Thanks...Kenneth
Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 05/06/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
»»»»» lagitamate file's can/will show in this section.
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
Cannot execute C:\DOCUME~1\KENNET~1.FRA\DESKTOP\FIND-IT'S\XFIND.COM
»»»»» Checking Windir\svcproc.exe and nail.exe.
svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is BC2E-F323
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is BC2E-F323
Directory of C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»».
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\aurora
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
Now here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:08:01 PM, on 5/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\BySoft FreeRAM\FreeRAM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Kenneth.FRANKIE\Desktop\Downloads\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\Program Files\BySoft FreeRAM\FreeRAM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://dar.armstrong...timage30717.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Should I run the Ewido Software scan? I am sure it will be a while before anyone posts back on this thread.
Kenneth