Ad.Yieldmanager [RESOLVED]


This topic is locked.

#1
YourStudent (Member, 10 posts)
Hello. I have reviewed your previous advice on this subject and I haven't been able to resolve it. Let me first say Thank You for your help, in advance. Ok.
I have run Ad-Aware, Registry Mechanic, SpybotSE, CWShredder, and Clean Up.
I have also done a Panda Scan and updated Windows as well. I will post my HijackThis log below with hidden files exposed. I appreciate any assistance.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:22 PM, on 9/8/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\ZPFUJJ.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\RGNZUD.EXE
C:\WINDOWS\SYSTEM\SGKOZR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\FPMQF.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\!UPDATE.EXE
C:\PROGRAM FILES\BHAT\TBAR.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - blank (file missing)
O2 - BHO: (no name) - {8C9D7D21-E5CF-E868-ED58-BABE497A64C2} - C:\WINDOWS\SYSTEM\NITWYPF.DLL
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\SYSTEM\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\Run: [Command] C:\WINDOWS\ZGVmYXVsdAAA\command.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\nlkumh.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rgnzud.exe reg_run
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\AYRKGJ.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\SGKOZR.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Wiplm] \fpmqf.exe
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: pudc.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab

Edited by YourStudent, 08 September 2005 - 07:02 PM.



#2
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello.

Sorry for the delayed response; it has been very busy lately.

If you still require help, please post a new HijackThis log in this thread and I will help you. If your problem has been fixed, please respond and let us know.

Thanks

#3
YourStudent (Topic Starter, Member, 10 posts)
Hi. Thank You. Yes, I do still need help. Here is my new log.

Logfile of HijackThis v1.99.1
Scan saved at 4:57:06 PM, on 9/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ZPFUJJ.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\RGNZUD.EXE
C:\WINDOWS\SYSTEM\SGKOZR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\FPMQF.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\BHAT\TBAR.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - blank (file missing)
O2 - BHO: (no name) - {8C9D7D21-E5CF-E868-ED58-BABE497A64C2} - C:\WINDOWS\SYSTEM\NITWYPF.DLL
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\SYSTEM\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\Run: [Command] C:\WINDOWS\ZGVmYXVsdAAA\command.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\nlkumh.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rgnzud.exe reg_run
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\AYRKGJ.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\SGKOZR.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Wiplm] \fpmqf.exe
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: pudc.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab

#4
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello and welcome to Geeks to Go.

I see you have been infected by malware. Let's get you fixed up.
Please follow the directions as closely as you can. Let's begin.

Download LQfix Here and save it to your desktop, but do not use it yet.

Download and install CleanUp! Here, but do not run it yet.
*NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clicktoma...rch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - blank (file missing)
O2 - BHO: (no name) - {8C9D7D21-E5CF-E868-ED58-BABE497A64C2} - C:\WINDOWS\SYSTEM\NITWYPF.DLL
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\Run: [Command] C:\WINDOWS\ZGVmYXVsdAAA\command.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\AYRKGJ.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\SGKOZR.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Wiplm] \fpmqf.exe
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

MEDIA ACCESS
NaviSearch
SURFSIDEKICK 3
Cas
bhat

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders using Windows Explorer (if present):

C:\PROGRAM FILES\MEDIA ACCESS
C:\Program Files\NaviSearch
C:\PROGRAM FILES\SURFSIDEKICK 3
C:\Program Files\Cas
C:\WINDOWS\ZGVmYXVsdAAA
C:\Program Files\bhat

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\SYSTEM\PSof1.exe
c:\windows\system\zpfujj.exe
C:\WINDOWS\SYSTEM\AYRKGJ.exe
C:\WINDOWS\SYSTEM\SGKOZR.exe
AUNPS2.DLL <<<<<<<<<<<<<<<<<<<<<<<<<<< You will have to search for these two
fpmqf.exe

Now run cleanup

Now run the LQfix

Reboot


Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!


Post the WinPFind results, the Track qoo results and a new HijackThis log.

Thanks
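A small triage helper covering both the re-posted log in #3 and the cleanup steps in #4, written as an added example for this thread (it is not code from the thread, from HijackThis or from Geeks to Go). It parses HijackThis findings into keyed records, diffs constructed excerpts of the two logs YourStudent posted (between them the [autoupdate] value's DLL changed from DATADX.DLL to WUAUCLT.DLL, a name resembling the Windows Update client, while the rest of the O4 list stayed put, and a Yahoo! Pyramids O16 entry appeared), and turns a subset of the O4 lines loophole marked for Fix checked into the registry values, files, bare names to search for, and folders that post #4 lists. The folder heuristic in `cleanup_plan` and the sample excerpts are this example's own assumptions, not HijackThis logic.

```python
"""Triage helpers for HijackThis logs (added example; sample lines are constructed
excerpts of the logs posted in this thread)."""
import re
from typing import Dict, List

# Registry-backed O4 lines look like:  O4 - HKLM\..\Run: [ValueName] command line
O4_REG = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.*)$")
# Any other finding (R1 search hijack, O2 BHO, O4 Startup, O16 DPF, ...)
OTHER = re.compile(r"^[RFO]\d+ - ")
# A command may be wrapped in rundll32 and/or quotes; the real target is the first .exe/.dll
LAUNCHER = re.compile(r"^rundll32(?:\.exe)?\s+", re.I)
TARGET = re.compile(r'^"?(.*?\.(?:exe|dll))', re.I)


def parse_log(text: str) -> Dict[str, str]:
    """Key each finding so two logs can be compared: registry O4 entries by hive/key +
    value name (command as value), so a re-dropped binary under the same value name is
    reported as a change, not a removal plus an addition; any other finding by its
    full line. Header lines and the 'Running processes' list are ignored."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_REG.match(line)
        if m:
            entries[f"O4 {m.group(1)} [{m.group(2)}]"] = m.group(3)
        elif OTHER.match(line):
            entries[line] = line
    return entries


def diff_logs(old: str, new: str) -> Dict[str, list]:
    """Report what appeared, disappeared or changed between two logs of the same box."""
    a, b = parse_log(old), parse_log(new)
    return {
        "removed": sorted(k for k in a if k not in b),
        "added": sorted(k for k in b if k not in a),
        "changed": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


def target_path(command: str) -> str:
    """Return the executable or DLL that a Run-key command actually loads."""
    command = LAUNCHER.sub("", command.strip())
    m = TARGET.match(command)
    return m.group(1) if m else command


def cleanup_plan(flagged: List[str]) -> Dict[str, List[str]]:
    """Group the artefacts behind flagged O4 lines the way post #4 does. Assumed
    heuristic (not HijackThis logic): a file directly in WINDOWS or WINDOWS\\SYSTEM is
    deleted on its own; a file inside Program Files\\<vendor> or a private folder under
    WINDOWS takes that folder with it; a target without a drive letter must be searched
    for first. R1/O2/O9 lines need no file action here; Fix checked removes them."""
    plan: Dict[str, List[str]] = {"registry_values": [], "files": [], "search_for": [], "folders": []}
    for line in flagged:
        m = O4_REG.match(line.strip())
        if not m:
            continue
        plan["registry_values"].append(f"{m.group(1)} [{m.group(2)}]")
        path = target_path(m.group(3))
        parts = path.lstrip("\\").split("\\")
        if not re.match(r"^[A-Za-z]:", path):
            plan["search_for"].append(parts[-1])
            continue
        parent = "\\".join(parts[:-1]).upper()
        if parent.endswith("\\WINDOWS") or parent.endswith("\\WINDOWS\\SYSTEM"):
            plan["files"].append(path)
            continue
        pf = next((i for i, p in enumerate(parts) if p.upper() == "PROGRAM FILES"), None)
        folder = "\\".join(parts[: pf + 2] if pf is not None else parts[:-1])
        if folder not in plan["folders"]:
            plan["folders"].append(folder)
    return plan


# Constructed excerpts of the 9/8 and 9/12 logs from this thread
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\ZPFUJJ.EXE

O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKCU\..\Run: [Wiplm] \fpmqf.exe
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
"""
NEW_LOG = OLD_LOG.replace("DATADX.DLL", "WUAUCLT.DLL") + \
    "O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab\n"

# A subset of the lines post #4 asks to fix
FLAGGED = [
    r"O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe",
    r"O4 - HKLM\..\Run: [Command] C:\WINDOWS\ZGVmYXVsdAAA\command.exe",
    r"O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe",
    r"O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe",
    r"O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16",
    r'O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"',
    r"O4 - HKCU\..\Run: [Wiplm] \fpmqf.exe",
]

if __name__ == "__main__":
    for kind, items in diff_logs(OLD_LOG, NEW_LOG).items():
        print(kind, items)
    for kind, items in cleanup_plan(FLAGGED).items():
        print(kind, items)
```

Keying O4 entries by value name is what makes the rename visible: a plain line diff would show one line removed and one added, while this reports a single changed value, which is the pattern to look for when a helper asks for a fresh log after a fix attempt.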

#5
YourStudent (Topic Starter, Member, 10 posts)
Hi. I have completed your instructions and will post the requested information below. I hope we're making progress!


TRACK QOO

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Hidserv"="Hidserv.exe run"
"CountrySelection"="pctptt.exe"
"PCTVOICE"="pctvoice.exe"
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\cpqeadm.exe"
"EACLEAN"="C:\\Program Files\\Compaq\\Easy Access Button Support\\eaclean.exe"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"CPQInet"="c:\\compaq\\CPQInet\\CpqInet.exe"
"Digital Dashboard"="C:Program Files\\Compaq\\Digital Dashboard\\DevGulp.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb05.exe"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\SYSTEM\\PRISMSVR.EXE\" /APPLY"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"IPInSightMonitor 01"="\"C:\\PROGRAM FILES\\SBC YAHOO!\\CONNECTION MANAGER\\IP INSIGHT\\IPMon32.exe\""
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"KavSvc"="C:\\WINDOWS\\nlkumh.exe reg_run"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WUAUCLT.DLL,SHStart"
"winsync"="C:\\WINDOWS\\rgnzud.exe reg_run"
"zpfujj"="c:\\windows\\system\\zpfujj.exe"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\SYSTEM\DOCPROP2.DLL

==============================
C:\WINDOWS\All Users\Start Menu\Programs\StartUp

==============================
C:\WINDOWS\Start Menu\Programs\StartUp

Microsoft Works Calendar Reminders.lnk
Compaq Knowledge Center.lnk
pudc.exe
==============================
C:\WINDOWS\SYSTEM cpl files


INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
WUAUCPL.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
ACCESS.CPL Microsoft Corporation
PTCTRL.CPL PCtel, Inc.
UICONFIG.cpl Compaq Computer Corporation
DIGDASH.cpl Compaq Computer Corporation
cch.cpl
QuickTime.cpl Apple Computer, Inc.
vgactl.cpl


WinPFind

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 9/3/2005 11:01:54 AM 46080 C:\InstallAPS.exe
UPX! 9/8/2005 8:57:32 PM 121433 C:\mc-58-12-0000106.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
KavSvc 9/13/2005 7:22:22 PM RH 2093088 C:\WINDOWS\SYSTEM.DAT
abetterinternet.com 9/13/2005 7:22:22 PM RH 2093088 C:\WINDOWS\SYSTEM.DAT
winsync 9/13/2005 7:22:22 PM RH 2093088 C:\WINDOWS\SYSTEM.DAT

Items found in C:\WINDOWS\hosts

69.59.186.63 9/13/2005 7:13:54 PM 181760 C:\WINDOWS\txknolk.dll
209.66.67.134 9/13/2005 7:13:54 PM 181760 C:\WINDOWS\txknolk.dll
web-nex 9/13/2005 7:13:54 PM 181760 C:\WINDOWS\txknolk.dll
winsync 9/13/2005 7:13:54 PM 181760 C:\WINDOWS\txknolk.dll
69.59.186.63 9/13/2005 7:13:56 PM 133120 C:\WINDOWS\rqgkl.dll
209.66.67.134 9/13/2005 7:13:56 PM 133120 C:\WINDOWS\rqgkl.dll
web-nex 9/13/2005 7:13:56 PM 133120 C:\WINDOWS\rqgkl.dll
winsync 9/13/2005 7:13:56 PM 133120 C:\WINDOWS\rqgkl.dll
UPX! 8/31/2005 6:48:40 PM 18944 C:\WINDOWS\icont.exe
abetterinternet.com 7/26/2001 2:46:14 AM 3278 C:\WINDOWS\abiuninst.htm
UPX! 9/13/2005 7:13:30 PM RHS 82432 C:\WINDOWS\ru.exe

Checking %System% folder...
Umonitor 8/30/2005 6:23:50 PM 405504 C:\WINDOWS\SYSTEM\ALHOOK.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MEIDLE.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SGC.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\CYGMGR32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MDRLE32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AVTXPRXY.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\JYCRIPT.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ILDll300.dll
69.59.186.63 9/8/2005 9:03:30 PM 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
209.66.67.134 9/8/2005 9:03:30 PM 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
66.63.167.97 9/8/2005 9:03:30 PM 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
66.63.167.77 9/8/2005 9:03:30 PM 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
web-nex 9/8/2005 9:03:30 PM 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
winsync 9/8/2005 9:03:30 PM 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
rec2_run 9/8/2005 9:03:30 PM 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IRSCONFG.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DZEML.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MO3216.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DTBENG.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DVDIM.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\JVAW400.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DOUSIC16.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SIRMDLL.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DKDXOF.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lytga11n.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AOIFIL32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\RLVPSP.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IZNPSTUB.DLL
PTech 3/1/2005 1:00:04 AM 1438497 C:\WINDOWS\SYSTEM\GKSKEVu1.xml
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WYNTRUST.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\iqfxsrvc.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MQTIME.DLL
FSG! 12/13/2004 7:55:34 AM 398742 C:\WINDOWS\SYSTEM\GKSKEVk1.xml
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OTBCCU32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OFESVR.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MMDEMUI.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OLCOM400.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SCC.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\VVODEC32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DNWSOCK.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NTSWAN16.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ORBCCR32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\mpvbvm60.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\CDET16.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\JWAW400.DLL
FSG! 12/13/2004 7:55:34 AM 398742 C:\WINDOWS\SYSTEM\VCHUOEk1.xml
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\HQAGENT.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WKW32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ljeps11n.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SNGR.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DAMODEMX.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\nYbapi32.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IEIGN32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MIUNI11.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MDXDM.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DCMV2CLT.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\UNL.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SJI_CI.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DZDIM.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\FCNTEXT.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DEUSIC.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MHCANS32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WVERRENU.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WQ5INF32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WTADRVUD.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IOSCONFG.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AGRACE.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ieetcomm.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NXTAPI32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\RCAUI.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SBI_CI.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MRNP32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OSEAUT32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WWNASPI.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NGTOS.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\QVVD.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lzbmp11n.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OSDBSE32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\YXRWin32.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MNIDLE.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lneps11n.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ANNPS2.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DYRAW.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MXXML.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WFV3IS.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\mnpatcha.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\PMNMAP.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AIRESX32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\QUDIT.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WDNTRUST.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\RYUTETAB.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SGDOCVW.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lmwmf11n.dll
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NOINST32.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AFIFILE.DLL
Umonitor 8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IYM32.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/13/2005 7:23:14 PM RH 675872 C:\WINDOWS\USER.DAT
9/13/2005 7:28:06 PM RH 2093088 C:\WINDOWS\SYSTEM.DAT
9/13/2005 7:20:28 PM RH 3215392 C:\WINDOWS\CLASSES.DAT
9/13/2005 7:12:18 PM H 8843 C:\WINDOWS\ttfCache
8/30/2005 3:07:22 AM H 60 C:\WINDOWS\ppbsb
9/13/2005 7:20:38 PM H 465084 C:\WINDOWS\ShellIconCache
9/13/2005 7:13:30 PM RHS 82432 C:\WINDOWS\ru.exe
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\CGGMGR32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MEIDLE.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SGC.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MNDOCS.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\CYGMGR32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MDRLE32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AVTXPRXY.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\JYCRIPT.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ILDll300.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IRSCONFG.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DZEML.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MO3216.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DTBENG.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DVDIM.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\JVAW400.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DOUSIC16.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SIRMDLL.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DKDXOF.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lytga11n.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AOIFIL32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\RLVPSP.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IZNPSTUB.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WYNTRUST.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\iqfxsrvc.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MQTIME.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OTBCCU32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OFESVR.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MMDEMUI.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OLCOM400.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SCC.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\VVODEC32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DNWSOCK.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NTSWAN16.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ORBCCR32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\mpvbvm60.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\CDET16.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\JWAW400.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\HQAGENT.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WKW32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ljeps11n.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SNGR.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DAMODEMX.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\nYbapi32.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IEIGN32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MIUNI11.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MDXDM.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DCMV2CLT.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\UNL.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SJI_CI.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DZDIM.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\FCNTEXT.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DEUSIC.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MHCANS32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WVERRENU.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WQ5INF32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WTADRVUD.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IOSCONFG.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AGRACE.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ieetcomm.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NXTAPI32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\RCAUI.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SBI_CI.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MRNP32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OSEAUT32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WWNASPI.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NGTOS.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\QVVD.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lzbmp11n.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\OSDBSE32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\YXRWin32.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MNIDLE.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lneps11n.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\ANNPS2.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\DYRAW.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MXXML.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WFV3IS.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\mnpatcha.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\PMNMAP.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AIRESX32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\QUDIT.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\WDNTRUST.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\RYUTETAB.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\SGDOCVW.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\lmwmf11n.dll
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\NOINST32.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\AFIFILE.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\MMXML.DLL
8/30/2005 6:23:50 PM R S 405504 C:\WINDOWS\SYSTEM\IYM32.DLL
9/13/2005 7:22:20 PM H 31994 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
9/13/2005 7:13:04 PM H 6 C:\WINDOWS\TASKS\SA.DAT
9/13/2005 7:13:32 PM HS 194 C:\WINDOWS\TASKS\RUTASK.job
9/13/2005 7:21:58 PM HS 2586 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
8/31/2005 8:10:08 PM HS 67 C:\WINDOWS\Temporary Internet Files\desktop.ini
9/3/2005 2:24:08 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
9/8/2005 7:30:56 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\0EOBVYCH\desktop.ini
9/3/2005 2:25:46 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\78LDMCEE\desktop.ini
9/3/2005 2:25:46 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\AB1T312G\desktop.ini
9/3/2005 2:25:46 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\W1M385Q7\desktop.ini
9/3/2005 2:25:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WKNEEH7G\desktop.ini
9/3/2005 2:25:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ZD5CKFAX\desktop.ini
9/3/2005 2:25:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\OXYJGX63\desktop.ini
9/8/2005 7:22:28 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\C1NXM5WP\desktop.ini
9/8/2005 7:25:10 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\KPQ3KTAZ\desktop.ini
9/8/2005 7:31:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\01234567\desktop.ini
9/3/2005 2:27:56 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\5A52GFXP\desktop.ini
9/3/2005 2:27:56 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\KJQF2XK3\desktop.ini
9/3/2005 2:28:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\KXIRCDQJ\desktop.ini
9/3/2005 2:30:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\BBS8A5SD\desktop.ini
9/3/2005 2:30:56 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\KBK5STG5\desktop.ini
9/8/2005 7:25:16 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\O5650DWL\desktop.ini
7/20/2005 10:51:26 PM HS 96 C:\WINDOWS\All Users\Application Data\Trymedia\data\{03134AAF-A1B3-690E-9D31-CDE1663EC12E}
8/17/2005 8:28:24 AM HS 118 C:\WINDOWS\Recent\Desktop.ini

Checking for CPL files...
Microsoft Corporation 8/29/2002 7:07:38 AM 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 62464 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 104368 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 5/31/2000 1:17:14 PM 15152 C:\WINDOWS\SYSTEM\WUAUCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 250128 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 111616 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 9/15/2000 5:03:10 PM 389920 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 6/8/2000 5:00:00 PM 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL
PCtel, Inc. 12/19/2000 2:30:58 PM 56320 C:\WINDOWS\SYSTEM\PTCTRL.CPL
Compaq Computer Corporation 10/25/1999 8:27:44 PM 110592 C:\WINDOWS\SYSTEM\UICONFIG.cpl
Compaq Computer Corporation 11/30/2000 4:30:10 PM 385024 C:\WINDOWS\SYSTEM\DIGDASH.cpl
7/27/2000 2:31:26 PM 106496 C:\WINDOWS\SYSTEM\cch.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM\QuickTime.cpl
9/8/2005 9:03:30 PM 31744 C:\WINDOWS\SYSTEM\vgactl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/7/2005 12:06:12 AM 573 C:\WINDOWS\Start Menu\Programs\StartUp\Compaq Knowledge Center.lnk
4/4/2005 7:48:20 PM 585 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk
9/13/2005 7:06:52 PM 417792 C:\WINDOWS\Start Menu\Programs\StartUp\pudc.exe

Checking files in %USERPROFILE%\Application Data folder...
7/26/2004 1:25:38 AM 0 C:\WINDOWS\Application Data\dm.ini
8/30/2005 3:07:30 AM 448479 C:\WINDOWS\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}
CeresObj Class = C:\WINDOWS\CERES.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D05-8F11-11d2-804F-00105A133818}
ButtonText = Translate :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D02-8F11-11d2-804F-00105A133818}
MenuText = &Find Pages Linking to this URL :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D03-8F11-11d2-804F-00105A133818}
MenuText = Find Other Pages on this &Host :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D04-8F11-11d2-804F-00105A133818}
MenuText = AV Live :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
ButtonText = PartyPoker.com : C:\Program Files\PartyPoker\PartyPoker.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL

SystemTray SysTray.Exe

HiJackThis
Logfile of HijackThis v1.99.1
Scan saved at 7:44:18 PM, on 9/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RGNZUD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\BHAT\TBAR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\CONNECTIONMANAGER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\SYSTEM\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\nlkumh.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rgnzud.exe reg_run
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: pudc.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab

#6
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Please download L2m9xfix here:
http://swandog46.gee...om/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file, which should be in the same folder as RunThis.bat.

#7
YourStudent
    Member
  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OK. Here is the new HJT log and other.

Logfile of HijackThis v1.99.1
Scan saved at 8:23:55 PM, on 9/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RGNZUD.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\SYSTEM\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\nlkumh.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rgnzud.exe reg_run
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: pudc.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab

END OF HJT LOG


Log of L2M9XFix v1.01a

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\AFIFILE.DLL
C:\WINDOWS\system\AGRACE.DLL
C:\WINDOWS\system\AIRESX32.DLL
C:\WINDOWS\system\ALHOOK.DLL
C:\WINDOWS\system\ANNPS2.dll
C:\WINDOWS\system\AOIFIL32.DLL
C:\WINDOWS\system\AVTXPRXY.DLL
C:\WINDOWS\system\CDET16.DLL
C:\WINDOWS\system\CGGMGR32.DLL
C:\WINDOWS\system\CYGMGR32.DLL
C:\WINDOWS\system\DAMODEMX.DLL
C:\WINDOWS\system\DCMV2CLT.DLL
C:\WINDOWS\system\DEUSIC.DLL
C:\WINDOWS\system\DKDXOF.DLL
C:\WINDOWS\system\DNWSOCK.DLL
C:\WINDOWS\system\DOUSIC16.DLL
C:\WINDOWS\system\DTBENG.DLL
C:\WINDOWS\system\DVDIM.DLL
C:\WINDOWS\system\DYRAW.DLL
C:\WINDOWS\system\DZDIM.DLL
C:\WINDOWS\system\DZEML.DLL
C:\WINDOWS\system\FCNTEXT.DLL
C:\WINDOWS\system\HQAGENT.DLL
C:\WINDOWS\system\ieetcomm.dll
C:\WINDOWS\system\IEIGN32.DLL
C:\WINDOWS\system\ILDll300.dll
C:\WINDOWS\system\IOSCONFG.DLL
C:\WINDOWS\system\iqfxsrvc.dll
C:\WINDOWS\system\IRSCONFG.DLL
C:\WINDOWS\system\IYM32.DLL
C:\WINDOWS\system\IZNPSTUB.DLL
C:\WINDOWS\system\JVAW400.DLL
C:\WINDOWS\system\JWAW400.DLL
C:\WINDOWS\system\JYCRIPT.DLL
C:\WINDOWS\system\ljeps11n.dll
C:\WINDOWS\system\lmwmf11n.dll
C:\WINDOWS\system\lneps11n.dll
C:\WINDOWS\system\lytga11n.dll
C:\WINDOWS\system\lzbmp11n.dll
C:\WINDOWS\system\MDRLE32.DLL
C:\WINDOWS\system\MDXDM.DLL
C:\WINDOWS\system\MEIDLE.DLL
C:\WINDOWS\system\MHCANS32.DLL
C:\WINDOWS\system\MIUNI11.DLL
C:\WINDOWS\system\MMDEMUI.DLL
C:\WINDOWS\system\MNIDLE.DLL
C:\WINDOWS\system\mnpatcha.dll
C:\WINDOWS\system\MO3216.DLL
C:\WINDOWS\system\mpvbvm60.dll
C:\WINDOWS\system\MQTIME.DLL
C:\WINDOWS\system\MRNP32.DLL
C:\WINDOWS\system\MXXML.DLL
C:\WINDOWS\system\NGTOS.DLL
C:\WINDOWS\system\NOINST32.DLL
C:\WINDOWS\system\NTSWAN16.DLL
C:\WINDOWS\system\NXTAPI32.DLL
C:\WINDOWS\system\nYbapi32.dll
C:\WINDOWS\system\OFESVR.DLL
C:\WINDOWS\system\OLCOM400.DLL
C:\WINDOWS\system\ORBCCR32.DLL
C:\WINDOWS\system\OSDBSE32.DLL
C:\WINDOWS\system\OSEAUT32.DLL
C:\WINDOWS\system\OTBCCU32.DLL
C:\WINDOWS\system\PMNMAP.DLL
C:\WINDOWS\system\QUDIT.DLL
C:\WINDOWS\system\QVVD.DLL
C:\WINDOWS\system\RCAUI.DLL
C:\WINDOWS\system\RLVPSP.DLL
C:\WINDOWS\system\RYUTETAB.DLL
C:\WINDOWS\system\SBI_CI.DLL
C:\WINDOWS\system\SCC.DLL
C:\WINDOWS\system\SGC.DLL
C:\WINDOWS\system\SGDOCVW.DLL
C:\WINDOWS\system\SIRMDLL.DLL
C:\WINDOWS\system\SJI_CI.DLL
C:\WINDOWS\system\SNGR.DLL
C:\WINDOWS\system\SPFTPUB.DLL
C:\WINDOWS\system\UNL.DLL
C:\WINDOWS\system\VVODEC32.DLL
C:\WINDOWS\system\WDNTRUST.DLL
C:\WINDOWS\system\WFV3IS.DLL
C:\WINDOWS\system\WKW32.DLL
C:\WINDOWS\system\WQ5INF32.DLL
C:\WINDOWS\system\WTADRVUD.DLL
C:\WINDOWS\system\WVERRENU.DLL
C:\WINDOWS\system\WWNASPI.DLL
C:\WINDOWS\system\WYNTRUST.DLL
C:\WINDOWS\system\YXRWin32.dll

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{6DA9E520-7DE9-4F98-BE19-39E53B1C0EE4}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\CGGMGR32.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{86352701-C9EC-E5D5-EECD-1BE10BA64B51}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

#8 Swandog46 (Malware Expert, MVP, 1,026 posts)

Hi YourStudent :tazz:

I have asked loophole if I can step in here and help you, because I would like to test a new fix for this infection on you, if you would not mind. In the interests of full disclosure, if you are uncomfortable being a 'beta-tester' for a new removal method, I understand completely. I cannot 100% assure you that something will go wrong, although nothing has, thus far, in any of my tests.

If you are willing, I thank you, and here's what to do:

Please download the file attached to the bottom of this post.
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please open the QooFix9x folder and run the RunThis.bat. Follow the prompts. When it is finished, restart your computer back into normal mode, and post a new HijackThis log along with the contents of log.txt which should be found within the QooFix9x folder. :)

Attached Files



#9 YourStudent (Topic Starter, Member, 10 posts)

OK. I did what you asked! :tazz: Let's see what you think. Below are the logs.

Log of QooFix9x v1

************

Running from directory:
C:\WINDOWS\Desktop\QooFix9x\QooFix9x

************

Files found:

c:\windows\system\wuauclt.dll
c:\windows\system\vgactl.cpl
c:\windows\rgnzud.exe
c:\windows\rxcqodc.exe
c:\windows\rqgkl.dll
c:\windows\txknolk.dll
c:\windows\system\wuauclt.dll
c:\windows\startm~1\programs\startup\pudc.exe
c:\windows\nlkumh.exe
c:\windows\lebwpn.dat
c:\windows\system\vgactl.cpl
c:\windows\ru.exe

************

Deleting files:

Deletion of c:\windows\system\wuauclt.dll succeeded!
Deletion of c:\windows\system\vgactl.cpl succeeded!
Deletion of c:\windows\rgnzud.exe succeeded!
Deletion of c:\windows\rxcqodc.exe succeeded!
Deletion of c:\windows\rqgkl.dll succeeded!
Deletion of c:\windows\txknolk.dll succeeded!
Deletion of c:\windows\system\wuauclt.dll succeeded!
Deletion of c:\windows\startm~1\programs\startup\pudc.exe succeeded!
Deletion of c:\windows\nlkumh.exe succeeded!
Deletion of c:\windows\lebwpn.dat succeeded!
Deletion of c:\windows\system\vgactl.cpl succeeded!
Deletion of c:\windows\ru.exe succeeded!

************

Removing registry entries:

Done!

Finished!


Logfile of HijackThis v1.99.1
Scan saved at 6:27:23 PM, on 9/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\BHAT\TBAR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\SYSTEM\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab

#10 Swandog46 (Malware Expert, MVP, 1,026 posts)

Hey, pretty good! Thanks! :tazz:

I'd actually like copies of those files for my testing if you wouldn't mind --- can you please download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\wuauclt.dll
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\vgactl.cpl
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\rgnzud.exe
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\rxcqodc.exe
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\rqgkl.dll
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\txknolk.dll
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\pudc.exe
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\nlkumh.exe
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\lebwpn.dat
C:\WINDOWS\Desktop\QooFix9x\QooFix9x\backups\ru.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at Swandog46[AT]go[DOT]com (replace [AT] with @ and [DOT] with .)

Then you can delete the QooFix9x folder from the desktop. :) Please make sure to empty the recycle bin, because those backups are still live malware (I am still not finished refining this tool), and so they need to be deleted!

Thank you! :)

Now let's remove the generic stuff that remains --- please run HijackThis, click Scan, and check:

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe

Close all open windows and click Fix Checked.

Delete the file:

c:\windows\system\zpfujj.exe

Also delete the folder:

C:\Program Files\bhat

Restart your computer and please post a new HijackThis log. :)
  • 0
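As an added example (not code from HijackThis, QooFix9x or anyone in this thread), a small Python script that does mechanically what Swandog46 did by eye between the two logs above: it diffs the O2/O4 persistence entries of a before and an after HijackThis log, reports what the cleanup pass removed, and flags entries that still match the patterns seen in this thread (the reg_run argument, a rundll32 load of wuauclt.dll, a bare executable in the Startup folder, a BHO DLL sitting directly in C:\WINDOWS). The sample lines are abridged from the thread's own logs; the flagging rules are the editor's heuristics, not either tool's.

```python
"""Diff two HijackThis 1.99.x logs and flag persistence entries matching the
patterns in this thread. Added example; not code from HijackThis, QooFix9x or
the thread's participants. Sample lines are abridged from the thread's logs;
the flagging rules are the editor's heuristics, not either tool's."""
import re
from dataclasses import dataclass

# A finding line is "<section> - <body>", e.g.
# "O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rgnzud.exe reg_run"
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body with a value name: "<hive>: [<name>] <command>"
O4_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # R1, O2, O4, ...
    key: str      # identity used for diffing (hive + value name, CLSID, ...)
    value: str    # part that may change between logs (command line, DLL path)
    raw: str      # original log line


def parse_log(text: str) -> dict[str, Entry]:
    """Return finding lines keyed so a before/after pair can be diffed."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, process list and blank lines are not findings
            continue
        section, body = m["section"], m["body"]
        if section == "O4" and (o4 := O4_RE.match(body)):
            key, value = f"O4|{o4['where']}|{o4['name']}", o4["cmd"]
        elif section == "O2" and (o2 := O2_RE.match(body)):
            key, value = f"O2|{o2['clsid']}", o2["path"]
        else:  # e.g. "O4 - Startup: pudc.exe", R1, O8, O9, O16
            key, value = f"{section}|{body}", ""
        entries[key] = Entry(section, key, value, line.strip())
    return entries


def suspicious(entry: Entry) -> list[str]:
    """Editor's heuristics, each taken from a line in this thread's logs."""
    reasons = []
    if entry.section == "O4":
        if entry.value.lower().endswith(" reg_run"):
            reasons.append("'reg_run' argument, shared by the loaders QooFix9x deleted")
        if re.search(r"rundll32 .*\\wuauclt\.dll", entry.value, re.I):
            reasons.append("rundll32 loading wuauclt.dll, one of the files QooFix9x deleted")
        if entry.key.startswith("O4|Startup: ") and ".lnk =" not in entry.key:
            reasons.append("bare executable in the Startup folder instead of a .lnk")
    if entry.section == "O2" and re.match(r"^C:\\WINDOWS\\[^\\]+$", entry.value, re.I):
        reasons.append("BHO DLL sitting directly in C:\\WINDOWS")
    return reasons


def compare(before_text: str, after_text: str) -> dict[str, list[str]]:
    """Summarise what a cleanup pass removed and what still needs attention."""
    before, after = parse_log(before_text), parse_log(after_text)
    removed = [e.raw for k, e in before.items() if k not in after]
    added = [e.raw for k, e in after.items() if k not in before]
    still_flagged = [f"{e.raw}  <- {'; '.join(r)}"
                     for e in after.values() if (r := suspicious(e))]
    return {"removed": removed, "added": added, "still_flagged": still_flagged}


# Constructed sample: abridged from the log posted with the L2M9XFix output
# (before) and the 9/14 log posted after QooFix9x ran (after).
BEFORE_LOG = r"""
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\nlkumh.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rgnzud.exe reg_run
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
O4 - Startup: pudc.exe
"""
AFTER_LOG = r"""
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [zpfujj] c:\windows\system\zpfujj.exe
O4 - HKCU\..\Run: [Reoe] C:\Program Files\bhat\tbar.exe
"""

if __name__ == "__main__":
    for heading, lines in compare(BEFORE_LOG, AFTER_LOG).items():
        print(f"== {heading} ({len(lines)})")
        print("\n".join(lines) or "(none)")
```

Entries such as [zpfujj] and [Reoe] that match none of the heuristics are exactly the ones a helper still has to judge by hand, which is why the diff is printed alongside the flags rather than instead of them.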

#11 YourStudent (Topic Starter, Member, 10 posts)

Did you get the e-mail with the CAB file? Hope it helps! :)
Followed the instructions, here is a new HJT log.
When looking for the file, I noticed Hookpopup.dll - anything to be concerned with?

Logfile of HijackThis v1.99.1
Scan saved at 8:27:08 PM, on 9/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\SYSTEM\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
:tazz:

#12 Swandog46 (Malware Expert, MVP, 1,026 posts)

Yes, thank you, I got the CAB file and I believe it will help very much. :tazz:

When looking for the file, noticed Hookpopup.dll - anything to be concerned with?

I don't know what you mean by this --- where did you find this file?

Can you also describe your symptoms --- how does it seem to be running? Your log looks great to me. :)

#13 YourStudent (Topic Starter, Member, 10 posts)

:) That's great news! The file I was referring to was found in C:/windows/system; I saw it when looking for zpfujj.exe to delete. The name sounded fishy, Hookpopup.dll. I looked at the date last modified and saw a few things, just curious.
Thanks a ton! and Loophole too! :tazz:
Is there anything else I need to do?

#14 loophole (Malware Expert, Retired Staff, 9,798 posts)

One last step

Please run this online virus scan:
Panda Active Scan (you need to use Internet Explorer for this scan)
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new Hijack log

Thanks :tazz:

#15 YourStudent (Topic Starter, Member, 10 posts)

:tazz:

Incident Status Location

Adware:adware/popmonster No disinfected C:\WINDOWS\Favorites\SHOPPING\Ebay.url
Adware:adware/purityscan No disinfected C:\WINDOWS\TEMP\!update.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
Adware:adware/dealhelper No disinfected C:\WINDOWS\SYSTEM\HookPopup.dll
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM\Searchx.htm
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\Application Data\Sskknwrd.dll
Adware:adware/transponder No disinfected C:\WINDOWS\INF\CERES.INF
Spyware:spyware/betterinet No disinfected C:\WINDOWS\CERES.DLL
Adware:adware/cws No disinfected C:\WINDOWS\Favorites\Health
Adware:adware/elitebar No disinfected C:\WINDOWS\Favorites\Casino & Carrers
Adware:adware/afaenhance No disinfected Windows Registry
Adware:Adware/Midaddle No disinfected C:\WINDOWS\SYSTEM\tbar.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/404Search No disinfected C:\WINDOWS\SYSTEM\exclean.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\HookPopup.dll
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\IEHost30.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\IEDll300.dll
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\uninstal.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM\pinstaller.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF
Possible Virus. No disinfected C:\WINDOWS\TEMP\!update.exe
Virus:Trj/Agent.AKT Disinfected C:\WINDOWS\TEMP\tm7665.exe
Virus:Trj/Agent.AKT Disinfected C:\WINDOWS\TEMP\tm19705.exe
Possible Virus. No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\KPQ3KTAZ\!update-2554[1].0000
Virus:Trj/Agent.AKT Disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\KPQ3KTAZ\rcverlib[1].exe
Virus:Trj/Agent.AKT Disinfected C:\WINDOWS\bgqyv.dat
Possible Virus. No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/AdUrl No disinfected C:\WINDOWS\icont.exe
Adware:Adware/PurityScan No disinfected C:\My Documents\HJT\backups\backup-20050913-182008-265.dll
Possible Virus. No disinfected C:\My Documents\HJT\backups\backup-20050914-201236-714.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\InetGet\mc-110-12-0000079.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0052046.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0052080.CPY
Adware:Adware/Look2Me No disinfected C:\_RESTORE\TEMP\A0052081.CPY


Logfile of HijackThis v1.99.1
Scan saved at 10:54:16 PM, on 9/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE
C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\SYSTEM\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [Panda_cleaner_204787] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 204787
O4 - HKLM\..\RunOnce: [Panda_cleaner_207417] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 207417
O4 - HKLM\..\RunOnce: [Panda_cleaner_200595] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 200595
O4 - HKLM\..\RunOnce: [Panda_cleaner_160624] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 160624
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab