hijacked by webbuying please help [Resolved]
Started by marcw, Oct 12 2007 01:44 PM
#1
Posted 12 October 2007 - 01:44 PM
#2
Posted 13 October 2007 - 07:35 AM
Hello marcw
Welcome to G2Go.
* Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
To do this:
Open HijackThis
*click Config
*click Misc Tools
*Click "Open Uninstall Manager"
*Click "Save List" (generates uninstall_list.txt)
*Click Save
copy and paste the results in your next post as well as a hijackthis log.
#3
Posted 13 October 2007 - 06:11 PM
I can't do anything. The moment I start up my computer, I start getting errors that Explorer needs to shut down and restart, so my desktop fades in and out. If I try to open HijackThis or even Notepad, I get messages that those programs generated errors and need to shut down. I think I can only work in safe mode.
#4
Posted 13 October 2007 - 06:25 PM
Please do it from safe mode (if possible).
#5
Posted 13 October 2007 - 06:37 PM
The moment I try to run HijackThis (even in safe mode) I get a message that it generated an error and needs to shut down.
Is there any utility that I can use that will get the computer working again, at least for a short time?
#6
Posted 13 October 2007 - 06:39 PM
Try this please: RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
- Save it to the desktop.
- Run Silent Runners by doubleclicking the "Silent Runners" icon on your desktop.
- You will receive a prompt:
- Do you want to skip supplementary searches?
click NO
- If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
- You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
- Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
#7
Posted 13 October 2007 - 07:26 PM
When I try to open the log, it opens for about 2 seconds before I get a message that Notepad has generated errors and needs to shut down.
#8
Posted 13 October 2007 - 07:32 PM
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"RMC" = ""C:\Program Files\Reuters\RMC\\RunRM.exe"" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SoundFusion" = "RunDll32 cwcprops.cpl,CrystalControlWnd" [MS]
"TCASUTIEXE" = "TCAUDIAG -off" [file not found]
"Adaptec DirectCD" = "C:\PROGRA~1\Adaptec\DirectCD\directcd.exe" ["Adaptec"]
"HPAIO_PrintFolderMgr" = "C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe" [file not found]
"QuickTime Task" = "C:\WINNT\System32\qttask.exe" [file not found]
"LoadQM" = "loadqm.exe" [MS]
"WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"uprom" = ""C:\Program Files\Upromise__RemindU\UpromiseRemindUv.exe"" [null data]
"explorer" = "C:\Documents and Settings\jonathan levene\Desktop\winstall.exe" [file not found]
"Matrox Powerdesk" = "C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch" ["Matrox Graphics Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"PCTAVApp" = ""C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN" ["PC Tools Research Pty Ltd"]
"ntdll.dll" = "C:\WINNT\avp.exe" ["MskSoftStudy Corp."]
"avp" = "C:\WINNT\avp.exe" ["MskSoftStudy Corp."]
"smgr" = "mgrs.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\(Default) = (no title provided)
\StubPath = "C:\WINNT\System32\qiawpbjj.exe" ["Microsoft"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00A6FAF1-072E-44cf-8957-5838F569A31D}\(Default) = "MyWebSearch Search Assistant BHO"
-> {HKLM...CLSID} = "MyWebSearch Search Assistant BHO"
\InProcServer32\(Default) = "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL" ["MyWebSearch.com"]
{026B5895-3E8E-49A9-8EEE-B52A326DA962}\(Default) = "ð%…"
-> {HKLM...CLSID} = "qiawpbjj.msdn_hlp"
\InProcServer32\(Default) = "C:\WINNT\System32\qiawpbjj.dll" ["Microsoft"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2EA1D9E5-24DD-4057-8B3C-9337201E4F51}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\hope4444.dll" [null data]
{69481415-2cf2-4865-83a6-07e971f3fd4d}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\System32\iwcwcnd.dll" [null data]
{75ABD04B-A2C9-4BA0-E5B0-50B98917A8DE}\(Default) = "0"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\labutu.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{B4E7CAAB-6535-4243-99BD-F12350B584A2}\(Default) = "Google Search Assistant"
-> {HKLM...CLSID} = "Google Search Assistant"
\InProcServer32\(Default) = "C:\WINNT\System32\gln.dll" ["Google Inc."]
{EE7C331C-E79D-4631-A4B9-26E642115302}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\hope83122.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {HKLM...CLSID} = "Adaptec Directcd Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{4A741382-48B4-11d2-AD84-00A024D24BF3}" = "Matrox PowerDesk Properties"
-> {HKLM...CLSID} = "Matrox PowerDesk Properties"
\InProcServer32\(Default) = "C:\WINNT\System32\PDesk\PDPAGES.DLL" ["Matrox Graphics Inc."]
"{282E8AE5-A8E3-412D-B40C-F5080832FFE0}" = "HtBt"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\System32\HtBt.dll" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{178D4E6A-BA5A-4ECB-8521-F7B8393FDB97}" = "`é…"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\System32\khfghig.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINNT\system32\userinit.exe,C:\WINNT\System32\ntos.exe," [MS], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dcbabaceacdafcdb\DLLName = "C:\WINNT\System32\dcbabaceacdafcdb.dll" [null data]
<<!>> khfghig\DLLName = "khfghig.dll" [null data]
<<!>> __c00A268C\DLLName = "C:\WINNT\System32\__c00A268C.dat" [null data]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PCTAVShellExtension\(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
-> {HKLM...CLSID} = "PCTAVShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\PC Tools AntiVirus\PCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZipItFast!\(Default) = "{00000001-0001-0001-0001-000000000019}"
-> {HKLM...CLSID} = "ZipItFast! - Add to archive..."
\InProcServer32\(Default) = "c:\zipitfast2\zShellAd.dll" ["MicroSmarts Enterprise"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PCTAVShellExtension\(Default) = "{AEEAEC2D-7EE9-4C66-937C-80BF8B03FD54}"
-> {HKLM...CLSID} = "PCTAVShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\PC Tools AntiVirus\PCTAVShellExtension.dll" ["PC Tools Research Pty Ltd"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZipItFast!\(Default) = "{00000001-0001-0001-0001-000000000019}"
-> {HKLM...CLSID} = "ZipItFast! - Add to archive..."
\InProcServer32\(Default) = "c:\zipitfast2\zShellAd.dll" ["MicroSmarts Enterprise"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZipItFast!\(Default) = "{00000001-0001-0001-0001-000000000019}"
-> {HKLM...CLSID} = "ZipItFast! - Add to archive..."
