Hijackthis log [RESOLVED]


This topic is locked

#106
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I have never heard of the program, and there isn't much information out on it. Do you have a web site for it?

Excal


#107
Sk0rch
    Member
  • Topic Starter
  • 335 posts
OK, the O18 protocols: there were like 76 of them. I checked them and clicked Fix checked, and then I did the scan again and they were still there. I checked them all again, but no luck.

AboutBuster 5.0 reference file 31
Scan started on [8/22/2005] at [8:37:32 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:38:08 PM


Logfile of HijackThis v1.99.1
Scan saved at 8:45:40 PM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PD - {EC3DAB87-C8C9-49A4-BEEB-B631A4B5EFF3} - C:\Program Files\Pop up Blocker\pd.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096169702640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124393047008
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.c.../ymmapi_416.dll
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bw+0s - (no CLSID) - (no file)
O18 - Protocol: bw-0 - (no CLSID) - (no file)
O18 - Protocol: bw-0s - (no CLSID) - (no file)
O18 - Protocol: bw00 - (no CLSID) - (no file)
O18 - Protocol: bw00s - (no CLSID) - (no file)
O18 - Protocol: bw10 - (no CLSID) - (no file)
O18 - Protocol: bw10s - (no CLSID) - (no file)
O18 - Protocol: bw20 - (no CLSID) - (no file)
O18 - Protocol: bw20s - (no CLSID) - (no file)
O18 - Protocol: bw30 - (no CLSID) - (no file)
O18 - Protocol: bw30s - (no CLSID) - (no file)
O18 - Protocol: bw40 - (no CLSID) - (no file)
O18 - Protocol: bw40s - (no CLSID) - (no file)
O18 - Protocol: bw50 - (no CLSID) - (no file)
O18 - Protocol: bw50s - (no CLSID) - (no file)
O18 - Protocol: bw60 - (no CLSID) - (no file)
O18 - Protocol: bw60s - (no CLSID) - (no file)
O18 - Protocol: bw70 - (no CLSID) - (no file)
O18 - Protocol: bw70s - (no CLSID) - (no file)
O18 - Protocol: bw80 - (no CLSID) - (no file)
O18 - Protocol: bw80s - (no CLSID) - (no file)
O18 - Protocol: bw90 - (no CLSID) - (no file)
O18 - Protocol: bw90s - (no CLSID) - (no file)
O18 - Protocol: bwa0 - (no CLSID) - (no file)
O18 - Protocol: bwa0s - (no CLSID) - (no file)
O18 - Protocol: bwb0 - (no CLSID) - (no file)
O18 - Protocol: bwb0s - (no CLSID) - (no file)
O18 - Protocol: bwc0 - (no CLSID) - (no file)
O18 - Protocol: bwc0s - (no CLSID) - (no file)
O18 - Protocol: bwd0 - (no CLSID) - (no file)
O18 - Protocol: bwd0s - (no CLSID) - (no file)
O18 - Protocol: bwe0 - (no CLSID) - (no file)
O18 - Protocol: bwe0s - (no CLSID) - (no file)
O18 - Protocol: bwf0 - (no CLSID) - (no file)
O18 - Protocol: bwf0s - (no CLSID) - (no file)
O18 - Protocol: bwg0 - (no CLSID) - (no file)
O18 - Protocol: bwg0s - (no CLSID) - (no file)
O18 - Protocol: bwh0 - (no CLSID) - (no file)
O18 - Protocol: bwh0s - (no CLSID) - (no file)
O18 - Protocol: bwi0 - (no CLSID) - (no file)
O18 - Protocol: bwi0s - (no CLSID) - (no file)
O18 - Protocol: bwj0 - (no CLSID) - (no file)
O18 - Protocol: bwj0s - (no CLSID) - (no file)
O18 - Protocol: bwk0 - (no CLSID) - (no file)
O18 - Protocol: bwk0s - (no CLSID) - (no file)
O18 - Protocol: bwl0 - (no CLSID) - (no file)
O18 - Protocol: bwl0s - (no CLSID) - (no file)
O18 - Protocol: bwm0 - (no CLSID) - (no file)
O18 - Protocol: bwm0s - (no CLSID) - (no file)
O18 - Protocol: bwn0 - (no CLSID) - (no file)
O18 - Protocol: bwn0s - (no CLSID) - (no file)
O18 - Protocol: bwo0 - (no CLSID) - (no file)
O18 - Protocol: bwo0s - (no CLSID) - (no file)
O18 - Protocol: bwp0 - (no CLSID) - (no file)
O18 - Protocol: bwp0s - (no CLSID) - (no file)
O18 - Protocol: bwq0 - (no CLSID) - (no file)
O18 - Protocol: bwq0s - (no CLSID) - (no file)
O18 - Protocol: bwr0 - (no CLSID) - (no file)
O18 - Protocol: bwr0s - (no CLSID) - (no file)
O18 - Protocol: bws0 - (no CLSID) - (no file)
O18 - Protocol: bws0s - (no CLSID) - (no file)
O18 - Protocol: bwt0 - (no CLSID) - (no file)
O18 - Protocol: bwt0s - (no CLSID) - (no file)
O18 - Protocol: bwu0 - (no CLSID) - (no file)
O18 - Protocol: bwu0s - (no CLSID) - (no file)
O18 - Protocol: bwv0 - (no CLSID) - (no file)
O18 - Protocol: bwv0s - (no CLSID) - (no file)
O18 - Protocol: bww0 - (no CLSID) - (no file)
O18 - Protocol: bww0s - (no CLSID) - (no file)
O18 - Protocol: bwx0 - (no CLSID) - (no file)
O18 - Protocol: bwx0s - (no CLSID) - (no file)
O18 - Protocol: bwy0 - (no CLSID) - (no file)
O18 - Protocol: bwy0s - (no CLSID) - (no file)
O18 - Protocol: bwz0 - (no CLSID) - (no file)
O18 - Protocol: bwz0s - (no CLSID) - (no file)
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

The good news is I am pretty sure I haven't had a popup today. I think it has been ever since we found that hidden netdde.exe in the system32 folder. It is still in my Recycle Bin; do you want me to empty it?

EDIT: Nvm, I think I already emptied it lol.

Edited by Sk0rch, 22 August 2005 - 07:47 PM.


#108
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Did you uninstall the logitech desktop messenger?


Excal

#109
Sk0rch
    Member
  • Topic Starter
  • 335 posts
Yeah, I just googled PCX files or whatever and somehow I downloaded ImageWalker; pretty sure this is the website: http://www.imagewalker.com/

And I went to Control Panel and removed Logitech, but it is still there. Also, I haven't had a popup all day :tazz:.

#110
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
It was definitely that file keeping it alive.

Make sure you have ewido off, and try to check off those O18s in Safe Mode.

:tazz:

Excal

#111
Sk0rch
    Member
  • Topic Starter
  • 335 posts
Which file? The hidden netdde.exe? Yeah, that's what I think too. What do you think could have put it there?

Do you want me to have ewido off while I check off the O18s, or have it off in general? Because it finds a lot of malicious things with that infect alert.

Edited by Sk0rch, 22 August 2005 - 11:24 PM.


#112
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Have it off!! It will protect the entries.


Excal

#113
Sk0rch
    Member
  • Topic Starter
  • 335 posts
I know, but I was asking whether that's just during Safe Mode while I do the HijackThis log, or just having it off whenever I'm on, in other words, deleting it? Anyway, I'll do that tomorrow evening; I have the first day of school starting in less than 7 hours. Grrrrrrr :[. Oh well, at least it is the last year.

#114
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Good luck with school! Just have it off when you're fixing those HijackThis entries :tazz:


Excal

#115
Sk0rch
    Member
  • Topic Starter
  • 335 posts
The popups didn't go away. I thought it was the poker programs, but now I think it is not, because I deleted every single poker program I have and the popups are still there. OK, there were some about:blanks and R1s and R0s too, and I checked off those and all the O18s. The O18s are back, and the about:blanks will be soon too, probably. Here is the HijackThis log I just did. Can I ask what the O16s, O12s and O23s are?

Logfile of HijackThis v1.99.1
Scan saved at 5:44:55 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\program files\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096169702640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124393047008
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.c.../ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DF65C0F-7292-4D21-8937-D46BD8F1A1E7}: NameServer = 206.141.192.60 206.141.193.55
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bw+0s - (no CLSID) - (no file)
O18 - Protocol: bw-0 - (no CLSID) - (no file)
O18 - Protocol: bw-0s - (no CLSID) - (no file)
O18 - Protocol: bw00 - (no CLSID) - (no file)
O18 - Protocol: bw00s - (no CLSID) - (no file)
O18 - Protocol: bw10 - (no CLSID) - (no file)
O18 - Protocol: bw10s - (no CLSID) - (no file)
O18 - Protocol: bw20 - (no CLSID) - (no file)
O18 - Protocol: bw20s - (no CLSID) - (no file)
O18 - Protocol: bw30 - (no CLSID) - (no file)
O18 - Protocol: bw30s - (no CLSID) - (no file)
O18 - Protocol: bw40 - (no CLSID) - (no file)
O18 - Protocol: bw40s - (no CLSID) - (no file)
O18 - Protocol: bw50 - (no CLSID) - (no file)
O18 - Protocol: bw50s - (no CLSID) - (no file)
O18 - Protocol: bw60 - (no CLSID) - (no file)
O18 - Protocol: bw60s - (no CLSID) - (no file)
O18 - Protocol: bw70 - (no CLSID) - (no file)
O18 - Protocol: bw70s - (no CLSID) - (no file)
O18 - Protocol: bw80 - (no CLSID) - (no file)
O18 - Protocol: bw80s - (no CLSID) - (no file)
O18 - Protocol: bw90 - (no CLSID) - (no file)
O18 - Protocol: bw90s - (no CLSID) - (no file)
O18 - Protocol: bwa0 - (no CLSID) - (no file)
O18 - Protocol: bwa0s - (no CLSID) - (no file)
O18 - Protocol: bwb0 - (no CLSID) - (no file)
O18 - Protocol: bwb0s - (no CLSID) - (no file)
O18 - Protocol: bwc0 - (no CLSID) - (no file)
O18 - Protocol: bwc0s - (no CLSID) - (no file)
O18 - Protocol: bwd0 - (no CLSID) - (no file)
O18 - Protocol: bwd0s - (no CLSID) - (no file)
O18 - Protocol: bwe0 - (no CLSID) - (no file)
O18 - Protocol: bwe0s - (no CLSID) - (no file)
O18 - Protocol: bwf0 - (no CLSID) - (no file)
O18 - Protocol: bwf0s - (no CLSID) - (no file)
O18 - Protocol: bwg0 - (no CLSID) - (no file)
O18 - Protocol: bwg0s - (no CLSID) - (no file)
O18 - Protocol: bwh0 - (no CLSID) - (no file)
O18 - Protocol: bwh0s - (no CLSID) - (no file)
O18 - Protocol: bwi0 - (no CLSID) - (no file)
O18 - Protocol: bwi0s - (no CLSID) - (no file)
O18 - Protocol: bwj0 - (no CLSID) - (no file)
O18 - Protocol: bwj0s - (no CLSID) - (no file)
O18 - Protocol: bwk0 - (no CLSID) - (no file)
O18 - Protocol: bwk0s - (no CLSID) - (no file)
O18 - Protocol: bwl0 - (no CLSID) - (no file)
O18 - Protocol: bwl0s - (no CLSID) - (no file)
O18 - Protocol: bwm0 - (no CLSID) - (no file)
O18 - Protocol: bwm0s - (no CLSID) - (no file)
O18 - Protocol: bwn0 - (no CLSID) - (no file)
O18 - Protocol: bwn0s - (no CLSID) - (no file)
O18 - Protocol: bwo0 - (no CLSID) - (no file)
O18 - Protocol: bwo0s - (no CLSID) - (no file)
O18 - Protocol: bwp0 - (no CLSID) - (no file)
O18 - Protocol: bwp0s - (no CLSID) - (no file)
O18 - Protocol: bwq0 - (no CLSID) - (no file)
O18 - Protocol: bwq0s - (no CLSID) - (no file)
O18 - Protocol: bwr0 - (no CLSID) - (no file)
O18 - Protocol: bwr0s - (no CLSID) - (no file)
O18 - Protocol: bws0 - (no CLSID) - (no file)
O18 - Protocol: bws0s - (no CLSID) - (no file)
O18 - Protocol: bwt0 - (no CLSID) - (no file)
O18 - Protocol: bwt0s - (no CLSID) - (no file)
O18 - Protocol: bwu0 - (no CLSID) - (no file)
O18 - Protocol: bwu0s - (no CLSID) - (no file)
O18 - Protocol: bwv0 - (no CLSID) - (no file)
O18 - Protocol: bwv0s - (no CLSID) - (no file)
O18 - Protocol: bww0 - (no CLSID) - (no file)
O18 - Protocol: bww0s - (no CLSID) - (no file)
O18 - Protocol: bwx0 - (no CLSID) - (no file)
O18 - Protocol: bwx0s - (no CLSID) - (no file)
O18 - Protocol: bwy0 - (no CLSID) - (no file)
O18 - Protocol: bwy0s - (no CLSID) - (no file)
O18 - Protocol: bwz0 - (no CLSID) - (no file)
O18 - Protocol: bwz0s - (no CLSID) - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


#116
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

"can I ask what the O16's O12's and O23's are?"

The O16s are ActiveX installers, and they are all legit.

That O12 is the Adobe Internet Explorer plugin.

The O23s are non-Microsoft services, and they are both legit.

I am stumped with the about:buster popups!

Let me do some more research....ack!

:tazz:

Excal
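Excal's answer gives the meaning of those sections. As an added example (my code, not HijackThis code and not from this thread), here is a small Python parser for the HijackThis 1.99.1 log format posted above that pulls out the entries this thread keeps coming back to: O18 protocol handlers with no CLSID and no file, R0/R1 pages set to about:blank, the DNS servers in the O17 line, and O23 services HijackThis could not attribute to a vendor. The sample log is constructed to mirror the logs in this thread (paths and URLs shortened); the R1 about:blank line and the "example" handler are made up so every check has something to find.

```python
"""Pull the entries worth a second look out of a HijackThis 1.99.1 log.

Added example, not code from HijackThis or from this thread. The sample log
below is constructed to follow the format of the logs posted above (paths
and URLs shortened; the R1 about:blank line and the 'example' handler are
made up so each check has something to find).
"""
import re

# Constructed sample in HijackThis 1.99.1 log format.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:44:55 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096169702640
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DF65C0F-7292-4D21-8937-D46BD8F1A1E7}: NameServer = 206.141.192.60 206.141.193.55
O18 - Protocol: bw+0 - (no CLSID) - (no file)
O18 - Protocol: bw+0s - (no CLSID) - (no file)
O18 - Protocol: example - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every log entry is "<section> - <body>", e.g. "O18 - Protocol: bw+0 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(text):
    """Return (section, body) pairs for every R/F/N/O line; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def dangling_protocols(entries):
    """O18 protocol handlers that resolve to no CLSID and no file on disk.

    Such stubs cannot run anything by themselves; the thread shows them
    coming back after being fixed, so something still running re-creates
    them, and that something is what to look for.
    """
    names = []
    for section, body in entries:
        if section == "O18" and "(no CLSID)" in body and "(no file)" in body:
            names.append(body.split(" - ")[0].replace("Protocol: ", "", 1))
    return names


def about_blank_pages(entries):
    """R0/R1 start, search or default pages set to about:blank."""
    return [body for section, body in entries
            if section in ("R0", "R1") and body.lower().endswith("about:blank")]


def name_servers(entries):
    """DNS servers from O17 lines; confirm they belong to the ISP, a rogue pair here redirects every lookup."""
    servers = []
    for section, body in entries:
        if section == "O17" and "NameServer" in body:
            servers.extend(IPV4_RE.findall(body.split("NameServer", 1)[1]))
    return servers


def unknown_owner_services(entries):
    """O23 services HijackThis could not attribute to a vendor."""
    return [body.split(" - ")[0].replace("Service: ", "", 1)
            for section, body in entries
            if section == "O23" and "Unknown owner" in body]


def summarize(text):
    """One dict with everything a helper would ask about first."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "dangling_o18": dangling_protocols(entries),
        "about_blank": about_blank_pages(entries),
        "name_servers": name_servers(entries),
        "unknown_owner_services": unknown_owner_services(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved log with `summarize(open("hijackthis.log").read())`. The O17 check is the one most often skipped by hand: the NameServer value is the DNS the machine actually uses, and if it is not the ISP's pair every lookup on the box goes through someone else's resolver.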

#117
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

Also I'd like to see the values in a registry key..

Please download and install Registrar Lite. Run reglite and paste this line into the address box:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs

Click on 'Go', then highlight AboutURLs in the right pane. Click File >> Export and save the export in a convenient place. Then, locate the file, Right-click >> Edit, and paste the contents of the file here for me to see.
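What that export is for: Internet Explorer resolves about: pages (about:blank included) through the AboutURLs key, so a hijacker that rewrites the "blank" value gets its own page shown every time the browser opens about:blank. As an added example (my code, not from Registrar Lite, HijackThis or this thread), here is a Python check that parses a REGEDIT4 export like the one requested and compares it with the stock Windows XP SP2 values. The sample export is constructed, with the "blank" value tampered and one extra value added so the check has something to report.

```python
"""Check an exported AboutURLs key for about: page hijacks.

Added example, not Registrar Lite's or HijackThis's code and not from the
thread. It parses a REGEDIT4 export like the one Excal asks for and compares
it with the stock Windows XP SP2 values. The sample export is constructed,
with the "blank" value tampered and one extra value added so the check has
something to report.
"""
import re

ABOUTURLS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs"

# Stock XP SP2 contents (these match the clean export posted later in the
# thread). IE resolves about:<name> through this key, so a rewritten "blank"
# is shown every time the browser opens about:blank.
STOCK_ABOUTURLS = {
    "NavigationFailure": "res://shdoclc.dll/navcancl.htm",
    "DesktopItemNavigationFailure": "res://shdoclc.dll/navcancl.htm",
    "NavigationCanceled": "res://shdoclc.dll/navcancl.htm",
    "OfflineInformation": "res://shdoclc.dll/offcancl.htm",
    "Home": 0x10E,
    "blank": "res://mshtml.dll/blank.htm",
    "PostNotCached": "res://mshtml.dll/repost.htm",
}

# Constructed export (REGEDIT4 doubles backslashes inside string data).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"NavigationFailure"="res://shdoclc.dll/navcancl.htm"
"DesktopItemNavigationFailure"="res://shdoclc.dll/navcancl.htm"
"NavigationCanceled"="res://shdoclc.dll/navcancl.htm"
"OfflineInformation"="res://shdoclc.dll/offcancl.htm"
"Home"=dword:0000010e
"blank"="file://C:\\WINDOWS\\example.html"
"PostNotCached"="res://mshtml.dll/repost.htm"
"extra"="http://example.invalid/"
"""

# "name"=data, where the name may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def unescape(s):
    # .reg string escaping: \" for a quote, \\ for a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_data(data):
    """String, dword or deletion marker; anything else (hex(...) binaries) is left raw."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data == "-":
        return None  # "name"=- deletes the value when the file is merged
    return data


def parse_reg_export(text):
    """Return {key path: {value name: data}} for a REGEDIT4 / Registry Editor export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape(m.group("name"))] = decode_data(m.group("data"))
    return keys


def check_abouturls(export_text):
    """Return (value name, data, reason) for every value that differs from stock; empty means clean."""
    values = parse_reg_export(export_text).get(ABOUTURLS_KEY, {})
    findings = []
    for name, data in values.items():
        if name not in STOCK_ABOUTURLS:
            findings.append((name, data, "not a stock about: page"))
        elif data != STOCK_ABOUTURLS[name]:
            findings.append((name, data, "changed from stock %r" % (STOCK_ABOUTURLS[name],)))
    for name in sorted(STOCK_ABOUTURLS.keys() - values.keys()):
        findings.append((name, None, "stock value missing"))
    return findings


if __name__ == "__main__":
    for name, data, reason in check_abouturls(SAMPLE_EXPORT):
        print(f"{name!r}: {data!r} ({reason})")
```

Point it at the real file with `check_abouturls(open("exports.reg").read())`. The comparison is against the whole value, so a "blank" that still starts with res:// but names a DLL other than mshtml.dll is reported just the same as a file:// or http:// redirect.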

#118
Sk0rch
    Member
  • Topic Starter
  • 335 posts
I cannot edit exports.reg: "This file does not have a program associated with it for performing this action."

#119
Sk0rch
    Member
  • Topic Starter
  • 335 posts
Not sure I was supposed to do this, but I changed exports.reg to exports.txt. Here is what was in Notepad.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"NavigationFailure"="res://shdoclc.dll/navcancl.htm"
"DesktopItemNavigationFailure"="res://shdoclc.dll/navcancl.htm"
"NavigationCanceled"="res://shdoclc.dll/navcancl.htm"
"OfflineInformation"="res://shdoclc.dll/offcancl.htm"
"Home"=dword:0000010e
"blank"="res://mshtml.dll/blank.htm"
"PostNotCached"="res://mshtml.dll/repost.htm"

And here is the log for the Rootkit thing.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 8/28/2005 10:59 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 6/30/2004 3:35 PM 64 bytes Windows API length not consistent with raw hive data.
C:\Documents and Settings\Owner\Desktop\exports.reg 8/28/2005 11:02 AM 420 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Desktop\Registrar Lite.lnk 8/28/2005 11:01 AM 1.52 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Desktop\reglite.exe 8/28/2005 11:01 AM 1.99 MB Hidden from Windows API.
C:\Documents and Settings\Owner\Desktop\WinsockXPFix-1.exe 8/28/2005 11:07 AM 1.35 MB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Desktop\WinsockXPFix.exe 8/28/2005 11:07 AM 1.35 MB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-1\728x90_motorolalove30k_alt.swf 8/28/2005 11:05 AM 29.61 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\plugtmp-1\free_poleflyer_xxxx_336x280.swf 8/28/2005 10:58 AM 30.92 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA 8/28/2005 11:07 AM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\DELXP.reg 8/28/2005 11:07 AM 172 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\ERDNT.E_E 8/28/2005 11:07 AM 23.03 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\ERDNTDOS.LOC 8/28/2005 11:07 AM 2.54 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\ERDNTDOS.OVL 8/28/2005 11:07 AM 18.21 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\ERDNTWIN.LOC 8/28/2005 11:07 AM 2.94 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\ERDNTWIN.OVL 8/28/2005 11:07 AM 198.50 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\ERUNT.exe 8/28/2005 11:07 AM 203.50 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\ERUNT.LOC 8/28/2005 11:07 AM 4.00 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\Hosts 8/28/2005 11:07 AM 736 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\xpwinsock.reg 8/28/2005 11:07 AM 10.84 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\VBDATA\xpwinsock2.reg 8/28/2005 11:07 AM 110.18 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5248.tmp 8/28/2005 11:07 AM 16.00 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Owner\Recent\exports.txt.lnk 8/28/2005 11:03 AM 541 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Start Menu\Programs\Registrar Lite 8/28/2005 11:01 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Start Menu\Programs\Registrar Lite\Help.lnk 8/28/2005 11:01 AM 1.53 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Start Menu\Programs\Registrar Lite\Registrar Lite.lnk 8/28/2005 11:01 AM 679 bytes Hidden from Windows API.
C:\Program Files\Registrar Lite 8/28/2005 11:01 AM 0 bytes Hidden from Windows API.
C:\Program Files\Registrar Lite\default.ini 10/12/2000 7:13 AM 83.49 KB Hidden from Windows API.
C:\Program Files\Registrar Lite\file_id.diz 8/6/2002 7:07 PM 417 bytes Hidden from Windows API.
C:\Program Files\Registrar Lite\INSTALL.LOG 8/28/2005 11:01 AM 2.76 KB Hidden from Windows API.
C:\Program Files\Registrar Lite\readme.txt 8/2/2002 10:06 AM 971 bytes Hidden from Windows API.
C:\Program Files\Registrar Lite\rl.chm 8/7/2002 7:29 PM 1.07 MB Hidden from Windows API.
C:\Program Files\Registrar Lite\rl.exe 8/11/2002 7:55 PM 1.94 MB Hidden from Windows API.
C:\Program Files\Registrar Lite\rrsec.dll 2/17/2002 2:23 PM 110.00 KB Hidden from Windows API.
C:\Program Files\Registrar Lite\rrSec2k.exe 10/12/2000 7:13 AM 88.04 KB Hidden from Windows API.
C:\Program Files\Registrar Lite\UNWISE.EXE 5/24/2001 12:59 PM 158.50 KB Hidden from Windows API.
C:\Program Files\Registrar Lite\UNWISE.INI 8/28/2005 11:01 AM 0 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\IPCONFIG.EXE-05D7908C.pf 8/28/2005 11:07 AM 20.84 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\NETSH.EXE-23AED181.pf 8/28/2005 11:07 AM 24.85 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf 8/28/2005 11:07 AM 14.87 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\RL.EXE-0CBA5D4F.pf 8/28/2005 11:02 AM 21.90 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\WINSOCKXPFIX-1.EXE-24E4C753.pf 8/28/2005 11:07 AM 16.57 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\resetlog.txt 8/28/2005 11:07 AM 9.17 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\system32\comionc.dll 9/25/2004 11:28 PM 56.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\etc\hosts.bak 6/24/2004 3:17 AM 734 bytes Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Temp\Perflib_Perfdata_f14.dat 8/28/2005 11:07 AM 16.00 KB Visible in directory index, but not Windows API or MFT.
D: 0 bytes Error mounting volume
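The RootkitRevealer log above lists every place where the tool's two views of the machine (the Windows API versus the raw disk and raw hive) disagree, and most of those lines carry a timestamp from inside the scan itself. As an added example (my code, not RootkitRevealer's and not from the thread), here is a Python triage that parses that line format and sorts entries into known-benign, scan-time transients, volumes the scanner could not read, and the ones to actually look at. The sample lines are constructed in the same format; the scan window and the rules are my assumptions, and "review" means look at it, not that it is malicious.

```python
"""Triage a RootkitRevealer log: scanner-induced noise versus discrepancies to look at.

Added example, not RootkitRevealer's code and not from the thread. The sample
lines are constructed in RootkitRevealer's text format; the scan window and
the rules are my assumptions, and "review" means look at it, not that it is
malicious.
"""
import re
from datetime import datetime

# Constructed sample lines (path, timestamp, size, discrepancy).
SAMPLE_RKR = r"""HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 8/28/2005 10:59 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 6/30/2004 3:35 PM 64 bytes Windows API length not consistent with raw hive data.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF1234.tmp 8/28/2005 11:07 AM 16.00 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\NOTEPAD.EXE-12345678.pf 8/28/2005 11:07 AM 14.87 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\system32\example.dll 9/25/2004 11:28 PM 56.00 KB Hidden from Windows API.
D: 0 bytes Error mounting volume
"""

# Assumed scan window for the sample: when the scan started and when it finished.
SCAN_WINDOW = (datetime(2005, 8, 28, 10, 55), datetime(2005, 8, 28, 11, 10))

STAMPED_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<stamp>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)"
    r"\s+(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+(?P<kind>.+)$")
UNSTAMPED_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+(?P<kind>.+)$")

# Sysinternals documents the RNG seed mismatch as expected: the value is
# rewritten constantly, so the API view and the raw hive never agree.
KNOWN_BENIGN = {r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"}


def parse_rkr(text):
    """Return dicts with path, stamp (datetime or None), size and kind for each log line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STAMPED_RE.match(line) or UNSTAMPED_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        stamp = d.get("stamp")
        d["stamp"] = datetime.strptime(" ".join(stamp.split()), "%m/%d/%Y %I:%M %p") if stamp else None
        entries.append(d)
    return entries


def classify(entry, scan_start, scan_end):
    """benign / error / transient / review for one discrepancy."""
    if entry["path"] in KNOWN_BENIGN:
        return "benign"
    if entry["kind"].startswith("Error mounting volume"):
        return "error"  # a volume the scanner could not read at all, not a hidden object
    stamp = entry["stamp"]
    if stamp is not None and scan_start <= stamp <= scan_end:
        # Created or deleted while the scan ran (temp files, prefetch, a tool
        # installed mid-scan): the two views were simply taken at different
        # moments. Re-run with nothing else open; a real hidden file keeps its
        # old timestamp and shows up again.
        return "transient"
    # Old object that the API and raw views disagree on: a file hidden from
    # the API, or a load point such as AppInit_DLLs whose raw data is longer
    # than the API reports. This is what a rootkit would look like; check it.
    return "review"


def triage(text, scan_start, scan_end):
    """Group paths by classification, preserving log order."""
    groups = {"benign": [], "error": [], "transient": [], "review": []}
    for entry in parse_rkr(text):
        groups[classify(entry, scan_start, scan_end)].append(entry["path"])
    return groups


def demo():
    return triage(SAMPLE_RKR, *SCAN_WINDOW)


if __name__ == "__main__":
    for group, paths in demo().items():
        print(group)
        for path in paths:
            print("   ", path)
```

For a real log, pass the wall-clock start and end of the scan as the window; the "transient" bucket only makes sense if it is tight. Anything left under "review" deserves a second scan from a quiet system before drawing conclusions, since the first run here had Registrar Lite being installed and a Winsock fix running in the middle of it.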

#120
Excal
    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme5.reg (make sure that Save as Type is set to "All Files") on your Desktop. Ensure there is no space at or above REGEDIT4.


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window_Placement"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"ITBarLayout"=-



Locate fixme5.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Reboot and let me know.


Thanks,

:tazz:

Excal