Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

HiJack This log (inqwire popups) [RESOLVED]

Started by newtoforum , Jun 22 2005 11:34 AM

This topic is locked

#46
newtoforum

Posted 14 July 2005 - 10:36 PM

Member

Topic Starter
Member
32 posts

Hi Excal,
I haven't been able to burn the CD yet, and won't be able to until later this weekend. I'm taking my nephew to the San Diego Comic-Con for the next few days. I'll post when I get back.
Thanks for all your help!

#47
Excal

Posted 14 July 2005 - 10:39 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

No problem at all, I will leave the topic open. Thanks for letting me know. Have a good and safe trip

Excal

#48
newtoforum

Posted 17 July 2005 - 10:53 PM

Member

Topic Starter
Member
32 posts

Hi Excal,
Thanks for you help and patience.
Was able to get a boot disk made finally!

Here is the rk files log:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\IEAccess2.dll: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\Unwash5.exe: UPX!
Finished
bye

Here is the FindIt log:

------- System Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

IGM32 DLL 227,104 06-26-05 10:03p IGM32.DLL
MVISAM11 DLL 227,104 06-26-05 10:03p MVISAM11.DLL
IUMUI DLL 227,104 06-26-05 10:03p IUMUI.DLL
RIPILIB DLL 227,104 06-26-05 10:03p RIPILIB.DLL
RQX DLL 227,104 06-26-05 10:03p Rqx.dll
5 file(s) 1,135,520 bytes
0 dir(s) 20,237.84 MB free

------- Hidden Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 1,006 07-17-05 8:14p vsconfig.xml
ZLLICTBL DAT 4,212 05-30-05 7:01a zllictbl.dat
HPF72H06 GID 8,628 10-20-04 6:52p HPF72h06.GID
HPF72T06 GID 8,628 10-20-04 6:51p HPF72t06.GID
LOG0 TXT 5,709 04-06-04 9:03p log0.txt
LOGBAK~1 TXT 29,416 04-06-04 9:03p log.bak.txt
LOG1 TXT 10,365 04-06-04 9:27a log1.txt
FIZ0 218 04-06-04 9:01a fiz0
LOG2 TXT 13,407 04-06-04 9:01a log2.txt
RATINGS POL 8,192 12-22-03 7:56p RATINGS.POL
HPF72D06 GID 8,628 11-21-03 6:14a HPF72d06.GID
DESKTOP INI 271 06-21-00 10:21a desktop.ini
FOLDER HTT 23,155 06-21-00 10:21a folder.htt
13 file(s) 121,835 bytes
0 dir(s) 20,237.81 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Sun Jul 17 2005 8:14:08p A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K
igm32.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
mvisam11.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
iumui.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
ripilib.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K
rqx.dll Sun Jun 26 2005 10:03:56p ..S.R 227,104 221.78 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,140,738 bytes 1.09 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Thanks

#49
Excal

Posted 17 July 2005 - 11:07 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Please run Killbox.

Select "Delete on Reboot".
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM\ripilib.dll
C:\WINDOWS\SYSTEM\guard.tmp
C:\WINDOWS\SYSTEM\igm32.dll
C:\WINDOWS\SYSTEM\mvisam11.dll
C:\WINDOWS\SYSTEM\iumui.dll
C:\WINDOWS\SYSTEM\rqx.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Let the system reboot.

Please post a fresh findit log

#50
newtoforum

Posted 17 July 2005 - 11:34 PM

Member

Topic Starter
Member
32 posts

Thanks again Excal, here's the latest FindIt log:

------- System Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

20,266.72 MB free

------- Hidden Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 0EC4-50EC
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 1,006 07-17-05 10:22p vsconfig.xml
ZLLICTBL DAT 4,212 05-30-05 7:01a zllictbl.dat
HPF72H06 GID 8,628 10-20-04 6:52p HPF72h06.GID
HPF72T06 GID 8,628 10-20-04 6:51p HPF72t06.GID
LOG0 TXT 5,709 04-06-04 9:03p log0.txt
LOGBAK~1 TXT 29,416 04-06-04 9:03p log.bak.txt
LOG1 TXT 10,365 04-06-04 9:27a log1.txt
FIZ0 218 04-06-04 9:01a fiz0
LOG2 TXT 13,407 04-06-04 9:01a log2.txt
RATINGS POL 8,192 12-22-03 7:56p RATINGS.POL
HPF72D06 GID 8,628 11-21-03 6:14a HPF72d06.GID
DESKTOP INI 271 06-21-00 10:21a desktop.ini
FOLDER HTT 23,155 06-21-00 10:21a folder.htt
13 file(s) 121,835 bytes
0 dir(s) 20,266.69 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Sun Jul 17 2005 10:22:34p A..H. 1,006 0.98 K
zllictbl.dat Mon May 30 2005 7:01:08a ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 5,218 bytes 5.09 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\hosts: 127.0.0.1 www.qoologic.com

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#51
Excal

Posted 18 July 2005 - 09:18 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Please Download the following tools to assist us in removing this infection!