\InProcServer32\(Default) = "c:\zipitfast2\zShellAd.dll" ["MicroSmarts Enterprise"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|System|Logon/Logoff|
Remove Task Manager}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\default.htm"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"
Active Desktop web content (hidden if disabled):
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"
Startup items in "administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HPAiODevice" -> shortcut to: "C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe -DeviceID 989418253" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll ["PC Tools Research Pty Ltd."], 01 - 15, 31
%SystemRoot%\system32\msafd.dll [MS], 16 - 18, 21 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 19 - 20
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKCU\Software\Microsoft\Internet Explorer\Extensions\
{B48798CE-A2E0-4918-BC00-0F72FBA708E2}\
"ButtonText" = "RemindU"
"Script" = "file://C:\Documents and Settings\Administrator\Application Data\Upromise__RemindU\uprot\uproC5.htm" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{00A6FAF6-072E-44cf-8957-5838F569A31D}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL" ["MyWebSearch.com"]
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "LCU" = hex:0x471169B3
<<H>> "GFC" = "6tgiD7pWsvrbf8b6cSjEuraahmUwwjoZ7xFjpGQ3Ns96vl6BnUQLoRGwbRfgq9u0ol8tD8ODajs
49tizUx/nCH+6VIEBuNFz5fcTYYV8VcoptKJeVkZGbYqHol5Hfyc0ZWSkv19iYSYmW8Ck5rlWpl2MxbjteczG/+pSETbf68bsUCgjis+lM6nqpc0EbqCkVKRse+wbZve1cgVouwr3Vv0BYsEVhBS02pmGLVOo1h2x0tVuX
auN45eNXacN6mg7dzKf9IgQ3/9nygZjXodJ1YRvkEIjX10cB42f54thw5xHuMIBbxefCpJ1C38meniVjq1V5Rs+r4RRseAlQunaQdQiiG
tC0Ukz8Nj06Kyeq5wY17E/XQeJaTuunXngLu4DjjHieC81xNj8vYk/oAuFUmJsK6G9VXi0d6+b/0j/4fGHNPQQNHl8HsTt/aCCUPTYN2DN/URj+thH7tAaxpXglXKRBvN546jzL5fad58lL/3SebCrpegkHaGWj1oyCfPtxJJ4ZU0x6cZlzZ1aHQkoEoMQ8pp7vSO05XO6BAh2i9uKjk9njvmyeUPMDv
yVGqSs4IybHGZ9Rd0KZ4UxmKP2Gn0lkmjRmvbhKtym6o1bs5xIfvPG45c+J0+Bcdb+4BOlLWv/VHj/Cflk3tKhtxnGpW34RsQcUbtHxgrO18sZLZFW/ZYqh+H9rsxImkFdA8gH82Hw1gmWVC19FcdxXCxclNSW4GoiqMOf9HCfnIThNzHLcBWgKJEORvwjdFwiY
RRc1UMTLPJiXZN2W43v78xLVJ3/3lsNBkGeNVT6/lw2+q5ZQYRx+R91S77tSfjvGgbTWtaXdklYH4J8/FZdK0L7z3hnk2rIKFEewFRmFJeHLMZ4A/6EwLQKHnrvT2sD71c4M9bXLBLByunlF5p1H55RYt5sGpyfS7Flw/tz5VUlduS1uzRlUDgLFccPqw8Qh0ipk3+aB3nAPDCsdnMf5+18shcJlNw/LL72Ip2U565RWVMuv2PFoHMRHI9nQBJ3FO1sgfS4YxZbTcjyzDxVn1Hx/wEVyZVBeX3LxOjvkBxS9ZlkhNuZ4hFOTUz/R5stb1HGBSd3wnlZY5OSK6TeQUlbn8vOtVoWuo2nmh3fy6TwuCMQeTeneBSFF8s0V3UcWniNfMJ7WpNz
