayer for you and your family. Karen
Here is the new FindIt log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is HP_PAVILION
Volume Serial Number is 0D6D-0AD5
Directory of C:\WINDOWS\SYSTEM

ADICAP DLL 227,104 03-17-05 9:57p ADICAP.DLL
SYNDMAIL DLL 227,104 03-17-05 9:57p SYNDMAIL.DLL
MTNP32 DLL 227,104 03-17-05 9:57p MTNP32.DLL
CFYPTUI DLL 227,104 03-17-05 9:57p CFYPTUI.DLL
HIFREADR DLL 227,104 03-17-05 9:57p HIFREADR.DLL
IX1XDD DLL 227,104 03-17-05 9:57p iX1xdd.dll
INSCLASS DLL 227,104 03-17-05 9:57p INSCLASS.DLL
MTXMLR DLL 227,104 03-17-05 9:57p MTXMLR.DLL
DZDREF8 DLL 227,104 03-17-05 9:57p dZdref8.dll
HJFECP20 DLL 227,104 03-17-05 9:57p HJFecp20.dll
PEC_SDK DLL 227,104 03-17-05 9:57p PEC_SDK.dll
DRIMG401 DLL 227,104 03-17-05 9:57p drimg401.dll
RVCRTP DLL 227,104 03-17-05 9:57p RVCRTP.dll
MVVCR71 DLL 227,104 03-17-05 9:57p mvvcr71.dll
XVILEXR DLL 227,104 03-17-05 9:57p XVILEXR.DLL
MEIOSD16 DLL 227,104 03-09-05 12:13a MEIOSD16.DLL
MYPRINT DLL 227,104 03-09-05 12:13a MYPRINT.DLL
PVTORERC DLL 227,104 03-09-05 12:13a PVTORERC.DLL
18 file(s) 4,087,872 bytes
0 dir(s) 3,406.52 MB free

------- Hidden Files in System Directory -------


Volume in drive C is HP_PAVILION
Volume Serial Number is 0D6D-0AD5
Directory of C:\WINDOWS\SYSTEM

TCAUDIAG GID 8,628 03-12-05 7:28p TCAUDIAG.GID
RATINGS POL 16,384 01-14-05 5:21p RATINGS.POL
HPF61D20 GID 8,628 03-04-04 5:46p HPF61d20.GID
HPF61H20 GID 8,628 11-20-02 3:37p HPF61h20.GID
HPF61T20 GID 8,628 06-18-02 10:47p HPF61t20.GID
HPF61R20 GID 8,628 03-06-00 11:19p HPF61r20.GID
FOLDER HTT 13,122 11-09-99 1:13p folder.htt
DESKTOP INI 266 11-09-99 1:13p desktop.ini
8 file(s) 72,912 bytes
0 dir(s) 3,406.52 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{9D15D0F3-96A8-4118-02DA-0AE0360FC0B8}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
adicap.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
syndmail.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
meiosd16.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
ratings.pol Fri Jan 14 2005 5:21:30p ...HR 16,384 16.00 K
mtnp32.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
cfyptui.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
hifreadr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
ix1xdd.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
myprint.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
pvtorerc.dll Wed Mar 9 2005 12:13:42a ..S.R 227,104 221.78 K
insclass.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
tcaudiag.gid Sat Mar 12 2005 7:28:38p A..H. 8,628 8.43 K
mtxmlr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
dzdref8.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
hjfecp20.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
pec_sdk.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
drimg401.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
rvcrtp.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
mvvcr71.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K
xvilexr.dll Thu Mar 17 2005 9:57:06p ..S.R 227,104 221.78 K

20 items found: 20 files, 0 directories.
Total of file sizes: 4,112,884 bytes 3.92 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.518: TROJ_QOOLOGIC.A
C:\WINDOWS\aaeaec.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\Installer\Release\Installer.pdb
C:\WINDOWS\installer.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\aahah.dll: excl_urls=heavy.com,onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,cdn.comcast.net,us.i1.yimg.com,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,altfarm.mediaplex.com,mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,adv.eblocs.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,as-us.falkag.net,falkag.net,z1.adserver.com,a1.yimg.com,a.as-us.falkag.net,yimg.com,trafficmp.com,us.a1.yimg.com,ads.exitexchange.com,aaabesthomepage.com,pan-advert.com,clicktrk.com,t.trafficmp.com,loadingwebsite.com,ezula.com,server.iad.liveperson.net,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,oz.valueclick.com,counters.honesty.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,count.exitexchange.com,xanga.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,amch.questionmarket.com,allaboutsearching.com,newupdates.lzio.com,akapp.whenu.com,cfg.mywebsearch.com,ads.delfinproject.com,searcheffect.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,jcontent.bns1.net,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,webpdp.gator.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,bannerfarm.ace.advertising.com,jbns2.cydoor.com,look2me.com,as.adwave.com,popuppers.com,wisapidata.weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,adserv1.gruvmedia.com,cdn.icq.com,banners.pennyweb.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,comcast.net,filter.belkin.com,clickit.go2net.com,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,aim-charts.pf.aol.com,microsoft.com,target.com,yahoo.com,aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,ekmas.com,affiliates.4lowrates.com,creativeby.viewpoint.com,couponage.com,c5.zedo.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,clickserve.cc-dt.com,popups.ad-logics.com,host239.ipowerweb.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,ad.doubleclick.net,as.casalemedia.com,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,sandboxer.com,a.websponsors.com,click2.containsitall.com,media.fastclick.net,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\VSAPI32.DLL: ASPACK EXE
C:\WINDOWS\VSAPI32.DLL: ASPACK2 EXE
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.04
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.03
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.02b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08.01
C:\WINDOWS\VSAPI32.DLL: ASPack 1.08
C:\WINDOWS\VSAPI32.DLL: ASPack 1.07b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.61
C:\WINDOWS\VSAPI32.DLL: ASPack 1.05b
C:\WINDOWS\VSAPI32.DLL: ASPack 1.03
C:\WINDOWS\VSAPI32.DLL: ASPack 1.02
C:\WINDOWS\VSAPI32.DLL: ASPack 1.01
C:\WINDOWS\VSAPI32.DLL: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"POINTER"="point32.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec Core LC"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe start"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"TCASUTIEXE"="TCAUDIAG.EXE -off"
"KavSvc"="C:\\WINDOWS\\rrmrmz.exe"
"sixtysix"="C:\\WINDOWS\\SIXTYPOPSIX.exe"
"nsvcin"="C:\\WINDOWS\\N20050308.EXE"

Logfile of HijackThis v1.99.1
Scan saved at 11:21:44 AM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RRMRMZ.EXE
C:\WINDOWS\N20050308.EXE
C:\PROGRAM FILES\ICQ\NDETECT.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROTEK\SCANWIZARD 5\SCANNERFINDER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\MY SOFTWARE\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrmrmz.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\SIXTYPOPSIX.exe
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\N20050308.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Startup: ddpd.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {33C9CD44-1EB4-41BC-BDAE-67200C31CC01} - http://supportservic...ages/msncfg.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - https://supportservi...ool/MailCfg.cab
O16 - DPF: {94418D7F-29BF-460F-8614-DEFB34871FA4} () - https://secure3.true.../TrueConfig.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.co...p-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_1002245.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = 702com.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.239.0.75,216.239.0.76
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP