please help! Spyware is not working! [RESOLVED]
#1
Posted 17 August 2005 - 10:59 AM
#2
Posted 17 August 2005 - 11:04 AM
Welcome to GeekstoGo! My name is Snickets and I will be helping you today.
1. Set up a folder by doing the following.
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.
2. Then go here to download the latest version of HijackThis (1.99.1) and save it into the folder you created for HijackThis.
3. Double-click hijackthis.exe to scan.
Select "Scan and Save Log".
After the scan, save the log somewhere you will remember.
Then go to the location where you saved the HijackThis log and open it, press Ctrl+A to highlight all the text inside, right-click and choose Copy, then paste the contents back into this thread.
Thank you,
Snickets
#3
Posted 17 August 2005 - 11:31 AM
Logfile of HijackThis v1.99.1
Scan saved at 1:29:46 PM, on 8/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\UTHM\AREA.EXE
C:\GLEH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\4SDDDX.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL (file missing)
O2 - BHO: (no name) - {7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD} - C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sdddx.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [ACTADM] C:\WINDOWS\SYSTEM\ACTADM.exe
O4 - HKCU\..\Run: [Uate] C:\Program Files\uthm\area.exe
O4 - Startup: prct.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...om_bedroom1.xml
OK, let me know what to do next! Thanks again!
#4
Posted 18 August 2005 - 09:28 AM
Please download the following tools to assist us in removing this infection.
- Download WinPFind
- Right-click the zip folder and select "Extract All"
- Extract it somewhere you will remember, like the Desktop
- Don't do anything with it yet!
- Download Track qoo
- Save it somewhere you will remember, like the Desktop
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Double-click WinPFind.exe
- Click "Start Scan"
- It will scan the entire system, so please be patient!
- Once the scan is complete
- Go to the WinPFind folder
- Locate WinPFind.txt
- Place those results in the next post!
Double-click "Track qoo.vbs"
Note: if your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow the entire script to run; it's harmless.
Wait a few seconds and a Notepad window will pop up. Copy and paste those results into the next post along with the WinPFind results.
Thank you,
Snickets
#5
Posted 18 August 2005 - 10:17 AM
OK, so I did that. I will post the results below. First, I wanted to tell you that I have been running my spyware detector programs, and the only thing that is coming up now is the tracking cookie. Even though it is not showing any virus or trojan or major problem, I still am getting popups like crazy. Is that really just from a tracking cookie? Or is it possible there is an infection deeply embedded in my computer that these programs aren't catching?
Here is the Trackqoo report:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Keyboard Manager"="C:\\Program Files\\Netropa\\One-touch Multimedia Keyboard\\MMKeybd.exe"
"MMTray"=""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Delay"="C:\\WINDOWS\\delayrun.exe"
"Adaptec DirectCD"="C:\\Program Files\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"winsync"="C:\\WINDOWS\\4sdddx.exe reg_run"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\SYSTEM\DOCPROP2.DLL
==============================
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
==============================
C:\WINDOWS\Start Menu\Programs\StartUp
prct.exe
==============================
C:\WINDOWS\SYSTEM cpl files
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
WUAUCPL.CPL Microsoft Corporation
ACCESS.CPL Microsoft Corporation
THEMES.CPL Microsoft Corporation
igfxcpl.cpl Intel Corporation
FINDFAST.CPL Microsoft Corporation
conres.cpl
And here is the winpfind.txt report:
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 5.50.4134.0600
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
PTech 8/18/2005 11:45:50 AM 831520 C:\WINDOWS\USER.DAT
KavSvc 8/18/2005 11:45:50 AM 2687008 C:\WINDOWS\SYSTEM.DAT
winsync 8/18/2005 11:45:50 AM 2687008 C:\WINDOWS\SYSTEM.DAT
69.59.186.63 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll
209.66.67.134 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll
web-nex 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll
winsync 8/18/2005 11:08:40 AM 46080 C:\WINDOWS\kfdggfj.dll
Items found in C:\WINDOWS\hosts
69.59.186.63 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
209.66.67.134 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
web-nex 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
winsync 8/18/2005 11:08:40 AM 10240 C:\WINDOWS\oekbb.dll
UPX! 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\ru.exe
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
PTech 8/18/2005 11:38:50 AM 5632 C:\WINDOWS\VSX1.1.exe
web-nex 8/15/2005 6:07:28 PM 3943 C:\WINDOWS\hmvkk.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
Checking %System% folder...
PTech 11/9/1999 10:55:54 PM 88571 C:\WINDOWS\SYSTEM\MDACRDME.HTM
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\VDAJET32.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\HUZFLT04.DLL
69.59.186.63 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
209.66.67.134 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
66.63.167.97 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
66.63.167.77 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
web-nex 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
winsync 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
rec2_run 8/17/2005 1:13:42 PM 30208 C:\WINDOWS\SYSTEM\datadx.dll
PEC2 8/3/2005 6:27:14 AM 50176 C:\WINDOWS\SYSTEM\ba7_ni.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IX41_QCX.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SJDPAPI.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MARD2X40.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MKAPSSPC.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOLOR.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SGSTHUNK.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MADOCS.DLL
UPX! 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\SYSTEM\area.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOMPOS.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IPWDIAL.DLL
UPX! 8/15/2005 3:37:50 PM 24576 C:\WINDOWS\SYSTEM\AUNPS2.dll.tcf
UPX! 8/16/2005 5:39:50 PM 67072 C:\WINDOWS\SYSTEM\actadm.exe.tcf
UPX! 8/16/2005 2:55:06 PM 29696 C:\WINDOWS\SYSTEM\PSof1.exe.tcf
UPX! 8/18/2005 11:27:02 AM 68096 C:\WINDOWS\SYSTEM\msigag.exe
UPX! 8/18/2005 11:32:52 AM 68096 C:\WINDOWS\SYSTEM\rnadnu.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MUJDBC10.DLL
UPX! 8/18/2005 11:38:52 AM 68096 C:\WINDOWS\SYSTEM\whlraw.exe
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\owhlp30e.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mwiosd32.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\UFDMXFRM.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RWCLTS3.DLL
aspack 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
KavSvc 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
69.59.186.63 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
209.66.67.134 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
66.63.167.97 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
66.63.167.77 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
web-nex 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
yourkey 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
rec2_run 8/15/2005 4:58:24 PM 29184 C:\WINDOWS\SYSTEM\supdate.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mamdvdif.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\JEEG2X32.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TjxDlgUtil.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RNAENH.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mgikbdsw.dll
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TIP3216S.DLL
Umonitor 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TEP3216S.DLL
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/18/2005 11:46:56 AM 847904 C:\WINDOWS\USER.DAT
H 8/18/2005 11:45:50 AM 2687008 C:\WINDOWS\SYSTEM.DAT
H 8/18/2005 11:43:56 AM 11560 C:\WINDOWS\ttfCache
H 8/18/2005 11:38:56 AM 5087264 C:\WINDOWS\CLASSES.DAT
SH 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\ru.exe
H 8/18/2005 11:08:28 AM 6 C:\WINDOWS\TASKS\SA.DAT
SH 8/18/2005 11:08:36 AM 182 C:\WINDOWS\TASKS\RUTASK.job
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\8RC3AN2J\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\1W6SJZCA\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\3R15TV7Y\desktop.ini
SH 8/16/2005 1:08:32 PM 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\GCOT7A6K\desktop.ini
SH 8/18/2005 9:21:06 AM 3584 C:\WINDOWS\DRM\drmv2.sst
SH 8/18/2005 9:21:06 AM 48 C:\WINDOWS\DRM\v2ks.sec
SH 8/18/2005 9:21:06 AM 312 C:\WINDOWS\DRM\v2ks.bla
H 8/18/2005 11:45:18 AM 344064 C:\WINDOWS\Cookies\index.dat
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IDSCONFG.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\VDAJET32.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\HUZFLT04.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\BGACKBOX.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SJDPAPI.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MARD2X40.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MKAPSSPC.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOLOR.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\SGSTHUNK.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MADOCS.DLL
SH 8/18/2005 11:08:34 AM 82432 C:\WINDOWS\SYSTEM\area.exe
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\DICOMPOS.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\IPWDIAL.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\MUJDBC10.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\owhlp30e.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mwiosd32.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\UFDMXFRM.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RWCLTS3.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mamdvdif.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\JEEG2X32.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TjxDlgUtil.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\RNAENH.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\mgikbdsw.dll
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TIP3216S.DLL
S 8/15/2005 2:18:02 PM 405504 C:\WINDOWS\SYSTEM\TEP3216S.DLL
H 8/18/2005 11:45:40 AM 668 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
SH 8/18/2005 11:35:52 AM 2580 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
SH 8/15/2005 4:01:02 PM 788 C:\WINDOWS\Temporary Internet Files\Ssk.log
SH 8/17/2005 3:48:18 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
SH 8/17/2005 3:56:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GLARKXAZ\desktop.ini
SH 8/17/2005 3:56:40 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8LIJC563\desktop.ini
SH 8/17/2005 3:56:56 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GLUV09QR\desktop.ini
Checking for CPL files...
Microsoft Corporation 6/6/2000 4:21:34 PM 259344 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 62464 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 104368 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 250128 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 111616 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 389872 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 5/31/2000 1:17:14 PM 15152 C:\WINDOWS\SYSTEM\WUAUCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\THEMES.CPL
Intel Corporation 8/8/2000 3:09:26 PM 84480 C:\WINDOWS\SYSTEM\igfxcpl.cpl
Microsoft Corporation 2/10/1999 11:48:46 AM 40960 C:\WINDOWS\SYSTEM\FINDFAST.CPL
8/17/2005 1:13:42 PM 31232 C:\WINDOWS\SYSTEM\conres.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
8/18/2005 11:08:40 AM 92160 C:\WINDOWS\Start Menu\Programs\StartUp\prct.exe
Checking files in %USERPROFILE%\Application Data folder...
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll
<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD}
= C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
Band Class = C:\WINDOWS\DSR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
CControl Object = C:\Program Files\E2G\IeBHOs.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
PCHealth C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Keyboard Manager C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
MMTray
hpsysdrv c:\windows\system\hpsysdrv.exe
Delay C:\WINDOWS\delayrun.exe
Adaptec DirectCD C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
winsync C:\WINDOWS\4sdddx.exe reg_run
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent mstask.exe
*StateMgr C:\WINDOWS\System\Restore\StateMgr.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NETAPI C:\WINDOWS\SYSTEM\NETAPI.EXE
Uate C:\Program Files\uthm\area.exe
WHLRAW C:\WINDOWS\SYSTEM\WHLRAW.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
WHLRAW C:\WINDOWS\SYSTEM\WHLRAW.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ACTADM C:\WINDOWS\SYSTEM\ACTADM.exe
WHLRAW C:\WINDOWS\SYSTEM\WHLRAW.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook {BCBCD383-3E06-11D3-91A9-00C04F68105C} = C:\WINDOWS\SYSTEM\AUHOOK.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/18/2005 11:50:12 AM
ok thanks again!
#6
Posted 19 August 2005 - 07:57 AM
Download Pocket KillBox from here. There is a direct download and a description of what the program does inside this link.
Please open Notepad and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set file type to "All Files") on your Desktop.
REGEDIT4

; Delete the three rogue BHO registrations (TLRFAVDE.DLL, DSR.DLL, E2G\IeBHOs.dll).
; A .reg file needs the full hive name and the whole key on one line; "[-...]" deletes the key.
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]

; Remove the autostart values (a value name followed by "=-" deletes that value).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uate"=-
"WHLRAW"=-
Open Pocket Killbox and copy and paste the entries below into the "Full Path of File to Delete" box:
C:\WINDOWS\Start Menu\Programs\StartUp\prct.exe
C:\WINDOWS\SYSTEM\conres.cpl
C:\WINDOWS\kfdggfj.dll
C:\WINDOWS\oekbb.dll
C:\WINDOWS\ru.exe
C:\WINDOWS\RMAgentOutput.dll
C:\WINDOWS\VSX1.1.exe
C:\WINDOWS\hmvkk.dll
C:\WINDOWS\SYSTEM\AUNPS2.dll.tcf
C:\WINDOWS\SYSTEM\area.exe
C:\WINDOWS\SYSTEM\DICOMPOS.DLL
C:\WINDOWS\SYSTEM\IPWDIAL.DLL
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\owhlp30e.dll
C:\WINDOWS\SYSTEM\mwiosd32.dll
C:\WINDOWS\SYSTEM\whlraw.exe
C:\GLEH.EXE
C:\PROGRAM FILES\UTHM\AREA.EXE
C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
C:\WINDOWS\CFGMGR52.DLL
C:\WINDOWS\SYSTEM\DATADX.DLL
As you paste each entry into Killbox, place a tick by any of these selections that are available:
"Delete on Reboot"
"Unregister .dll before Deleting"
Click the red circle with the white X in the middle to delete.
Restart in Safe Mode and run those files through Killbox once more to be sure nothing survived.
This time place a tick by any of these selections that are available:
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
Now locate and double-click KillQoo.reg and allow it to merge into the registry.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL (file missing)
O2 - BHO: (no name) - {7F5F4EB7-8A5A-80F8-2DF4-D0F88D9697CD} - C:\WINDOWS\SYSTEM\TLRFAVDE.DLL
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sdddx.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKCU\..\Run: [Uate] C:\Program Files\uthm\area.exe
O4 - Startup: prct.exe
Now close all windows other than HiJackThis, then click Fix Checked.
Restart back in Normal Mode and Post a fresh HijackThis log!
Thank you,
Snickets
#7
Posted 19 August 2005 - 09:18 AM
OK, I did everything you said. The only thing is, when I started to do Killbox in Safe Mode, all the icons disappeared. So after I finished running the files in Killbox, I had to reboot again into Safe Mode to run HijackThis. So when I ran it, only one of the 7 entries showed up in HijackThis. Of course, I clicked it and fixed it, but I just wanted you to know that the others weren't even on the list. Then, as soon as I rebooted into Normal Mode, a popup came up. Only one, so that is better, but I don't know if that is normal, or if my machine still has something going on. Anyway, I ran HijackThis in Normal Mode again and saved the log file. Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 11:15:52 AM, on 8/19/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\ETB\POKAPOKA63.EXE
C:\WINDOWS\SYSTEM\MSWUMB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSWUMB.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [MSWUMB] C:\WINDOWS\SYSTEM\MSWUMB.exe
O4 - HKCU\..\RunOnce: [MSWUMB] C:\WINDOWS\SYSTEM\MSWUMB.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...om_bedroom1.xml
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
Thanks Again!!!
#8
Posted 19 August 2005 - 09:36 AM
1. Download this tool: LQfix.zip
Unzip it to your Desktop.
Don't use it yet!
IMPORTANT! Reboot the computer into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').
2. Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again, that is normal.
3. Reboot into normal mode and scan with HijackThis. Post the new log as a reply to this thread.
Thank you,
Snickets
#9
Posted 22 August 2005 - 08:50 AM
Sorry for the delay, I don't have access to the computer over the weekend! So I did the last step, and here is the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:48:46 AM, on 8/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\JAVNPU.EXE
C:\WINDOWS\SYSTEM\JAVNPU.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O4 - HKCU\..\RunOnce: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...om_bedroom1.xml
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
Thanks again!! What next??
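The two logs above (8/19 and 8/22) differ in a way that is easy to miss by eye: the go2realsearch R1 lines and the E2G BHO are unchanged, while the O4 autostart names were swapped (MSWUMB became JAVNPU, POKAPOKA63 gave way to nsvsvc, VIDCTRL and AUNPS2), which is what you expect when only registry entries were fixed and the dropper itself kept running. As an added example, not code from this thread or from the HijackThis project, here is a small Python parser that turns HijackThis R/O detail lines into structured entries, diffs two logs into persisted, removed and appeared sets, and pairs a vanished O4 hook with a new one under the same hive\key whose image lives in the same directory. The two sample logs are excerpts constructed from the logs posted above; the line regexes are my reading of the HijackThis 1.99 output format, not an official grammar.

```python
"""Structured diff of two HijackThis 1.99.x logs.

Added example, not code from this thread or from HijackThis. The sample logs
are excerpts constructed from the 8/19 and 8/22 logs posted above.
"""
import re
from typing import List, NamedTuple, Tuple

LOG_0819 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [MSWUMB] C:\WINDOWS\SYSTEM\MSWUMB.exe
O4 - HKCU\..\RunOnce: [MSWUMB] C:\WINDOWS\SYSTEM\MSWUMB.exe
"""

LOG_0822 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O4 - HKCU\..\RunOnce: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
"""


class Entry(NamedTuple):
    section: str  # "R1", "O2", "O4", "O16", ...
    body: str     # everything after "Sn - "


# Line grammar as read off the logs in this thread (an assumption, not an official spec).
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat))(?:[\s,]|$)", re.IGNORECASE)


def parse_log(text: str) -> List[Entry]:
    """Keep the R/F/O detail lines; the header and 'Running processes' list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def image_path(cmd: str) -> str:
    """Lowercased executable (or rundll32 host plus DLL) named by an O4 command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    m = IMAGE_RE.match(cmd)
    return (m.group(1) if m else cmd).lower()


def hooks(entries: List[Entry]) -> dict:
    """O4 autostart entries as {(hive, key, name): image path}."""
    out = {}
    for e in entries:
        m = O4_RE.match(e.body) if e.section == "O4" else None
        if m:
            out[(m.group("hive"), m.group("key"), m.group("name"))] = image_path(m.group("cmd"))
    return out


def diff_logs(old: str, new: str) -> Tuple[List[Entry], List[Entry], List[Entry]]:
    """Return (persisted, removed, appeared) entries, each in log order."""
    old_entries, new_entries = parse_log(old), parse_log(new)
    old_set, new_set = set(old_entries), set(new_entries)
    return ([e for e in new_entries if e in old_set],
            [e for e in old_entries if e not in new_set],
            [e for e in new_entries if e not in old_set])


def probable_renames(old: str, new: str) -> List[Tuple[str, str, str]]:
    """Pair a vanished autostart hook with one that appeared under the same hive\\key
    with an image in the same directory: the footprint of a dropper that survived a
    registry-only fix and re-registered under a fresh name. Returns (hive\\key, old, new)."""
    old_hooks, new_hooks = hooks(parse_log(old)), hooks(parse_log(new))
    gone = {k: v for k, v in old_hooks.items() if k not in new_hooks}
    fresh = {k: v for k, v in new_hooks.items() if k not in old_hooks}
    pairs = []
    for (hive, key, _), old_img in gone.items():
        for (h2, k2, _), new_img in fresh.items():
            if (hive, key) == (h2, k2) and old_img.rsplit("\\", 1)[0] == new_img.rsplit("\\", 1)[0]:
                pairs.append((hive + "\\" + key, old_img, new_img))
    return pairs


if __name__ == "__main__":
    persisted, removed, appeared = diff_logs(LOG_0819, LOG_0822)
    for label, group in (("persisted", persisted), ("removed", removed), ("appeared", appeared)):
        print(f"{label} ({len(group)}):")
        for e in group:
            print(f"  {e.section} - {e.body}")
    for key, old_img, new_img in probable_renames(LOG_0819, LOG_0822):
        print(f"probable rename under {key}: {old_img} -> {new_img}")
```

Run against the two excerpts, the persisted set is the hijack lines plus the legitimate ScanRegistry entry and NETAPI, and the rename pairing reports MSWUMB.exe to JAVNPU.exe under both HKCU\Run and HKCU\RunOnce; the HKLM entries are not paired because the new images sit in different directories. The lesson for triage is to diff image paths and key locations rather than entry names, since the names are the part the malware changes.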
#10
Posted 22 August 2005 - 01:03 PM
Download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
1. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:
C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\SYSTEM\NETAPI.EXE
C:\WINDOWS\SYSTEM\JAVNPU.exe
C:\Program Files\E2G\IeBHOs.dll
For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes and boot into safe mode at this time.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
2. Once in safe mode please run HijackThis and place a check next to the following items.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.go2realsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.go2realsearch.com/sp2.php
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [NETAPI] C:\WINDOWS\SYSTEM\NETAPI.EXE
O4 - HKCU\..\Run: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O4 - HKCU\..\RunOnce: [JAVNPU] C:\WINDOWS\SYSTEM\JAVNPU.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...om_bedroom1.xml
After checking these entries CLOSE ALL open windows [browsers and programs] EXCEPT HijackThis and click "Fix Checked."
===================================================
3. Please remove these entries from Add/Remove Programs in the Control Panel (if present).
Delfin
AlwaysUpdateNews
E2Give
Please note any other programs that you don't recognize in that list in your next response.
4. Please delete these files and folders using Windows Explorer (if present):
files=blue
folders=red
C:\Program Files\E2G\
C:\WINDOWS\SYSTEM\nsvsvc\
C:\WINDOWS\SYSTEM\VIDCTRL\
C:\WINDOWS\SYSTEM\NETAPI.EXE
C:\WINDOWS\SYSTEM\JAVNPU.exe
5. Please search for these files below separately and delete if present using the following instructions:
Go to Start>Run>Search for Files and Folders>and type in the following files:
AUNPS2.DLL
6. Run Ewido:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- NOTE: During some scans with ewido it is finding cases of false positives.
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
7. Reboot into normal Windows.
8. Please rescan with HijackThis and post the new results in this thread along with the Ewido scan results. At this time please let me know how your system is running.
Thank you,
Snickets
Edited by Snickets, 24 August 2005 - 09:08 AM.
#11
Posted 24 August 2005 - 08:44 AM
Ewido is for Windows 2000 or XP, I have ME, so it is not installing on my computer. What should I do?? My computer is still having a lot of pop-ups and every time I run Ad-Aware, new critical objects show up!
#12
Posted 24 August 2005 - 09:06 AM
Sorry about that I should have noticed that.
Please do the steps without the Ewido scan and then post a fresh HijackThis log.
I will then see where we are at with the problem.
Thanks,
Snickets
#13
Posted 24 August 2005 - 09:29 AM
I went ahead and worked on that anyways! So, the files or folders that I could not find to delete were the c:\windows\system\nsvsvc, c:\windows\system\javnpu.exe and c:\windows\system\netapi.exe. There was no Delfin or AlwaysUpdateNews in my Add/Remove Programs, and the only thing I noticed that I didn't really know what it was was OIN. Here is the new HijackThis log, and as far as my system, still popups!!! Even when I rebooted in normal!!
Logfile of HijackThis v1.99.1
Scan saved at 11:15:45 AM, on 8/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
thanks again!
#14
Posted 24 August 2005 - 09:55 AM
Let's see if this scan will work for us.
1. Please go here and download the free 30 day trial for Trojan Hunter.
Save the program to a place where you can find it easily, like your desktop. Then once saved you need to install Trojan Hunter onto your computer. Then it will prompt you to update the definitions, please do so at this time.
2. Reboot into Safe Mode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!
3. Once in safe mode open up Trojan Hunter.
1. Push the full scan button at the top left hand corner of the program.
2. Then once the scan completes, please remove all trojans found on the system by checking the individual infections, then clicking on Clean.
3. Once the clean is complete, please copy the scan log and paste it into the next reply.
4. Reboot into normal mode at this time.
5. Then please rescan with HijackThis and paste a new log into this thread for me to review. Please let me know how your system is running at this time.
Thank you,
Snickets
#15
Posted 25 August 2005 - 10:17 AM
So I already had Trojan Hunter, and when I went into safe mode to run it, it would scan, but the window that allows you to clean never came up, so it didn't really do anything. I ran it in normal mode and cleaned the scan, but the computer is getting worse! I think I deleted something by accident because now when I open the internet, a message keeps popping up that says "iExplore has caused an error in MSVCRT.dll, explorer will now close." So I can't really do anything on that computer with the internet! I am using a different computer to write this to you. Also, even more pop-ups are happening. I ran all my spyware detector programs and it is not showing me anything! I think this might be hopeless!! What can I try now?