I44H/A981dfx5i7FvSYJCu0raJwOaNeXMMCT/9fu6bN83ciQ4Q6bJb9YqXoRF4GEeZx0IZykMq8QSGuDXFyYCGOZMQimINQQbY2211CdQ70Lkhp94XDvP
EGXbJ43aD8FeGBShb8ppZmiwAjeATj0vmla0D8yqESC1W65osNk3bpQRwWv4c1x4LAUSlbSUU1BnqFgA
1Msye1xyPOGY2VPK2qlroPNZQn3OpSNvQJGMe/s3PM6qKNGbd8MTX7+uE4YanL52pnrT7oAKkF7VFyPUT5zm7LDnpTRG2m3rG8fpI1yHi5fWFe89t7OLBK
FRDHdG3K5qihR8xLempIjvuUjKSTug7TpkImUIowVI8nESS3V0jy7N24BYD9Oxm26b4QyDz2OBlBq1VK
utJOa9vJtwHRsJoCT32qejknU3PF/N9q+ihVhnv4P/9LX6X+UOCS0TlaGnTec+DXHDImHBbpvtTS1dPNVZowtOLJw/LmSbz8jBOxnaNb2LSK9ieQ8LbPuNw2Tw4wH5SSRe+toVIYV5jLrNtqJysMNb3yALQ/hSNl68gGiJMea/tY3fzJG+WoAwrG1JdAvWgi4llGcUhiUUUU2QEed+RPINSlVF99qDcGh6qjxfvoVqabiK/gxVLrfjHAWyKq/CiofO1IffKOhJ4s25M+yycXOjgpp/VPyRkhN/iIc4I4Nlfk7cM53kKZoRKQBSs5zEaTDgHaBZkG94qaVuLYC6SsoW2Za17BoslriAxORFDjsnzoK0pWXJ
Fukv2lIokdlQzX1stWUDvVSOzgd5NnK+FM8m0bMZGy2c9O0Yb+b+ZUFzpfzFeGCuytrc9zxK3eA2drqq
gIxaN6/MC7TNlD3Ba5Fcq94FJRyohMGS6efFqw4tKf6x81viEcBqY3p/qn2Xs5dy25cmS2w2zDa6zss0+jWP8xf96TymU+iCbxcZaCZy+xhRvkBZocchDaTBiB60gHx72VRW5IJE
niOt0RJL9peqQ/Pdk/Xmm2uWGqUyKr9HwoeHJugSWEfZpe5mARIso9hWkIrat6bh6BS/+wKyrXnXCeY/W8UIl8kq5uy/YDvzr8vNrqDerBialiNJMcs4gBR6ilkCwlJF7Segw+4GV38utuHSdcgzZ5hFsSs59TtQyXxtRv9ih9lU
M7My0rRGlKE4axePRjoCLz5u20ZdJioBGgfxe+dXDKVhz2xMVooisDOKTPnO7TG7uROSAMYa/7n2wR/wfCmJux2zjhw2Jc8g4wO0GaoQ+zskcTYlK36mNAQwhGE23VT0fiDSm9W+aO6VgRk3wO12uNbS5rMA/3+jAoSK8nQUAihjNtSkT7Di/CUybhP7HykaoJ/oWcI6WnSOrKFmlhQ/hnH5OEosk/MSkSxn+djRc6jRG6SekfHUmlSVvUyVmgCC/aZwWqGuBLFjgGB/uT+0oYDLfNy2S0tJFTpzXbSZfQUUGP0THnrkIwnQ65WUYQs78PUzJIlqhEjOlvZEor6X3l63n0rA4zkz
8y9s5CWMWhrc//C+o1yQFnoUeQ1rSSrJtCBUHCmb84yQXJGpIa7Z5dIovoWQ7eciKtA1bCDop2WhZWYtZlW95EKm2CpNy5
RzSjZr23jd42O34eGunVg7V7ZaUwY2DPn/z/bwngc9Yr6jXSgv92nH652NdwZaJH2EJXpq+/Kl1HM3u55QzvxJT2cDpy8mLtWWeMQkAAwpVTHTaPT/XHhmyP/3i4MpWKl2AztqIz35jpfbeTYHftysSOK/6Qtpt6RaYNiLkmTOzDdSuLFsCgnZfYb66YF7lKir8dNIxtaysOC/ycdb3mRAhmXoq+jutJOL6oj2zx6x1VYQAnqduu7UBYqGvgJDMjFDrP3GR+JlxBLFG0eY1WC8Rc5lYAMA
h20c4Pz2esXYPjqoDIFzRhgd4ifKtAZogzayjSpNQiMdFRoSGGD4BnAOpEPtNJePdW0CmWrXgxyQ+I7f
aiHWhdKjRaMcW5bpnVf3KWHWwjPzWim5ZaP8ftaN6XDuErUHBHIejCk9K+3X4rlmiHYXF6QZ5lR2R8T8
+wB2W9pNJFAS3QgipSQaw9mrO6Tpyo+zck4DrQ6U2C+ioI8pt7J7StAn7+Uv3bIFEbSqnPKeSNhayG67
offaPpmiNPU6lnisL8zR69pymJqZ/rC63i0LmD4ovKv2mquUvG2022FCaOU9LTo4Mi8DuJENnNVGBra09Lciy40nkpeBGA5n9mrPcYF4yviXT
