please help whenever you can


#1 underscore11 (New Member, 9 posts)

Basically, my internet connection has drastically slowed down and sometimes it doesn't even connect. I tried reinstalling Windows ME and the internet worked perfectly for that one day, then went back to its old habits. Anyway, I'm pretty new to this "HijackThis" stuff, but I would really appreciate it if someone helped me and analyzed my log. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 11:45:54 PM, on 8/7/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\GUITARFX V2.18\UNINSTALL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [sload] ""
O4 - HKLM\..\Run: [uninstall] C:\PROGRAM FILES\GUITARFX V2.18\uninstall.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [xload] ""
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuklc.mht!http://kazaalite.pl/...Bridge-c139.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
#2 Wizard (Retired Staff, 5,661 posts)

Hi underscore11 and Welcome to GeekstoGo!



Please Download the MWAV Scanner from Here

Unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update!

If it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded Successfully"

Please Press Enter to Continue!

It should open automatically. Leave the default settings ticked and add a tick by "Drives"; this will light up "All Drives". Place a tick by "All Files" and click "Scan Clean" to begin!

This scan may take several hours or more to complete, depending on the hard drive size!

Please be sure it is Completed before proceeding!

Once the scan has finished, all entries identified as infected will be displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it!

Post those results back here!

Once the MWAV scan is completed, download WinPFind from here:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [sload] ""

O4 - HKLM\..\Run: [uninstall] C:\PROGRAM FILES\GUITARFX V2.18\uninstall.exe

O4 - HKLM\..\Run: [xload] ""

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.sxload.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuklc.mht!http://kazaalite.pl/...Bridge-c139.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

From the WinPFind Folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete-> Look in the WinPFind folder and locate WinPFind.txt!


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.

Select the tab labeled Startup and put a Check by every box there!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart normally and have the PC scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with a fresh HijackThis log and the results of WinPFind-> MWAV and Panda!
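The entries the reply above asks the poster to tick can be picked out of a HijackThis log mechanically. The script below is an added example, not part of the original thread and not HijackThis's own logic: it applies a few hypothetical heuristics (an O4 Run value with no command, an uninstaller registered as a Run value, any O15 Trusted Zone addition, and an O16 ActiveX download that goes through an ms-its:mhtml: redirect) to a constructed subset of the log posted in the first message. The URLs are left exactly as the forum truncated them.

```python
"""Added example: triage a HijackThis v1.99-style log for the entry types
flagged in the reply above. The rules are this example's own heuristics,
not HijackThis's logic."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted above. URLs are kept
# exactly as the forum truncated them ("...").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sload] ""
O4 - HKLM\..\Run: [uninstall] C:\PROGRAM FILES\GUITARFX V2.18\uninstall.exe
O4 - HKLM\..\Run: [xload] ""
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuklc.mht!http://kazaalite.pl/...Bridge-c139.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
""".strip()

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$"
)


@dataclass
class Finding:
    kind: str    # HijackThis section: O4, O15 or O16
    name: str    # Run value name, zone pattern or CLSID
    line: str    # the original log line, ready to paste into a fix list
    reason: str


def exe_name(cmd: str) -> str:
    """Lower-cased file name of the program an O4 value launches ("" if none)."""
    cmd = cmd.strip().strip('"')
    if not cmd:
        return ""
    # Drop trailing switches such as " /autorun" before taking the basename.
    path = re.split(r"\s+[/-]", cmd, maxsplit=1)[0]
    return ntpath.basename(path).lower()


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would ask the poster to tick in HijackThis."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = exe_name(m["cmd"])
            if exe == "":
                findings.append(Finding("O4", m["name"], line,
                                        "Run value with no command: a dead loader stub"))
            elif exe == "uninstall.exe":
                findings.append(Finding("O4", m["name"], line,
                                        "an 'uninstaller' registered to run at every boot"))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", m["zone"], line,
                                    "site added to IE's Trusted Zone (relaxed security settings)"))
        elif m := O16_RE.match(line):
            if m["url"].lower().startswith("ms-its:mhtml:"):
                findings.append(Finding("O16", m["clsid"], line,
                                        "ActiveX download fetched through an ms-its:mhtml: redirect"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.name:<40} {f.reason}")
        print(f"     {f.line}")
```

Run as-is it prints the five lines the helper asked to have ticked; the MSN Messenger O16 entry passes because it is a plain HTTP CAB download. An O15 entry is flagged unconditionally because the Trusted Zone relaxes IE's ActiveX and scripting prompts for whatever site it lists, so anything there the user did not add deliberately is worth removing. The ms-its:mhtml:file://...!http:// form loads a remote CAB through a local MHTML redirect, which is the same pattern the scan report later in this thread flags as Exploit.HTML.Mht when it finds the string inside the saved log itself.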

#3 underscore11 (Topic Starter, New Member, 9 posts)

File C:\PROGRA~1\GUITAR~1.18\UNINST~1.EXE infected by "Trojan-Clicker.Win32.Delf.bn" Virus. Action Taken: File Deleted.
File C:\WINDOWS\ipinsigt.dll tagged as not-a-virus:AdWare.IPInsight.a. No Action Taken.
File C:\WINDOWS\Xbgstumx.dll tagged as not-a-virus:AdWare.SearchBand.a. No Action Taken.
File C:\WINDOWS\WindUp.exe infected by "Trojan-Downloader.Win32.WinAD.f" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\DSKTRF.DLL tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.b. No Action Taken.
File C:\WINDOWS\SYSTEM\2ndsrch.dll infected by "Trojan-Downloader.Win32.Agent.ja" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\SHAgentNew.dll tagged as not-a-virus:AdWare.Sahat.g. No Action Taken.
File C:\WINDOWS\SYSTEM\dsktrf1.dll tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.b. No Action Taken.
File C:\WINDOWS\SYSTEM\DSKTRF.DLL tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.b. No Action Taken.
File C:\WINDOWS\SYSTEM\SHAgentNew.dll tagged as not-a-virus:AdWare.Sahat.g. No Action Taken.
File C:\WINDOWS\SYSTEM\dsktrf1.dll tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.b. No Action Taken.
File C:\WINDOWS\Desktop\My Briefcase\hijackthis.log infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\WINDOWS\SYSTEM32\CD_CLINT.DLL tagged as not-a-virus:AdWare.Cydoor. No Action Taken.
File C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1e82d6b3-362e209b.zip infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\WINDOWS\setup\SHELL\14\Mozilla\Profiles\default\cerb0umw.slt\Cache\6BCD9B7Ed01 infected by "not-virus:BadJoke.Win32.Finger.b" Virus. Action Taken: File Renamed.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\xload.exe infected by "Trojan-Downloader.Win32.VB.kq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Downloaded Program Files\MediaPassX.dll tagged as not-a-virus:AdWare.WinAD.w. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\xload.exe infected by "Trojan-Downloader.Win32.VB.kq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\xload.exe infected by "Trojan-Downloader.Win32.VB.kq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Downloaded Program Files\xload.exe infected by "Trojan-Downloader.Win32.VB.kq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Downloaded Program Files\AdToolsX.dll tagged as not-a-virus:AdWare.WinAD.x. No Action Taken.
File C:\WINDOWS\ipinsigt.dll tagged as not-a-virus:AdWare.IPInsight.a. No Action Taken.
File C:\WINDOWS\Xbgstumx.dll tagged as not-a-virus:AdWare.SearchBand.a. No Action Taken.
File C:\WINDOWS.000\SYSTEM\HzTPLUG.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MoJTER35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\VoWWDM32.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\HsTPLUG.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\VmWWDM32.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\FlXLIB.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\ImFRARED.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MdLTUS35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\VgWWDM32.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MmJINT35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\VwWWDM32.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\wincore.dll tagged as not-a-virus:AdWare.Virtumonde.g. No Action Taken.
File C:\WINDOWS.000\SYSTEM\cidrules.dll tagged as not-a-virus:AdWare.Virtumonde.g. No Action Taken.
File C:\WINDOWS.000\SYSTEM\inetadpt.dll infected by "Trojan-Downloader.Win32.TargetSoft.b" Virus. Action Taken: File Deleted.
File C:\WINDOWS.000\SYSTEM\UoBUI.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\UpBUI.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MbRD2X35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\HtTPLUG.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\UiBUI.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MeJINT35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\HxTPLUG.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MhJINT35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\VxWWDM32.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MjLTUS35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MuJINT35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\VkWWDM32.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MnJINT35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MwTCP.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\McRD2X35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MnLTUS35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\UvBUI.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MwRD2X35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MfJINT35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\HwTPLUG.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\FeXLIB.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\UlBUI.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MmJTER35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\HjTPLUG.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\IxFRARED.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\UuBUI.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\CgFVIEW.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\VdWWDM32.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\ImSETUP.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\MbJINT35.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM32\GirlControlCom.dll tagged as not-a-virus:[bleep]-Downloader.Win32.StripPlayer. No Action Taken.
File C:\WINDOWS.000\Application Data\Mozilla\Profiles\default\caxz6qtj.slt\Cache\687B0DCCd01 infected by "Trojan-Downloader.JS.IstBar.x" Virus. Action Taken: File Deleted.
File C:\WINDOWS.000\Application Data\wa_inst.exe.tcf infected by "Trojan-Dropper.Win32.Small.fl" Virus. Action Taken: File Deleted.
File C:\WINDOWS.000\Downloaded Program Files\CelebrityRants19.exe.tcf infected by "Trojan-Downloader.Win32.Small.px" Virus. Action Taken: File Deleted.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\UHWOFHLA\cnbabeie[1].exe tagged as not-a-virus:AdWare.CommonName.b. No Action Taken.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\HDPDSXMA\Burn4Free_Setup[1].exe tagged as not-a-virus:AdWare.NavExcel.d. No Action Taken.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\HDPDSXMA\saveupdate[1].exe tagged as not-a-virus:AdWare.SaveNow.c. No Action Taken.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\58RTQ9LK\IeBHOs[1].dll tagged as not-a-virus:AdWare.ToolBar.BHO.h. No Action Taken.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\W1IJ8HUN\object[1].hta infected by "Trojan.JS.Seeker-based" Virus. Action Taken: File Deleted.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\2PCZOVEB\cdt_bbi8016[1].exe tagged as not-a-virus:AdWare.BargainBuddy.a. No Action Taken.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\2PCZOVEB\installer-SB[1].cab tagged as not-a-virus:AdWare.Mirar.a. No Action Taken.
File C:\WINDOWS.000\Temporary Internet Files\Content.IE5\KROXI5I9\sahagent-netthink1004[1].exe tagged as not-a-virus:AdWare.Sahat.z. No Action Taken.
File C:\WINDOWS.000\iconz.exe tagged as not-a-virus:AdWare.AdURL.c. No Action Taken.
File C:\WINDOWS.000\Profiles\stringsonfire\Application Data\Mozilla\Profiles\default\caxz6qtj.slt\Cache\687B0DCCd01 infected by "Trojan-Downloader.JS.IstBar.x" Virus. Action Taken: File Deleted.
File C:\WINDOWS.000\Profiles\stringsonfire\Application Data\wa_inst.exe.tcf infected by "Trojan-Dropper.Win32.Small.fl" Virus. Action Taken: File Deleted.
File C:\WINDOWS.000\NDNuninstall5_20.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS.000\NDNuninstall5_40.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS.000\cdt_bbi8016.exe tagged as not-a-virus:AdWare.BargainBuddy.a. No Action Taken.
File C:\WINDOWS.000\cnbabeie.exe tagged as not-a-virus:AdWare.CommonName.b. No Action Taken.
File C:\WINDOWS.000\NDNuninstall6_10.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS.000\NDNuninstall6_22.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\_RESTORE\TEMP\A0002091.CPY infected by "Trojan-Clicker.Win32.Delf.bn" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0002092.CPY infected by "Trojan-Downloader.Win32.WinAD.f" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0002093.CPY infected by "Trojan-Downloader.Win32.Agent.ja" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0002094.CPY infected by "Trojan-Downloader.Win32.TargetSoft.b" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0002097.CPY infected by "Trojan.JS.Seeker-based" Virus. Action Taken: File to be deleted on reboot.
File C:\Program Files\Accessories\Cache4\opr003ZX.htm infected by "Trojan.JS.Deme" Virus. Action Taken: File Deleted.
File C:\Program Files\Accessories\Cache4\opr00419.htm infected by "Trojan.JS.Deme" Virus. Action Taken: File Deleted.
File C:\Program Files\Accessories\Cache4\opr0041U.htm infected by "Trojan.JS.Deme" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\WinTools\WToolsA.exe tagged as not-a-virus:AdWare.Wintol.m. No Action Taken.
File C:\Program Files\Common Files\WinTools\WSup.exe tagged as not-a-virus:AdWare.Wintol.m. No Action Taken.
File C:\Program Files\Common Files\WinTools\BTIEIN.DLL.tcf infected by "Trojan-Downloader.Win32.QDown.h" Virus. Action Taken: File Deleted.
File C:\Program Files\Overnet\newdevin.exe tagged as not-a-virus:AdWare.BookedSpace.c. No Action Taken.
File C:\Program Files\Overnet\449166.exe tagged as not-a-virus:AdWare.Beginto.a. No Action Taken.
File C:\E2G\IEBHOS.DLL tagged as not-a-virus:AdWare.ToolBar.BHO.h. No Action Taken.
File C:\FILE0229.CHK tagged as not-a-virus:AdWare.F1Organizer.c. No Action Taken.
File C:\FILE0239.CHK tagged as not-a-virus:AdWare.Beginto.a. No Action Taken.
File C:\FILE0244.CHK infected by "Trojan-Dropper.Win32.Delf.av" Virus. Action Taken: File Deleted.
File C:\FILE0273.CHK tagged as not-a-virus:AdWare.BookedSpace.c. No Action Taken.
File C:\FILE0301.CHK infected by "Trojan.Win32.Golid" Virus. Action Taken: File Deleted.
File C:\FILE0305.CHK infected by "Trojan-Downloader.Win32.Skoob.c" Virus. Action Taken: File Deleted.
File C:\FILE0373.CHK infected by "Trojan-Dropper.Win32.Agent.og" Virus. Action Taken: File Deleted.
File C:\FILE0377.CHK infected by "Trojan-Downloader.Win32.Lalus" Virus. Action Taken: File Deleted.
File C:\FILE0378.CHK infected by "Trojan-Spy.Win32.Spung.a" Virus. Action Taken: File Deleted.
File C:\FILE0386.CHK tagged as not-a-virus:AdWare.SaveNow.g. No Action Taken.
File C:\FILE0390.CHK infected by "Trojan.Win32.TalkStocks.a" Virus. Action Taken: File Deleted.
File C:\FILE0392.CHK tagged as not-a-virus:AdWare.SafeSurfing.b. No Action Taken.
File C:\FILE0395.CHK infected by "Trojan-Downloader.Win32.MlFree" Virus. Action Taken: File Deleted.
File C:\FILE0397.CHK infected by "Trojan-Spy.Win32.Spung.b" Virus. Action Taken: File Deleted.
File C:\FILE0400.CHK infected by "Trojan-Downloader.Win32.WinFavorites" Virus. Action Taken: File Deleted.
File C:\FILE0452.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0453.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0454.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0455.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0456.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0457.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0458.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0459.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0460.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0461.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0462.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0463.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0464.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0465.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE0482.CHK tagged as not-a-virus:AdWare.180Solutions. No Action Taken.
File C:\FILE0488.CHK tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\FILE0490.CHK tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\FILE0501.CHK infected by "Trojan-Downloader.Win32.Small.en" Virus. Action Taken: File Deleted.
File C:\FILE0510.CHK tagged as not-a-virus:AdWare.ToolBar.FWN.a. No Action Taken.
File C:\FILE0511.CHK infected by "Trojan.Win32.TalkStocks.a" Virus. Action Taken: File Deleted.
File C:\FILE0907.CHK infected by "Trojan-Clicker.Win32.Delf.bn" Virus. Action Taken: File Deleted.
File C:\FILE0938.CHK infected by "Trojan-Downloader.Win32.Small.en" Virus. Action Taken: File Deleted.
File C:\FILE1162.CHK infected by "Trojan-Downloader.Win32.Agent.gh" Virus. Action Taken: File Deleted.
File C:\FILE1309.CHK infected by "Trojan-Downloader.Win32.IstBar.g" Virus. Action Taken: File Deleted.
File C:\FILE1377.CHK tagged as not-a-virus:AdWare.BiSpy.m. No Action Taken.
File C:\FILE1846.CHK infected by "not-virus:BadJoke.Win32.Finger.b" Virus. Action Taken: File Renamed.
File C:\FILE2004.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE2077.CHK infected by "Trojan-Downloader.Win32.VB.ka" Virus. Action Taken: File Deleted.
File C:\FILE2089.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE2090.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE2095.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE2108.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE2175.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE2208.CHK infected by "Trojan-Downloader.Win32.Swizzor.e" Virus. Action Taken: File Deleted.
File C:\FILE2281.CHK tagged as not-a-virus:PSWTool.Win32.Brutus. No Action Taken.
File C:\FILE2503.CHK tagged as not-a-virus:Dialer.Win32.DialerOffline. No Action Taken.
File C:\FILE2798.CHK infected by "Trojan-Downloader.Win32.Agent.cp" Virus. Action Taken: File Deleted.
File C:\FILE2809.CHK infected by "Trojan-Downloader.Win32.Lookme.a" Virus. Action Taken: File Deleted.
File C:\FILE3310.CHK infected by "Trojan-Downloader.Win32.QDown.f" Virus. Action Taken: File Deleted.
File C:\FILE3539.CHK infected by "Trojan.Win32.TalkStocks.b" Virus. Action Taken: File Deleted.

UPX!
FSG!
PEC2
PECompact2
Umonitor
qoologic
aspack
PTech
urllogic
ad-beh
ad-behNior.com
sYVLLSAKY
_rtneg3
SAHAgent
buddy.exe
ZepMon
aurora.exe
;2x(V]@BMD
Tlji7Mk
urllogic
KavSvc
69.59.186.63
209.66.67.134
66.63.167.97
66.63.167.77
abetterinternet.com
8B!7F\(T
testpopup
web-nex
yourkey
winsync
rec2_run
WinShutDown
ad-w-a-r-e.com


Logfile of HijackThis v1.99.1
Scan saved at 2:25:29 PM, on 8/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab


P.S. I couldn't do the online Panda scan because my internet hardly ever connects, and when it does it's very slow.
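The report above is long enough that the useful facts (what was actually deleted, what was merely tagged and left in place, and where the files live) get lost in the noise. The script below is an added example, not part of the thread and not MWAV's code: it parses the two line formats the report uses and summarises them. The ten sample lines are a constructed subset copied from the report above; the grouping heuristics (files left on disk, per-directory counts, labels that also sit in the C:\_RESTORE archive) are this example's own.

```python
"""Added example: summarise an MWAV scan report like the one posted above,
separating what the scanner deleted from what it only tagged and left on
disk. The two line formats are taken from the report itself; the grouping
logic is this example's own, not MWAV's."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: ten lines copied from the report posted above.
SAMPLE_REPORT = r"""
File C:\PROGRA~1\GUITAR~1.18\UNINST~1.EXE infected by "Trojan-Clicker.Win32.Delf.bn" Virus. Action Taken: File Deleted.
File C:\WINDOWS\ipinsigt.dll tagged as not-a-virus:AdWare.IPInsight.a. No Action Taken.
File C:\WINDOWS\SYSTEM\2ndsrch.dll infected by "Trojan-Downloader.Win32.Agent.ja" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Desktop\My Briefcase\hijackthis.log infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\WINDOWS.000\SYSTEM\HzTPLUG.DLL tagged as not-a-virus:AdWare.Look2Me.i. No Action Taken.
File C:\WINDOWS.000\SYSTEM\inetadpt.dll infected by "Trojan-Downloader.Win32.TargetSoft.b" Virus. Action Taken: File Deleted.
File C:\_RESTORE\TEMP\A0002091.CPY infected by "Trojan-Clicker.Win32.Delf.bn" Virus. Action Taken: File to be deleted on reboot.
File C:\FILE0301.CHK infected by "Trojan.Win32.Golid" Virus. Action Taken: File Deleted.
File C:\FILE0482.CHK tagged as not-a-virus:AdWare.180Solutions. No Action Taken.
File C:\Program Files\Common Files\WinTools\WToolsA.exe tagged as not-a-virus:AdWare.Wintol.m. No Action Taken.
""".strip()

INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<label>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.$'
)
TAGGED_RE = re.compile(
    r"^File (?P<path>.+?) tagged as (?P<label>not-a-virus:\S+?)\. (?P<action>No Action Taken)\.$"
)


@dataclass
class Detection:
    path: str
    label: str     # scanner's classification string
    action: str    # File Deleted / File Renamed / File to be deleted on reboot / No Action Taken
    malware: bool  # True for "infected by", False for "tagged as not-a-virus"


def parse_mwav(report: str) -> list[Detection]:
    """Parse the per-file lines; anything else (e.g. the trailing strings dump) is skipped."""
    found: list[Detection] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            found.append(Detection(m["path"], m["label"], m["action"], True))
        elif m := TAGGED_RE.match(line):
            found.append(Detection(m["path"], m["label"], m["action"], False))
    return found


def action_counts(dets: list[Detection]) -> Counter:
    """How many files received each action."""
    return Counter(d.action for d in dets)


def leftover_adware(dets: list[Detection]) -> list[str]:
    """Files MWAV only tagged: still on disk, so they form the manual cleanup list."""
    return [d.path for d in dets if not d.malware]


def top_dir(path: str) -> str:
    """'C:\\WINDOWS.000' for 'C:\\WINDOWS.000\\SYSTEM\\x.dll'; 'C:\\' for a file in the root."""
    parts = path.split("\\")
    return parts[0] + "\\" + (parts[1] if len(parts) > 2 else "")


def by_root(dets: list[Detection]) -> Counter:
    """Detections per top-level directory: a second Windows folder or a pile of
    root-level .CHK fragments shows up immediately."""
    return Counter(top_dir(d.path) for d in dets)


def restore_copies(dets: list[Detection]) -> set[str]:
    """Malware labels present both in a live location and in the Windows ME
    System Restore archive (C:\\_RESTORE), which can re-seed them."""
    in_restore = {d.label for d in dets if d.malware and "\\_RESTORE\\" in d.path.upper()}
    live = {d.label for d in dets if d.malware and "\\_RESTORE\\" not in d.path.upper()}
    return in_restore & live


if __name__ == "__main__":
    dets = parse_mwav(SAMPLE_REPORT)
    print("actions:", dict(action_counts(dets)))
    print("per directory:", dict(by_root(dets)))
    print("left on disk:", *leftover_adware(dets), sep="\n  ")
    print("also cached in System Restore:", sorted(restore_copies(dets)))
```

Two things the summary surfaces for this machine: every "not-a-virus" adware file is still on disk, because MWAV only deletes what it classes as a trojan, and the same trojan labels recur under C:\_RESTORE, Windows ME's System Restore archive, so a restore point can bring deleted files back until that archive is purged. The per-directory counts also make C:\WINDOWS.000 visible as a second Windows directory, consistent with the reinstall mentioned in the first post, and that is where most of the Look2Me DLLs sit.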

#4 Wizard (Retired Staff, 5,661 posts)

What about the WinPFind log?

Tell me about this computer. Is it a dual-booting PC, or does it have multiple partitions or drives installed?

Edited by Cretemonster, 14 August 2005 - 05:36 AM.


#5 underscore11 (Topic Starter, New Member, 9 posts)

The WinPFind just generated this:
UPX!
FSG!
PEC2
PECompact2
Umonitor
qoologic
aspack
PTech
urllogic
ad-beh
ad-behNior.com
sYVLLSAKY
_rtneg3
SAHAgent
buddy.exe
ZepMon
aurora.exe
;2x(V]@BMD
Tlji7Mk
urllogic
KavSvc
69.59.186.63
209.66.67.134
66.63.167.97
66.63.167.77
abetterinternet.com
8B!7F\(T
testpopup
web-nex
yourkey
winsync
rec2_run
WinShutDown
ad-w-a-r-e.com

I don't know what it's supposed to mean.

#6 Wizard (Retired Staff, 5,661 posts)

OK, so WinPFind didn't run correctly because those instructions for downloading are for NT systems!

Do you have a Zipping Utility like WinZip?

What About the Panda Log?

Let's go ahead and zap the Look2Me infection!

Please download L2m9xfix here:
http://swandog46.gee...om/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.

Edited by Cretemonster, 14 August 2005 - 02:41 PM.


#7 underscore11 (Topic Starter, New Member, 9 posts)

Logfile of HijackThis v1.99.1
Scan saved at 11:42:07 PM, on 8/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuklc.mht!http://kazaalite.pl/...Bridge-c139.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ms-its:mhtml:file://c:\nosukmt.mht!http://kazaalite.pl/...tsInstaller.cab




Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\My Briefcase\l2m9xfix

************

Files found:


************

Registry entries found:



************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!
  • 0
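The log above is the kind of thing a helper reads by hand: O4 autorun entries and O16 DPF (Download Program Files, i.e. ActiveX) entries, two of which point at `ms-its:mhtml:file://` codebases instead of plain HTTP URLs. The following is an added example (not HijackThis code, not part of the forum post) showing how that first-pass triage can be automated: parse the entry prefix, then apply a per-type check. The sample lines are copied from the log posted above as the forum displayed them (including the `...` URL truncation); the rules themselves (non-HTTP DPF scheme is high, bare filename in a Run key is informational) are this example's assumptions, not HijackThis's own logic.

```python
"""Triage a HijackThis v1.99 log for the entry types seen in this thread.

Added example, not HijackThis code and not part of the forum post. The
checks below are assumptions about what a reviewer looks for.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log lines posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuklc.mht!http://kazaalite.pl/...Bridge-c139.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ms-its:mhtml:file://c:\nosukmt.mht!http://kazaalite.pl/...tsInstaller.cab
"""

# "O16 - <body>" : every HijackThis entry starts with a letter+number tag.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (Optional Name) - <codebase URL>"
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S.*)$")
# O4 body: "HKLM\..\Run: [Value Name] <command line>"
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    kind: str   # e.g. "O16"
    body: str   # text after "O16 - "
    line: str   # original line, for reporting


@dataclass
class Finding:
    severity: str  # "high" or "info"
    kind: str
    detail: str
    line: str


def parse_entries(text):
    """Return the recognised HijackThis entries, skipping headers and blanks."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"], raw.strip()))
    return entries


def url_scheme(url):
    """Leading scheme of a DPF codebase, lower-cased.
    'ms-its:mhtml:file://...' -> 'ms-its'; 'http://...' -> 'http'."""
    head, sep, _ = url.partition(":")
    return head.lower() if sep else ""


def check_dpf(entry):
    """Legitimate ActiveX controls are fetched over http/https; anything else
    (here the ms-its/mhtml chain through a local .mht) gets a high finding."""
    m = DPF_RE.match(entry.body)
    if not m:
        return None
    scheme = url_scheme(m["url"])
    if scheme in ("http", "https"):
        return None
    return Finding("high", "O16",
                   f"DPF {m['clsid']} uses non-HTTP codebase scheme '{scheme}'",
                   entry.line)


def check_run(entry):
    """A Run value with a bare filename is resolved via the PATH search, so the
    reviewer should confirm which file actually gets launched."""
    m = RUN_RE.match(entry.body)
    if not m:
        return None
    exe = m["cmd"].split()[0]          # "Hidserv.exe run" -> "Hidserv.exe"
    if "\\" in exe:
        return None
    return Finding("info", "O4",
                   f"[{m['name']}] launches bare filename '{exe}'; confirm its location",
                   entry.line)


CHECKS = {"O16": check_dpf, "O4": check_run}


def triage(text):
    """Run every applicable check and return the findings in log order."""
    findings = []
    for e in parse_entries(text):
        check = CHECKS.get(e.kind)
        if check:
            f = check(e)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:5} {f.kind}: {f.detail}")
```

Run against the sample, the two `kazaalite.pl` DPF lines come out as high findings while the MSN Messenger control (plain `http://`) does not; the `SysTray.Exe` entry is reported only as informational, which matches how the helper treats the stock Windows ME entries in this thread.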

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Before we go any further, I need to know if you have an unzipping utility installed.

Such as WinZip or the like?
  • 0

#9
underscore11

underscore11

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Yeah, I've got WinZip.
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK, when you downloaded WinPFind, did you extract all the files?
  • 0


#11
underscore11

underscore11

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Yes, I did.
  • 0

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK, I am attaching a text file to this post; please download it to the Desktop!

Download Pocket KillBox from here:
http://www.atribune....llBox_beta_.exe

RegSupreme Pro 1.1.0.32
http://majorgeeks.co..._Pro_d4256.html

Once downloaded and launched, click Yes to update the cache!

Open the text file you downloaded -> right-click inside it and click Select All -> now press Ctrl+C to copy!

Open Pocket Killbox -> click File -> click Paste From Clipboard!

Place a tick by Delete on Reboot and click the red circle to delete!

Click Yes to the following prompts and let Killbox reboot the PC!

Reboot into Safe Mode and open RegSupreme -> click "Registry Cleaner" -> click "Aggressive" and "Start" -> fix everything it finds -> name the backup it creates and save it somewhere safe!

Restart normally and download Silent Runners from here:
http://www.silentrun...ent Runners.zip

Unzip it and select Extract all files!

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

It will start scanning the system; be patient, it takes a bit!

Once completed, it will produce a Notepad page; I need you to copy & paste those results into your next post!

Once it's complete, I need you to generate a HijackThis StartupList log!

HijackThis StartupList log:
Open HijackThis, select Config (bottom right) >>> select Misc Tools >>> select Generate StartupList log and make sure that both boxes beside it are checked:

Put a check by:
List all minor sections (Full)
and
List Empty Sections (Complete)

It will produce a Notepad page; I need you to post the entire contents of that page in your next post!

Post those 2 logs once completed!

Attached Files


Edited by Cretemonster, 15 August 2005 - 08:47 PM.

  • 0
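The "Delete on Reboot" step above relies on a Windows 9x/ME mechanism that is worth being able to read back: entries in the `[Rename]` section of `C:\WINDOWS\WININIT.INI` are processed at the next boot (a target of `NUL` means "delete the source"), after which Windows renames the file to `WININIT.BAK`, which is why the StartupList report later in this thread contains a `WININIT.BAK listing`. The following is an added example, not Killbox's or StartupList's code, that parses such a section and reports what was scheduled. The sample is a constructed subset of the `WININIT.BAK` entries posted in this thread plus one made-up rename line (marked in the sample) to exercise the non-`NUL` form; the interpretation of `NUL=` and of `target=source` ordering is this example's assumption from the Win9x convention, not something the forum post states.

```python
"""List what a Windows 9x/ME WININIT.INI [Rename] section scheduled for the
next boot, from the INI itself or from the WININIT.BAK left after processing.

Added example, not Killbox's or StartupList's code. Assumption: Win9x
convention that a line is "target=source", and target NUL means delete.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the WININIT.BAK entries posted in this
# thread, plus one made-up rename entry to show the non-NUL form.
SAMPLE_WININIT = r"""
[Rename]
NUL=C:\PROGRA~1\GUITAR~1.18\
NUL=C:\WINDOWS\IPINSIGT.DLL
NUL=C:\WINDOWS\XBGSTUMX.DLL
NUL=C:\WINDOWS\
NUL=C:\WINDOWS\SYSTEM\DSKTRF.DLL
NUL=C:\WINDOWS\SYSTEM\SHAGEN~2.DLL
NUL=C:\WINDOWS\SYSTEM32\CD_CLINT.DLL
NUL=C:\WINDOWS.000\SYSTEM\HZTPLUG.DLL
NUL=C:\WINDOWS.000\SYSTEM\MOJTER35.DLL
; constructed rename entry (not from the thread) to show the non-NUL form
C:\WINDOWS\SYSTEM\EXAMPLE.DLL=C:\WINDOWS\TEMP\EXAMPLE.NEW
"""


@dataclass
class PendingOp:
    action: str   # "delete" or "rename"
    source: str   # file the operation is applied to
    target: str   # "NUL" for delete, new name for rename
    is_dir: bool  # source ends in a backslash, i.e. names a directory


def parse_rename_section(text):
    """Hand-parse the [Rename] section. configparser is not used because the
    section repeats the NUL key on every line, which configparser rejects."""
    ops = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        target, _, source = line.partition("=")
        target, source = target.strip(), source.strip()
        action = "delete" if target.upper() == "NUL" else "rename"
        ops.append(PendingOp(action, source, target, source.endswith("\\")))
    return ops


def directory_entries(ops):
    """Sources that name a directory rather than a file. The [Rename]
    mechanism is for files, so these deserve a second look; in the thread's
    listing they include C:\\WINDOWS\\ and C:\\WINDOWS\\SYSTEM\\ themselves."""
    return [op.source for op in ops if op.is_dir]


def summarize_by_directory(ops):
    """Count scheduled file deletions per parent directory, so that clusters
    (e.g. a second Windows install under C:\\WINDOWS.000) stand out."""
    counts = Counter()
    for op in ops:
        if op.action != "delete" or op.is_dir:
            continue
        parent = op.source.rsplit("\\", 1)[0].upper()
        counts[parent] += 1
    return counts


if __name__ == "__main__":
    ops = parse_rename_section(SAMPLE_WININIT)
    for op in ops:
        print(f"{op.action:6} {op.source}" + (f" -> {op.target}" if op.action == "rename" else ""))
    print("directory entries:", directory_entries(ops))
    for parent, n in sorted(summarize_by_directory(ops).items()):
        print(f"{n:3} file deletion(s) under {parent}")
```

Reading the real `WININIT.BAK` listing this way turns a wall of `NUL=` lines into a per-directory count, which is what a helper needs to notice that the delete list included whole directories and a second `C:\WINDOWS.000` installation, and therefore to ask the dual-boot question that came up earlier in this thread.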

#13
underscore11

underscore11

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Taskbar Display Controls" = "RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"Hidserv" = "Hidserv.exe run" [MS]
"Keyboard Manager" = "C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"HPScanPatch" = "C:\WINDOWS\SYSTEM\HPScanFix.exe" ["Hewlett-Packard Company"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"Delay" = "C:\WINDOWS\delayrun.exe" [null data]
"LexStart" = "LexStart.EXE" ["Lexmark International, Inc."]
"avast! Web Scanner" = "C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE" ["ALWIL Software"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"avast!" = "C:\Program Files\Alwil Software\Avast4\ashServ.exe" [null data]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{C56CB6B0-0D96-11D6-8C65-B2868B609932}\(Default) = "NTIECatcher Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL" ["Xi"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Encoder Agent" -> shortcut to: "C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE" [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 54 seconds, including 18 seconds for message boxes)





StartupList report, 8/16/2005, 1:28:54 AM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
Hidserv = Hidserv.exe run
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
Delay = C:\WINDOWS\delayrun.exe
LexStart = LexStart.EXE
avast! Web Scanner = C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

avast! = C:\Program Files\Alwil Software\Avast4\ashServ.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[PerUser_HNW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[PerUser_moviemaker] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[SamplerPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_PCHealth] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_ZoneGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_PBGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf

[MmoptMusicaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsEarthlinkPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUser 64 C:\WINDOWS\INF\ols.inf

[Shell3PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 16/8/2005, 0:56:14)

[Rename]
NUL=C:\PROGRA~1\GUITAR~1.18\
NUL=C:\WINDOWS\IPINSIGT.DLL
NUL=C:\WINDOWS\XBGSTUMX.DLL
NUL=C:\WINDOWS\
NUL=C:\WINDOWS\SYSTEM\DSKTRF.DLL
NUL=C:\WINDOWS\SYSTEM\
NUL=C:\WINDOWS\SYSTEM\SHAGEN~2.DLL
NUL=C:\WINDOWS\SYSTEM\DSKTRF1.DLL
NUL=C:\WINDOWS\SYSTEM\DSKTRF.DLL
NUL=C:\WINDOWS\SYSTEM\SHAGEN~2.DLL
NUL=C:\WINDOWS\SYSTEM\DSKTRF1.DLL
NUL=C:\WINDOWS\DESKTOP\MYBRIE~1\HIJACK~1.LOG
NUL=C:\WINDOWS\SYSTEM32\CD_CLINT.DLL
NUL=C:\WINDOWS\APPLIC~1\SUN\JAVA\DEPLOY~1\CACHE\JAVAPI\V1.0\JAR\
NUL=C:\WINDOWS\SETUP\SHELL\14\MOZILLA\PROFILES\DEFAULT\CERB0UMW.SLT\CACHE\
NUL=C:\WINDOWS\DOWNLO~1\CONFLICT.1\
NUL=C:\WINDOWS\DOWNLO~1\MEDIAP~1.DLL
NUL=C:\WINDOWS\DOWNLO~1\CONFLICT.2\
NUL=C:\WINDOWS\DOWNLO~1\CONFLICT.3\
NUL=C:\WINDOWS\DOWNLO~1\
NUL=C:\WINDOWS\DOWNLO~1\ADTOOLSX.DLL
NUL=C:\WINDOWS\IPINSIGT.DLL
NUL=C:\WINDOWS\XBGSTUMX.DLL
NUL=C:\WINDOWS.000\SYSTEM\HZTPLUG.DLL
NUL=C:\WINDOWS.000\SYSTEM\MOJTER35.DLL
NUL=C:\WINDOWS.000\SYSTEM\VOWWDM32.DLL
NUL=C:\WINDOWS.000\SYSTEM\HSTPLUG.DLL
NUL=C:\WINDOWS.000\SYSTEM\VMWWDM32.DLL
NUL=C:\WINDOWS.000\SYSTEM\FLXLIB.DLL
NUL=C:\WINDOWS.000\SYSTEM\IMFRARED.DLL
NUL=C:\WINDOWS.000\SYSTEM\MDLTUS35.DLL
NUL=C:\WINDOWS.000\SYSTEM\VGWWDM32.DLL
NUL=C:\WINDOWS.000\SYSTEM\MMJINT35.DLL
NUL=C:\WINDOWS.000\SYSTEM\VWWWDM32.DLL
NUL=C:\WINDOWS.000\SYSTEM\WINCORE.DLL
NUL=C:\WINDOWS.000\SYSTEM\CIDRULES.DLL
NUL=C:\WINDOWS.000\SYSTEM\
NUL=C:\WINDOWS.000\SYSTEM\UOBUI.DLL
NUL=C:\WINDOWS.000\SYSTEM\UPBUI.DLL
NUL=C:\WINDOWS.000\SYSTEM\MBRD2X35.DLL
NUL=C:\WINDOWS.000\SYSTEM\HTTPLUG.DLL
NUL=C:\WINDOWS.000\SYSTEM\UIBUI.DLL
NUL=C:\WINDOWS.000\SYSTEM\MEJINT35.DLL
NUL=C:\WINDOWS.000\SYSTEM\HXTPLUG.DLL
NUL=C:\WINDOWS.000\SYSTEM\MHJINT35.DLL
NUL=C:\WINDOWS.000\SYSTEM\VXWWDM32.DLL
NUL=C:\WINDOWS.000\SYSTEM\MJLTUS35.DLL
NUL=C:\WINDOWS.000\SYSTEM\MUJINT35.DLL
NUL=C:\WINDOWS.000\SYSTEM\VKWWDM32.DLL
NUL=C:\WINDOWS.000\SYSTEM\MNJINT35.DLL
NUL=C:\WINDOWS.000\SYSTEM\MWTCP.DLL
NUL=C:\WINDOWS.000\SYSTEM\MCRD2X35.DLL
NUL=C:\WINDOWS.000\SYSTEM\MNLTUS35.DLL
NUL=C:\WINDOWS.000\SYSTEM\UVBUI.DLL
NUL=C:\WINDOWS.000\SYSTEM\MWRD2X35.DLL
NUL=C:\WINDOWS.000\SYSTEM\MFJINT35.DLL
NUL=C:\WINDOWS.000\SYSTEM\HWTPLUG.DLL
NUL=C:\WINDOWS.000\SYSTEM\FEXLIB.DLL
NUL=C:\WINDOWS.000\SYSTEM\ULBUI.DLL
NUL=C:\WINDOWS.000\SYSTEM\MMJTER35.DLL
NUL=C:\WINDOWS.000\SYSTEM\HJTPLUG.DLL
NUL=C:\WINDOWS.000\SYSTEM\IXFRARED.DLL
NUL=C:\WINDOWS.000\SYSTEM\UUBUI.DLL
NUL=C:\WINDOWS.000\SYSTEM\CGFVIEW.DLL
NUL=C:\WINDOWS.000\SYSTEM\VDWWDM32.DLL
NUL=C:\WINDOWS.000\SYSTEM\IMSETUP.DLL
NUL=C:\WINDOWS.000\SYSTEM\MBJINT35.DLL
NUL=C:\WINDOWS.000\SYSTEM32\GIRLCO~1.DLL
NUL=C:\WINDOWS.000\APPLIC~1\MOZILLA\PROFILES\DEFAULT\CAXZ6QTJ.SLT\CACHE\
NUL=C:\WINDOWS.000\APPLIC~1\
NUL=C:\WINDOWS.000\DOWNLO~1\
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\UHWOFHLA\CNBABE~1.EXE
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\HDPDSXMA\BURN4F~1.EXE
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\HDPDSXMA\SAVEUP~1.EXE
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\58RTQ9LK\IEBHOS~1.DLL
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\W1IJ8HUN\
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\2PCZOVEB\CDT_BB~1.EXE
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\2PCZOVEB\INSTAL~1.CAB
NUL=C:\WINDOWS.000\TEMPOR~1\CONTENT.IE5\KROXI5I9\SAHAGE~1.EXE
NUL=C:\WINDOWS.000\ICONZ.EXE
NUL=C:\WINDOWS.000\PROFILES\STRING~1\APPLIC~1\MOZILLA\PROFILES\DEFAULT\CAXZ6QTJ.SLT\CACHE\
NUL=C:\WINDOWS.000\PROFILES\STRING~1\APPLIC~1\
NUL=C:\WINDOWS.000\NDNUNI~1.EXE
NUL=C:\WINDOWS.000\NDNUNI~2.EXE
NUL=C:\WINDOWS.000\CDT_BB~1.EXE
NUL=C:\WINDOWS.000\CNBABEIE.EXE
NUL=C:\WINDOWS.000\NDNUNI~5.EXE
NUL=C:\WINDOWS.000\NDNUNI~6.EXE
NUL=C:\_RESTORE\TEMP\
NUL=C:\_RESTORE\TEMP\
NUL=C:\_RESTORE\TEMP\
NUL=C:\_RESTORE\TEMP\
NUL=C:\_RESTORE\TEMP\
NUL=C:\PROGRA~1\ACCESS~1\CACHE4\
NUL=C:\PROGRA~1\ACCESS~1\CACHE4\
NUL=C:\PROGRA~1\ACCESS~1\CACHE4\
NUL=C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
NUL=C:\PROGRA~1\COMMON~1\WINTOOLS\WSUP.EXE
NUL=C:\PROGRA~1\COMMON~1\WINTOOLS\
NUL=C:\PROGRA~1\OVERNET\NEWDEVIN.EXE
NUL=C:\PROGRA~1\OVERNET\449166.EXE
NUL=C:\E2G\IEBHOS.DLL
NUL=C:\FILE0229.CHK
NUL=C:\FILE0239.CHK
NUL=C:\
NUL=C:\FILE0273.CHK
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\FILE0386.CHK
NUL=C:\
NUL=C:\FILE0392.CHK
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\FILE0482.CHK
NUL=C:\FILE0488.CHK
NUL=C:\FILE0490.CHK
NUL=C:\
NUL=C:\FILE0510.CHK
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\FILE1377.CHK
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\FILE2281.CHK
NUL=C:\FILE2503.CHK
NUL=C:\
NUL=C:\
NUL=C:\
NUL=C:\

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\COMMON~1\MUVEET~1\030625

--------------------------------------------------

C:\CONFIG.SYS listing:

*File is empty*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[Java Plug-in 1.3.1_04]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
CODEBASE = http://java.sun.com/...-131_04-win.cab

[{32564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv8dmo.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNMESSENGERSETUPDOWNLOADER.OCX
CODEBASE = http://messenger.msn...pDownloader.cab

[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...0367/wmavax.CAB

[{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\ADTOOLSX.DLL

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
VPOWERD: *VPOWERD
NDIS: ndis.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *MTRR
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 31,337 bytes
Report generated in 0.376 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#14
Wizard
  • Retired Staff
  • 5,661 posts
OK, let's disable System Restore
http://service1.syma...src=sec_doc_nam

Copy & paste each entry below into Killbox and use the instructions that follow!

C:\WINDOWS\WININIT.BAK
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\ADTOOLSX.DLL
C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX


As you paste each one in -> place a tick by any of these selections that are available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Click the Red Circle to Delete!

Download and Install
CleanUp!

Once installed -> Run CleanUp -> Let it do its thing -> When prompted to reboot, do so!

Now try the Panda scan again; if it doesn't work, update MWAV and scan the system again with that, and post those results along with a fresh HijackThis log!
  • 0

#15
underscore11
  • Topic Starter
  • Member
  • 9 posts
File C:\!Submit\ADTOOLSX.DLL tagged as not-a-virus:AdWare.WinAD.x. No Action Taken.
File C:\!Submit\MEDIAT~1.OCX tagged as not-a-virus:AdWare.MediaTickets.f. No Action Taken.
File C:\FILE0657.CHK tagged as not-a-virus:AdWare.180Solutions. No Action Taken.
File C:\FILE0882.CHK tagged as not-a-virus:AdWare.ToolBar.FWN.c. No Action Taken


Logfile of HijackThis v1.99.1
Scan saved at 1:13:01 AM, on 8/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) -
  • 0





