This topic is lockedPost the results for me
Thanks
Multiple Window Pop-ups [RESOLVED]
Started by
lilpippy
, Sep 02 2005 10:22 PM
#16
Posted 03 September 2005 - 09:42 PM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
Post the results for me
Thanks
#17
Posted 03 September 2005 - 10:05 PM
lilpippy
- Topic Starter
-
- Member
-
- 26 posts
Member
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"TCASUTIEXE"="TCAUDIAG -off"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb07.exe"
"HPHmon04"="C:\\WINDOWS\\SYSTEM\\HPHMON04.EXE"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Speed racer"="C:\\Program Files\\Creative\\PlayCenter\\CTSRReg.exe"
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"78OQ1Y84"="\\Progra~1\\78OQ1Y84\\78OQ1Y84.exe"
"r78i36j"="WMPSVINN.EXE"
"snss Launcher"="\"C:\\Program Files\\snss\\snss.exe\""
"STOPzilla"="C:\\PROGRAM FILES\\STOPZILLA!\\STOPZILLA.EXE /autostart"
"devldr16.exe"="C:\\WINDOWS\\SYSTEM\\devldr16.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll
Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Subkey --- SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD}
C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\SYSTEM\DOCPROP2.DLL
==============================
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
==============================
C:\WINDOWS\Start Menu\Programs\StartUp
America Online 9.0 Tray Icon.lnk
Microsoft Office.lnk
prui.exe
==============================
C:\WINDOWS\SYSTEM cpl files
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
WUAUCPL.CPL Microsoft Corporation
ACCESS.CPL Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
CTDetect.cpl Creative Technology Ltd.
Audiohq.cpl Creative Technology Ltd.
jpicpl32.cpl Sun Microsystems
vgactl.cpl
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"TCASUTIEXE"="TCAUDIAG -off"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb07.exe"
"HPHmon04"="C:\\WINDOWS\\SYSTEM\\HPHMON04.EXE"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Speed racer"="C:\\Program Files\\Creative\\PlayCenter\\CTSRReg.exe"
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"78OQ1Y84"="\\Progra~1\\78OQ1Y84\\78OQ1Y84.exe"
"r78i36j"="WMPSVINN.EXE"
"snss Launcher"="\"C:\\Program Files\\snss\\snss.exe\""
"STOPzilla"="C:\\PROGRAM FILES\\STOPZILLA!\\STOPZILLA.EXE /autostart"
"devldr16.exe"="C:\\WINDOWS\\SYSTEM\\devldr16.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll
Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Subkey --- SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD}
C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\SYSTEM\SHELL32.DLL
Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\SYSTEM\DOCPROP2.DLL
==============================
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
==============================
C:\WINDOWS\Start Menu\Programs\StartUp
America Online 9.0 Tray Icon.lnk
Microsoft Office.lnk
prui.exe
==============================
C:\WINDOWS\SYSTEM cpl files
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
WUAUCPL.CPL Microsoft Corporation
ACCESS.CPL Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
CTDetect.cpl Creative Technology Ltd.
Audiohq.cpl Creative Technology Ltd.
jpicpl32.cpl Sun Microsystems
vgactl.cpl
#18
Posted 03 September 2005 - 10:12 PM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
Im sorry its the other one .....FindQoologic..That I need to see 
#19
Posted 03 September 2005 - 10:18 PM
lilpippy
- Topic Starter
-
- Member
-
- 26 posts
Member
I knew that...LOL My 3 year old woke up up too early today and no nap for her so no rest for me!! Looks like they are still there:
ld Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\KFFSJSD.DLL
* winsync C:\WINDOWS\OERAN.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\OERAN.DLL
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\RDXMNBQ.EXE
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\SYSTEM\VGACTL.CPL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
ld Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\KFFSJSD.DLL
* winsync C:\WINDOWS\OERAN.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\OERAN.DLL
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\RDXMNBQ.EXE
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\SYSTEM\VGACTL.CPL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
#20
Posted 03 September 2005 - 10:30 PM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
I knew that...LOL My 3 year old woke up up too early today and no nap for her so no rest for me!!
Boy do I know that feeling
Ok lets go after it again with a little different method
Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"
C:\WINDOWS\OERAN.DLL
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\RDXMNBQ.EXE
C:\WINDOWS\SYSTEM\VGACTL.CPL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\OERAN.DLL
c:\windows\system\nnwbqn.exe
C:\WINDOWS\4sxsgl.exe
As you Paste each entry into Killbox,place a tick by any of these Selections available
"Delete on Reboot"
"Unregister .dll before Deleting"
Click the Red Circle with the White X in the Middle to Delete!
Post back a new find Quoologic log and a hijack log please
#21
Posted 03 September 2005 - 10:53 PM
lilpippy
- Topic Starter
-
- Member
-
- 26 posts
Member
HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:55:08 PM, on 9/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOXA.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B7AB6789-6F67-4EEA-B8D3-0BC4DFC34AED} - (no file)
O2 - BHO: (no name) - {8C7B6EA3-4D1A-46DE-9F34-EA4A5F1F6C1F} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [78OQ1Y84] \Progra~1\78OQ1Y84\78OQ1Y84.exe
O4 - HKLM\..\Run: [nnwbqn] c:\windows\system\nnwbqn.exe
O4 - HKLM\..\Run: [r78i36j] WMPSVINN.EXE
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sxsgl.exe reg_run
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [UMDVAE] C:\WINDOWS\SYSTEM\UMDVAE.exe
O4 - HKCU\..\Run: [DLLPI3] C:\WINDOWS\SYSTEM\DLLPI3.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: prui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedoll...age/XUpload.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O20 - Winlogon Notify: STOPzilla - IS3WLHandler.dll (file missing)
****************************************************
UGGGGGGGGGGGGGGGGGGGGGG...STILL THERE
Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\KFFSJSD.DLL
* winsync C:\WINDOWS\OERAN.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\OERAN.DLL
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\RDXMNBQ.EXE
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\SYSTEM\VGACTL.CPL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
Logfile of HijackThis v1.99.1
Scan saved at 11:55:08 PM, on 9/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOXA.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B7AB6789-6F67-4EEA-B8D3-0BC4DFC34AED} - (no file)
O2 - BHO: (no name) - {8C7B6EA3-4D1A-46DE-9F34-EA4A5F1F6C1F} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [78OQ1Y84] \Progra~1\78OQ1Y84\78OQ1Y84.exe
O4 - HKLM\..\Run: [nnwbqn] c:\windows\system\nnwbqn.exe
O4 - HKLM\..\Run: [r78i36j] WMPSVINN.EXE
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sxsgl.exe reg_run
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [UMDVAE] C:\WINDOWS\SYSTEM\UMDVAE.exe
O4 - HKCU\..\Run: [DLLPI3] C:\WINDOWS\SYSTEM\DLLPI3.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: prui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedoll...age/XUpload.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O20 - Winlogon Notify: STOPzilla - IS3WLHandler.dll (file missing)
****************************************************
UGGGGGGGGGGGGGGGGGGGGGG...STILL THERE
Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\KFFSJSD.DLL
* winsync C:\WINDOWS\OERAN.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\OERAN.DLL
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\RDXMNBQ.EXE
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\SYSTEM\VGACTL.CPL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
#22
Posted 03 September 2005 - 11:11 PM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
This will be my last post tonight need to rethink this and go to bed 
Ive added a file to delete and changed the killbox deletion. Thanks for being patient. we will get this
Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\OERAN.DLL
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\RDXMNBQ.EXE
C:\WINDOWS\SYSTEM\VGACTL.CPL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\OERAN.DLL
c:\windows\system\nnwbqn.exe
C:\WINDOWS\4sxsgl.exe
As you Paste each entry into Killbox,place a tick by any of these Selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
Click the Red Circle with the White X in the Middle to Delete!
* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
Ive added a file to delete and changed the killbox deletion. Thanks for being patient. we will get this
Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\OERAN.DLL
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\4SXSGL.EXE
C:\WINDOWS\RDXMNBQ.EXE
C:\WINDOWS\SYSTEM\VGACTL.CPL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
C:\WINDOWS\KFFSJSD.DLL
C:\WINDOWS\OERAN.DLL
c:\windows\system\nnwbqn.exe
C:\WINDOWS\4sxsgl.exe
As you Paste each entry into Killbox,place a tick by any of these Selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
Click the Red Circle with the White X in the Middle to Delete!
* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
#23
Posted 04 September 2005 - 12:00 AM
lilpippy
- Topic Starter
-
- Member
-
- 26 posts
Member
The only thing it would not delete was the wuauclt file. OK...I''m headed to bed!! Thanks for all the help so far!! What a challenge. I hold an CIS associated and an MIS batchelor degree and this stuff stuff baffles me!! I feel really bad for those that have NO idea what is happening to their computers!!