8AynGzk1DRUpC2AO2ShbfHR5AsULDgC18hJep3KMEyz3GDEwN9IpXREIKqeBanLqikqDUHcPLMz/kE8lIdRnGuSw6U6xmLOKBHDcSZ8T3FoNKHjZXx048CQaTa4gSHcNZ3ticGiFfz5/w6BcZzYTqwnNKoY6Y103xJprMf4IDzjw4OqcOLwQcXUEH4yH8XgygPR/v2baBN8QODEKtn39K2n30SYZ01dCH1lQb+srYXZgavPvpAMOee/sHyUc4/oH0YLKfjaxsOWnEtMNd9qRT9KWBIh44eRuya1gXwwrI5Be2G9w7KHeUPHInhZxb7RKe1HohmfWECeZ5A
6tNAAN14OzSMiu+RJZfsxMnOwA/D9d5imB3RhRUxk/KVq/0oIxGZ5Ww5VxRsrsR09JZVG33V2Q5dhiClejGV5YmqoLv1LycG76fXp+gCpU34Xxy8L2NMc+HyQvyxB+
5nLmALFudFG0Q3qEUbHzXRR2IFV" [file not found]
<<H>> "lk" = hex:0x47116D87
<<H>> "LPP" = hex:0x47116E52
<<H>> "LPS" = hex:0x47116D89
HOSTS file
----------
C:\WINNT\System32\drivers\etc\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
3Com DMI Agent, 3ComDMIService, "C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE" ["3Com Corporation"]
AutoShutdown, AutoShutdown, "C:\WINNT\System32\PSSVC.EXE" ["Dell Computer Corporation"]
MGABGEXE, MGABGEXE, "C:\WINNT\System32\mgabg.exe" ["Matrox Graphics Inc."]
Network Monitor, Network Monitor, "C:\Program Files\Network Monitor\netmon.exe service" [null data]
PC Tools AntiVirus Engine, PCTAVSvc, ""C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe"" ["PC Tools Research Pty Ltd"]
---------- (launch time: 2007-10-13 21:10:59)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 97 seconds.
---------- (total run time: 492 seconds)
yVGqSs4IybHGZ9Rd0KZ4UxmKP2Gn0lkmjRmvbhKtym6o1bs5xIfvPG45c+J0+Bcdb+4BOlLWv/VHj/Cflk3tKhtxnGpW34RsQcUbtHxgrO18sZLZFW/ZYqh+H9rsxImkFdA8gH82Hw1gmWVC19FcdxXCxclNSW4GoiqMOf9HCfnIThNzHLcBWgKJEORvwjdFwiY
RRc1UMTLPJiXZN2W43v78xLVJ3/3lsNBkGeNVT6/lw2+q5ZQYRx+R91S77tSfjvGgbTWtaXdklYH4J8/FZdK0L7z3hnk2rIKFEewFRmFJeHLMZ4A/6EwLQKHnrvT2sD71c4M9bXLBLByunlF5p1H55RYt5sGpyfS7Flw/tz5VUlduS1uzRlUDgLFccPqw8Qh0ipk3+aB3nAPDCsdnMf5+18shcJlNw/LL72Ip2U565RWVMuv2PFoHMRHI9nQBJ3FO1sgfS4YxZbTcjyzDxVn1Hx/wEVyZVBeX3LxOjvkBxS9ZlkhNuZ4hFOTUz/R5stb1HGBSd3wnlZY5OSK6TeQUlbn8vOtVoWuo2nmh3fy6TwuCMQeTeneBSFF8s0V3UcWniNfMJ7WpNz
I44H/A981dfx5i7FvSYJCu0raJwOaNeXMMCT/9fu6bN83ciQ4Q6bJb9YqXoRF4GEeZx0IZykMq8QSGuDXFyYCGOZMQimINQQbY2211CdQ70Lkhp94XDvP
EGXbJ43aD8FeGBShb8ppZmiwAjeATj0vmla0D8yqESC1W65osNk3bpQRwWv4c1x4LAUSlbSUU1BnqFgA
1Msye1xyPOGY2VPK2qlroPNZQn3OpSNvQJGMe/s3PM6qKNGbd8MTX7+uE4YanL52pnrT7oAKkF7VFyPUT5zm7LDnpTRG2m3rG8fpI1yHi5fWFe89t7OLBK
FRDHdG3K5qihR8xLempIjvuUjKSTug7TpkImUIowVI8nESS3V0jy7N24BYD9Oxm26b4QyDz2OBlBq1VK