Download WinPFind
- Right Click the Zip Folder and Select "Extract All"
- Extract it somewhere you will remember like the Desktop
- Dont do anything with it yet!
Download Track qoo
- Save it somewhere you will remember like the Desktop

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#52
newtoforum

Posted 19 July 2005 - 11:24 AM

Member

Topic Starter
Member
32 posts

The link for Track Goo isn't working for me. Even though I'm logged in, I get the error message:

Sorry, but you do not have permission to use this feature. If you are not logged in, you may do so using the form below if available

#53
Excal

Posted 19 July 2005 - 11:58 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

I attached it to this post.

Thanks,

:tazz:

Excal

#54
newtoforum

Posted 19 July 2005 - 12:06 PM

Member

Topic Starter
Member
32 posts

Thank You! I'll post the logs tonight.

#55
Excal

Posted 19 July 2005 - 12:17 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Sounds good :tazz:

Excal

#56
newtoforum

Posted 20 July 2005 - 09:16 AM

Member

Topic Starter
Member
32 posts

Hi Excal,
Here are the files:

WinPFind:
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
UPX! 7/17/2005 8:25:38 PM 521 C:\log.txt
UPX! 7/17/2005 8:19:38 PM 39 C:\win.txt
UPX! 7/17/2005 8:24:44 PM 30 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
SAHAgent 7/20/2005 8:00:22 AM 3833888 C:\WINDOWS\SYSTEM.DAT
qoologic 7/16/2005 8:27:38 PM 1217 C:\WINDOWS\hosts
urllogic 7/16/2005 8:27:38 PM 1217 C:\WINDOWS\hosts
urllogic 7/16/2005 8:27:38 PM 1217 C:\WINDOWS\hosts
UPX! 9/11/2003 5:00:06 AM 45056 C:\WINDOWS\Unwash5.exe

Checking %System% folder...
PTech 11/9/1999 3:55:54 PM 88571 C:\WINDOWS\system\MDACRDME.HTM
UPX! 9/27/2002 5:05:24 PM 74752 C:\WINDOWS\system\IEAccess2.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/20/2005 7:58:56 AM 6463520 CLASSES.DAT
7/20/2005 8:00:22 AM 3833888 SYSTEM.DAT
7/20/2005 8:01:32 AM 1609760 USER.DAT
7/3/2005 8:59:58 AM 54156 QTFont.qfn
7/19/2005 6:54:40 AM 32731 ttfCache
7/20/2005 7:58:48 AM 831218 ShellIconCache
7/20/2005 7:57:56 AM 6 SA.DAT
7/20/2005 8:00:18 AM 61250 HelpSessionHistory.stream
7/20/2005 7:58:16 AM 1006 vsconfig.xml
5/30/2005 7:01:08 AM 4212 zllictbl.dat
7/2/2005 10:21:26 PM 2352 Desktop.htt
6/9/2005 9:04:22 AM 67 desktop.ini
6/9/2005 9:04:24 AM 67 desktop.ini
6/9/2005 9:11:08 AM 67 desktop.ini
6/9/2005 9:11:12 AM 67 desktop.ini
6/9/2005 9:11:18 AM 67 desktop.ini
6/9/2005 9:11:20 AM 67 desktop.ini
6/9/2005 9:04:24 AM 113 desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/3/2005 7:04:12 AM 532 C:\WINDOWS\Start Menu\Programs\StartUp\Acrobat Assistant.lnk
4/3/2005 7:04:12 AM 527 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.exe.lnk
4/3/2005 7:04:14 AM 527 C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
4/3/2005 7:04:14 AM 470 C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
4/3/2005 7:04:14 AM 560 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk

Checking files in %USERPROFILE%\Application Data folder...
7/17/2005 9:07:06 PM 6703 C:\WINDOWS\Application Data\dw.log

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\{08FB80A6-F0D2-0BFA-15F8-D2966C2977FA}
=

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\Program Files\GlobalSCAPE\CuteFTP\Cuteshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
PCHealth C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
OEMRUNONCE c:\windows\options\cabs\oemrun.exe
Promon.exe Promon.exe
GWMDMMSG GWMDMMSG.exe
GWMDMpi C:\WINDOWS\GWMDMpi.exe
Hot Key Kbd 9910 Daemon SK9910DM.EXE
Keyboard Preload Check C:\OEMDRVRS\KEYB\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Gateway Ink Monitor C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
tgcmd "C:\Program Files\Support.com\bin\tgcmd.exe" /server
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz nwiz.exe /install
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
HPDJ Taskbar Utility C:\WINDOWS\SYSTEM\hpztsb10.exe
HP Component Manager "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
HP Software Update C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SUNASDTSERV C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe

sunasServ C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
CreateCD50 C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mozilla Quick Launch "C:\PROGRA~1\NETSCAPE\NETSCA~2\NETSCP.EXE" -turbo

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.

TrackGoo:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"Promon.exe"="Promon.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Gateway Ink Monitor"="C:\\Program Files\\Gateway\\Gateway Ink Monitor\\InkMonitor.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb10.exe"
"HP Component Manager"="\"C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SUNASDTSERV"="C:\\PROGRAM FILES\\SUNBELT SOFTWARE\\COUNTERSPY CLIENT\\SUNASDTSERV.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"CreateCD50"="C:\\PROGRA~1\\COMMON~1\\ADAPTE~1\\CREATECD\\CREATE~1.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- WinRAR

Subkey --- CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c}
C:\Program Files\GlobalSCAPE\CuteFTP\Cuteshell.dll

Subkey --- StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467}
C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\SYSTEM\DOCPROP2.DLL

==============================
C:\WINDOWS\All Users\Start Menu\Programs\StartUp

==============================
C:\WINDOWS\Start Menu\Programs\StartUp

Adobe Gamma Loader.exe.lnk
Acrobat Assistant.lnk
Adobe Gamma Loader.lnk
Encoder Agent.lnk
Microsoft Office.lnk
==============================
C:\WINDOWS\SYSTEM cpl files

APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
WUAUCPL.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
AutoDisk.cpl Iomega Corp.
NVTUICPL.CPL NVIDIA Corporation
ACCESS.CPL Microsoft Corporation
THEMES.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
PROSETP.CPL Intel Corporation
FINDFAST.CPL Microsoft Corporation
Adobe Gamma.cpl Adobe Systems, Inc.
QTW32.CPL Apple Computer, Inc.
JOY.CPL Microsoft Corporation
plugincpl131_02.cpl Sun Microsystems
plugincpl140_01.cpl Sun Microsystems
jpicpl32.cpl Sun Microsystems, Inc.

Thanks!

#57
Excal

Posted 20 July 2005 - 09:35 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Been so long since I seen your HiJackThis log...l had to look back to see what Operating System you had!

Run this online virus scan: ActiveScan - Save the results from the scan!

Please post a fresh HiJackthis log and the results from the active scan

How is your computer running?

Thanks,

:tazz:

TOm

#58
newtoforum

Posted 20 July 2005 - 10:27 AM

Member

Topic Starter
Member
32 posts

Hi Excal,
My computer is running much better, faster to start up and no pop-ups (other than those on sites I know are safe)! I'll have to run the scan tonight, and post the details then.
Thanks so much.

#59
Excal

Posted 20 July 2005 - 10:31 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Ok, see you then :tazz:

Tom

#60
newtoforum

Posted 21 July 2005 - 12:12 PM

Member

Topic Starter
Member
32 posts

Hi Excal,
I had problems when trying to scan my whole computer, Activescan seemed to freeze (I tried twice). I just finished scanning drive C. I'll scan my other drive later. Here's the report on Drive C:

Incident Status Location

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\BIINI.INF
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\JDVAPRXY.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NORSPL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NJWRSZHT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SAFOLDER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\JHT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MPJTES40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Szace.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CNRDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IXM32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SJC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\HWINK.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGSYSTEM.DLL
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Adware:Adware/Qdown No disinfected C:\WINDOWS\Downloaded Program Files\QDow.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\mm15201518.Stub.exe