*********************************************************
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet" ["Yahoo! Inc."]
"Spyware Doctor" = ""C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q" ["PCTools"]
"UMDVAE" = "C:\WINDOWS\SYSTEM\UMDVAE.exe" [file not found]
"DLLPI3" = "C:\WINDOWS\SYSTEM\DLLPI3.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"TCASUTIEXE" = "TCAUDIAG -off" ["0"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb07.exe" ["HP"]
"HPHmon04" = "C:\WINDOWS\SYSTEM\HPHMON04.EXE" ["Hewlett-Packard"]
"HPHUPD04" = ""C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"" [file not found]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"Speed racer" = "C:\Program Files\Creative\PlayCenter\CTSRReg.exe" ["Creative Technology Ltd."]
"AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"78OQ1Y84" = "\Progra~1\78OQ1Y84\78OQ1Y84.exe" [file not found]
"nnwbqn" = "c:\windows\system\nnwbqn.exe" [file not found]
"r78i36j" = "WMPSVINN.EXE" [file not found]
"snss Launcher" = ""C:\Program Files\snss\snss.exe"" [file not found]
"autoupdate" = "rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart" [MS]
"winsync" = "C:\WINDOWS\4sxsgl.exe reg_run" [file not found]
"STOPzilla" = "C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart" [file not found]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"ccEvtMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]
"AolAcsDaemon1" = ""C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"" ["America Online, Inc."]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Desktop\May 6 05 Kaleigh Beautiful.jpg"
WIN.INI & SYSTEM.INI launch points:
-----------------------------------
SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR" (3D Flower Box.scr) [MS]
Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------
C:\WINDOWS\Start Menu\Programs\StartUp
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Enabled Scheduled Tasks:
------------------------
"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL" ["IE Toolbar"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL" ["IE Toolbar"]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL" ["TechSmith Corporation"]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Shdocvw.dll" [MS]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL" ["Yahoo! Inc."]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\MSJAVA.DLL" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"
Missing lines (compared with English-language version):
[Strings]: 2 lines
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 31 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 63 seconds)
*********************************************************
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet" ["Yahoo! Inc."]
"Spyware Doctor" = ""C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q" ["PCTools"]
"UMDVAE" = "C:\WINDOWS\SYSTEM\UMDVAE.exe" [file not found]
"DLLPI3" = "C:\WINDOWS\SYSTEM\DLLPI3.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"TCASUTIEXE" = "TCAUDIAG -off" ["0"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb07.exe" ["HP"]
"HPHmon04" = "C:\WINDOWS\SYSTEM\HPHMON04.EXE" ["Hewlett-Packard"]
"HPHUPD04" = ""C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"" [file not found]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"Speed racer" = "C:\Program Files\Creative\PlayCenter\CTSRReg.exe" ["Creative Technology Ltd."]
"AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"78OQ1Y84" = "\Progra~1\78OQ1Y84\78OQ1Y84.exe" [file not found]
"nnwbqn" = "c:\windows\system\nnwbqn.exe" [file not found]
"r78i36j" = "WMPSVINN.EXE" [file not found]
"snss Launcher" = ""C:\Program Files\snss\snss.exe"" [file not found]
"autoupdate" = "rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart" [MS]
"winsync" = "C:\WINDOWS\4sxsgl.exe reg_run" [file not found]
"STOPzilla" = "C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart" [file not found]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"ccEvtMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]
"AolAcsDaemon1" = ""C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"" ["America Online, Inc."]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Desktop\May 6 05 Kaleigh Beautiful.jpg"
WIN.INI & SYSTEM.INI launch points:
-----------------------------------
SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR" (3D Flower Box.scr) [MS]
Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------
C:\WINDOWS\Start Menu\Programs\StartUp
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Enabled Scheduled Tasks:
------------------------
"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL" ["IE Toolbar"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL" ["IE Toolbar"]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL" ["TechSmith Corporation"]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Shdocvw.dll" [MS]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL" ["Yahoo! Inc."]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\MSJAVA.DLL" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"
Missing lines (compared with English-language version):
[Strings]: 2 lines
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 31 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 63 seconds)
#24
Posted 04 September 2005 - 12:26 AM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
So we did get those files. run and post the find quoologic
~ Fingers crossed ~
~ Fingers crossed ~
#25
Posted 04 September 2005 - 09:15 AM
lilpippy
- Topic Starter
-
- Member
-
- 26 posts
Member
PRUI and the WUAUCLT.DLL are still there...others are gone. Received a BUNCH of popups this morning about missing DLL files but restarted and they are all gone now.