utJOa9vJtwHRsJoCT32qejknU3PF/N9q+ihVhnv4P/9LX6X+UOCS0TlaGnTec+DXHDImHBbpvtTS1dPNVZowtOLJw/LmSbz8jBOxnaNb2LSK9ieQ8LbPuNw2Tw4wH5SSRe+toVIYV5jLrNtqJysMNb3yALQ/hSNl68gGiJMea/tY3fzJG+WoAwrG1JdAvWgi4llGcUhiUUUU2QEed+RPINSlVF99qDcGh6qjxfvoVqabiK/gxVLrfjHAWyKq/CiofO1IffKOhJ4s25M+yycXOjgpp/VPyRkhN/iIc4I4Nlfk7cM53kKZoRKQBSs5zEaTDgHaBZkG94qaVuLYC6SsoW2Za17BoslriAxORFDjsnzoK0pWXJ
Fukv2lIokdlQzX1stWUDvVSOzgd5NnK+FM8m0bMZGy2c9O0Yb+b+ZUFzpfzFeGCuytrc9zxK3eA2drqq
gIxaN6/MC7TNlD3Ba5Fcq94FJRyohMGS6efFqw4tKf6x81viEcBqY3p/qn2Xs5dy25cmS2w2zDa6zss0+jWP8xf96TymU+iCbxcZaCZy+xhRvkBZocchDaTBiB60gHx72VRW5IJE
niOt0RJL9peqQ/Pdk/Xmm2uWGqUyKr9HwoeHJugSWEfZpe5mARIso9hWkIrat6bh6BS/+wKyrXnXCeY/W8UIl8kq5uy/YDvzr8vNrqDerBialiNJMcs4gBR6ilkCwlJF7Segw+4GV38utuHSdcgzZ5hFsSs59TtQyXxtRv9ih9lU
M7My0rRGlKE4axePRjoCLz5u20ZdJioBGgfxe+dXDKVhz2xMVooisDOKTPnO7TG7uROSAMYa/7n2wR/wfCmJux2zjhw2Jc8g4wO0GaoQ+zskcTYlK36mNAQwhGE23VT0fiDSm9W+aO6VgRk3wO12uNbS5rMA/3+jAoSK8nQUAihjNtSkT7Di/CUybhP7HykaoJ/oWcI6WnSOrKFmlhQ/hnH5OEosk/MSkSxn+djRc6jRG6SekfHUmlSVvUyVmgCC/aZwWqGuBLFjgGB/uT+0oYDLfNy2S0tJFTpzXbSZfQUUGP0THnrkIwnQ65WUYQs78PUzJIlqhEjOlvZEor6X3l63n0rA4zkz
8y9s5CWMWhrc//C+o1yQFnoUeQ1rSSrJtCBUHCmb84yQXJGpIa7Z5dIovoWQ7eciKtA1bCDop2WhZWYtZlW95EKm2CpNy5
RzSjZr23jd42O34eGunVg7V7ZaUwY2DPn/z/bwngc9Yr6jXSgv92nH652NdwZaJH2EJXpq+/Kl1HM3u55QzvxJT2cDpy8mLtWWeMQkAAwpVTHTaPT/XHhmyP/3i4MpWKl2AztqIz35jpfbeTYHftysSOK/6Qtpt6RaYNiLkmTOzDdSuLFsCgnZfYb66YF7lKir8dNIxtaysOC/ycdb3mRAhmXoq+jutJOL6oj2zx6x1VYQAnqduu7UBYqGvgJDMjFDrP3GR+JlxBLFG0eY1WC8Rc5lYAMA
h20c4Pz2esXYPjqoDIFzRhgd4ifKtAZogzayjSpNQiMdFRoSGGD4BnAOpEPtNJePdW0CmWrXgxyQ+I7f
aiHWhdKjRaMcW5bpnVf3KWHWwjPzWim5ZaP8ftaN6XDuErUHBHIejCk9K+3X4rlmiHYXF6QZ5lR2R8T8
+wB2W9pNJFAS3QgipSQaw9mrO6Tpyo+zck4DrQ6U2C+ioI8pt7J7StAn7+Uv3bIFEbSqnPKeSNhayG67
offaPpmiNPU6lnisL8zR69pymJqZ/rC63i0LmD4ovKv2mquUvG2022FCaOU9LTo4Mi8DuJENnNVGBra09Lciy40nkpeBGA5n9mrPcYF4yviXT
8AynGzk1DRUpC2AO2ShbfHR5AsULDgC18hJep3KMEyz3GDEwN9IpXREIKqeBanLqikqDUHcPLMz/kE8lIdRnGuSw6U6xmLOKBHDcSZ8T3FoNKHjZXx048CQaTa4gSHcNZ3ticGiFfz5/w6BcZzYTqwnNKoY6Y103xJprMf4IDzjw4OqcOLwQcXUEH4yH8XgygPR/v2baBN8QODEKtn39K2n30SYZ01dCH1lQb+srYXZgavPvpAMOee/sHyUc4/oH0YLKfjaxsOWnEtMNd9qRT9KWBIh44eRuya1gXwwrI5Be2G9w7KHeUPHInhZxb7RKe1HohmfWECeZ5A
6tNAAN14OzSMiu+RJZfsxMnOwA/D9d5imB3RhRUxk/KVq/0oIxGZ5Ww5VxRsrsR09JZVG33V2Q5dhiClejGV5YmqoLv1LycG76fXp+gCpU34Xxy8L2NMc+HyQvyxB+
5nLmALFudFG0Q3qEUbHzXRR2IFV" [file not found]
<<H>> "lk" = hex:0x47116D87
<<H>> "LPP" = hex:0x47116E52
<<H>> "LPS" = hex:0x47116D89
HOSTS file
----------
C:\WINNT\System32\drivers\etc\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
3Com DMI Agent, 3ComDMIService, "C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE" ["3Com Corporation"]
AutoShutdown, AutoShutdown, "C:\WINNT\System32\PSSVC.EXE" ["Dell Computer Corporation"]
MGABGEXE, MGABGEXE, "C:\WINNT\System32\mgabg.exe" ["Matrox Graphics Inc."]
Network Monitor, Network Monitor, "C:\Program Files\Network Monitor\netmon.exe service" [null data]
PC Tools AntiVirus Engine, PCTAVSvc, ""C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe"" ["PC Tools Research Pty Ltd"]
---------- (launch time: 2007-10-13 21:10:59)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 97 seconds.
---------- (total run time: 492 seconds)
#9
Posted 13 October 2007 - 07:37 PM
Let's see if we can get some of what you have cleaned a bit with an online scanner.
I don't know if it will work but it's worth a try.
Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
- Go to http://support.f-sec.../home/ols.shtml
- Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
- Allow the Active X control to be installed on your computer, then click the Accept button
- Click Full System Scan and allow the components to download and the scan to complete.
- If malware is found, check Submit samples to F-Secure then select Automatic cleaning
- When the cleaning option is presented, Uncheck Submit samples to F-Secure
- Click Automatic cleaning
- When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
- Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
- This scan will only work with Internet Explorer
- You must have administrator rights to run this scan
- This scan can take several hours, so please be patient
#10
Posted 13 October 2007 - 08:05 PM
ran into a bit of a problem. now my computer is frozen. is it possible to do this while in dos?
Edited by marcw, 13 October 2007 - 08:07 PM.
#11
Posted 13 October 2007 - 08:10 PM
can you tell me how to regain access to the task manager (which is grayed out) while in dos? thanks for all your help
#12
Posted 13 October 2007 - 08:35 PM
Are you only able to run in DOS mode?
Are you still able to download anything?
#13
Posted 13 October 2007 - 08:40 PM
i seem to be able to work in netscape if that helps
#14
Posted 13 October 2007 - 08:50 PM
i can download stuff using netscape
#15
Posted 13 October 2007 - 08:57 PM
i figured out how to get the task manager back