******************************************************************
Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\TLXORIN.DLL
* winsync C:\WINDOWS\RKQWE.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
******************************************************************
Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\TLXORIN.DLL
* winsync C:\WINDOWS\RKQWE.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
#26
Posted 04 September 2005 - 12:14 PM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
Good some progress lets go after them again
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {B7AB6789-6F67-4EEA-B8D3-0BC4DFC34AED} - (no file)
O2 - BHO: (no name) - {8C7B6EA3-4D1A-46DE-9F34-EA4A5F1F6C1F} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [78OQ1Y84] \Progra~1\78OQ1Y84\78OQ1Y84.exe
O4 - HKLM\..\Run: [nnwbqn] c:\windows\system\nnwbqn.exe
O4 - HKLM\..\Run: [r78i36j] WMPSVINN.EXE
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sxsgl.exe reg_run
O4 - Startup: prui.exe
Now close all windows other than HiJackThis, then click Fix Checked. .
Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
C:\WINDOWS\TLXORIN.DLL
C:\WINDOWS\RKQWE.DLL
Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES.
Post back a new Hijack log and a Find quoologic log
lets go after them againPlease re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {B7AB6789-6F67-4EEA-B8D3-0BC4DFC34AED} - (no file)
O2 - BHO: (no name) - {8C7B6EA3-4D1A-46DE-9F34-EA4A5F1F6C1F} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [78OQ1Y84] \Progra~1\78OQ1Y84\78OQ1Y84.exe
O4 - HKLM\..\Run: [nnwbqn] c:\windows\system\nnwbqn.exe
O4 - HKLM\..\Run: [r78i36j] WMPSVINN.EXE
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\4sxsgl.exe reg_run
O4 - Startup: prui.exe
Now close all windows other than HiJackThis, then click Fix Checked. .
Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
C:\WINDOWS\TLXORIN.DLL
C:\WINDOWS\RKQWE.DLL
Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES.
Post back a new Hijack log and a Find quoologic log
Edited by loophole, 04 September 2005 - 12:15 PM.
#27
Posted 04 September 2005 - 01:29 PM
lilpippy
- Topic Starter
-
- Member
-
- 26 posts
Member
Qoologic log: PRUI still there:
Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\TLXORIN.DLL
* winsync C:\WINDOWS\RKQWE.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
***********************************************
HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 2:32:13 PM, on 9/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\WINDOWS\RDGIPA.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [78OQ1Y84] \Progra~1\78OQ1Y84\78OQ1Y84.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rdgipa.exe reg_run
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [UMDVAE] C:\WINDOWS\SYSTEM\UMDVAE.exe
O4 - HKCU\..\Run: [DLLPI3] C:\WINDOWS\SYSTEM\DLLPI3.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: prui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedoll...age/XUpload.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O20 - Winlogon Notify: STOPzilla - IS3WLHandler.dll (file missing)
Find Qoologic last edited 9/02/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\TLXORIN.DLL
* winsync C:\WINDOWS\RKQWE.DLL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\PRUI.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
C:\WINDOWS\SYSTEM\WUAUCLT.DLL
C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\PRUI.EXE
***********************************************
HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 2:32:13 PM, on 9/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\WINDOWS\RDGIPA.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [78OQ1Y84] \Progra~1\78OQ1Y84\78OQ1Y84.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rdgipa.exe reg_run
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [UMDVAE] C:\WINDOWS\SYSTEM\UMDVAE.exe
O4 - HKCU\..\Run: [DLLPI3] C:\WINDOWS\SYSTEM\DLLPI3.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: prui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.sparedoll...age/XUpload.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O20 - Winlogon Notify: STOPzilla - IS3WLHandler.dll (file missing)
#28
Posted 04 September 2005 - 01:45 PM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
UGH! we need that winpfind log Let me search around and see if I can figure out why you cant run it
#29
Posted 04 September 2005 - 01:47 PM
lilpippy
- Topic Starter
-
- Member
-
- 26 posts
Member
I know most of the scans that show the files as they are scanning, hit the _RECOVERY that is a hidden file just off the C: drive. It's 2.6 gig and it takes FOREVER to run anything. I did the SPYWARE doctor the first time and it took 3 1/2 hours to do the full scan.
Errin
Errin
#30
Posted 04 September 2005 - 01:50 PM
loophole
-
- Retired Staff
-
- 9,798 posts
Malware Expert
OK Be back when I get some answers 
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
