Need help in clearing worms/spywares [RESOLVED]


  • This topic is locked

#1
sxs1004
  • Member
  • 63 posts
Hi all,
I am frustrated with my computer problems and would appreciate it if anyone can help me out on this.
As soon as I log in, processes start by themselves. I am flooded with pop-ups all the time and computer performance is very poor.

Here is the log generated from HijackThis. Please help me out.

---------

Logfile of HijackThis v1.99.1
Scan saved at 7:32:56 AM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RGFu\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\khwykuib\qpfwac.exe
C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\bztpmmi.exe
C:\Program Files\Bpt\bpt.exe
C:\program files\tvs\tvs_b.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\exp.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\qyshb\eqvbhs.exe
C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
C:\WINDOWS\System32\lfunt\vyedsv.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\rtocw\rtamimmu.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\WINDOWS\System32\fsvhfh\pcpm.exe
C:\WINDOWS\System32\kvmcln\svmiqm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Nxrxgw.exe
C:\WINDOWS\System32\r7aul9oo.exe
C:\WINDOWS\System32\robbyu.exe
C:\WINDOWS\System32\robbyu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\medgs1.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\system32\??stem32\ping.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Documents and Settings\ABC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O1 - Hosts: 213.222.11.6 ieautosearch
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {3AAFF6CF-6773-48A8-2B73-3DB67844F6B8} - C:\WINDOWS\System32\rjururnx.dll
O2 - BHO: SDWin32 Class - {51616755-2D8F-4480-8BD7-EE4416991288} - C:\WINDOWS\System32\hxqky.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Dan\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [Mbluvmz] C:\Program Files\Tufa\Npkxjs.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\gdg4xs.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [xhenew] C:\WINDOWS\System32\mflyemb\xhenew.exe
O4 - HKLM\..\Run: [xpnxci] C:\WINDOWS\System32\vmgof\xpnxci.exe
O4 - HKLM\..\Run: [dmes] C:\WINDOWS\System32\xdvhdvaj\dmes.exe
O4 - HKLM\..\Run: [exjv] C:\WINDOWS\System32\fkbu\exjv.exe
O4 - HKLM\..\Run: [dfsbouud] C:\WINDOWS\System32\xrfj\dfsbouud.exe
O4 - HKLM\..\Run: [nvoqkexu] C:\WINDOWS\System32\kdugcj\nvoqkexu.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKLM\..\Run: [eqvbhs] C:\WINDOWS\System32\qyshb\eqvbhs.exe
O4 - HKLM\..\Run: [gbwseyvw] C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
O4 - HKLM\..\Run: [vyedsv] C:\WINDOWS\System32\lfunt\vyedsv.exe
O4 - HKLM\..\Run: [pcpm] C:\WINDOWS\System32\fsvhfh\pcpm.exe
O4 - HKLM\..\Run: [rtamimmu] C:\WINDOWS\System32\rtocw\rtamimmu.exe
O4 - HKLM\..\Run: [svmiqm] C:\WINDOWS\System32\kvmcln\svmiqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [psjjpc] C:\WINDOWS\System32\psjjpc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\ltgdocc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Nxrxgw.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [r7aul9oo] C:\WINDOWS\System32\r7aul9oo.exe
O4 - HKLM\..\Run: [ematoim] C:\WINDOWS\System32\bztpmmi.exe r
O4 - HKLM\..\Run: [hxqkyc] C:\WINDOWS\System32\hxqkyc.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [robbyu] C:\WINDOWS\System32\robbyu.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - HKCU\..\Run: [Huudit] C:\WINDOWS\System32\??stem32\ping.exe
O4 - HKCU\..\RunOnce: [robbyu] C:\WINDOWS\System32\robbyu.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.qoolaid.c...4/installer.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0016.exe
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\drnhpast.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: qpfwackhwykuib - Unknown owner - C:\WINDOWS\System32\khwykuib\qpfwac.exe
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Send All Qualified App (Service1) - Unknown owner - C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: xpnxcivmgof - Unknown owner - C:\WINDOWS\System32\vmgof\xpnxci.exe
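The log above is what the helpers in this thread read by eye. As an added example (not HijackThis, L2MFix, or anything the posters ran), the Python below parses a handful of lines copied from that log and applies the first-pass checks a malware helper applies to such a log: a system.ini Shell value that is not plain Explorer.exe, hosts-file entries that point real names at other addresses, autoruns launched from a Temp directory or from a randomly named subfolder of System32, a path with characters HijackThis could not display, a non-empty AppInit_DLLs value, Winlogon Notify packages outside the set Windows XP ships with, and services with an unknown owner outside Program Files. The heuristics and the baseline set are assumptions for this illustration, and the sample lines are a constructed subset of the log.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis itself and not a tool used in this thread. The
heuristics and the Windows XP baseline below are assumptions for illustration.
"""
import re

# Constructed sample: a subset of the lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKCU\..\Run: [Huudit] C:\WINDOWS\System32\??stem32\ping.exe
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\drnhpast.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Winlogon Notify packages that ship with Windows XP (assumed baseline for this example).
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# A quoted path, or a bare drive-letter path up to the next whitespace.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\\S+)')


def extract_path(entry):
    """Return the first Windows path in a log entry, or None (e.g. for O1 Hosts lines)."""
    m = PATH_RE.search(entry)
    return (m.group(1) or m.group(2)) if m else None


def reasons_for(line):
    """Apply the per-section heuristics and return the reasons an entry merits a look."""
    reasons = []
    low = (extract_path(line) or "").lower()
    if line.startswith("F2 - REG:system.ini: Shell="):
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            reasons.append("Shell value is not plain Explorer.exe; an extra program starts at every logon")
    elif line.startswith("O1 - Hosts:"):
        parts = line.split(":", 1)[1].split()
        if parts and parts[0] != "127.0.0.1":
            reasons.append(f"hosts file redirects a name to {parts[0]}")
    elif line.startswith("O4 - "):
        if "\\temp\\" in low:
            reasons.append("autorun launched from a Temp directory")
        if re.search(r"\\system32\\[^\\]+\\[^\\]+\.exe$", low):
            reasons.append("autorun in a subfolder of System32")
        if "?" in low:
            reasons.append("path contains characters HijackThis could not display")
    elif line.startswith("O20 - AppInit_DLLs:"):
        if line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs loads a DLL into every process that uses user32.dll")
    elif line.startswith("O20 - Winlogon Notify:"):
        name = line.split(":", 1)[1].split(" - ")[0].strip()
        if name.lower() not in BASELINE_NOTIFY:
            reasons.append(f"Winlogon Notify package '{name}' is not a Windows XP built-in")
    elif line.startswith("O23 - Service:"):
        if "Unknown owner" in line and "\\program files\\" not in low:
            reasons.append("service with unknown owner running outside Program Files")
    return reasons


def triage(log_text):
    """Return one finding per flagged line: {'line', 'path', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = reasons_for(line)
        if reasons:
            findings.append({"line": line, "path": extract_path(line), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Two of the eleven sample lines come through clean (the QuickTime autorun and the Symantec service), which is the point of a check like this: it narrows a long log to the entries that merit a second look rather than deciding anything on its own.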


#2
don77
  • Malware Expert
  • Retired Staff
  • 18,526 posts
Hi and welcome sxs1004,
You have quite a few issues here;
this will take some work, but stay with us and we will get you cleaned up.

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, please run the following tool: NewDotNet Removal tool.

(ONLY if you can't find the New.Net in Add/Remove programs).

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.


Next

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#3
sxs1004
  • Topic Starter
  • Member
  • 63 posts
Hi
Thanks for your help. It took a little while as I had to struggle with all the pop-ups while trying to complete the process.
Attached is the report from l2mfix.

Just to let you know: I could not download LSPFix.exe earlier. The reason is that I cannot click on any link on the webpage that directs a new child browser to open in a new window.

So, as long as the new browser contents are in the same window, I can open it; otherwise my Internet Explorer throws an error.

Hence, I could download from http://www.atribune....oads/l2mfix.exe (which is a URL I can type in) but cannot download from the "LSPFix.exe" link as it opens a new window.

Please consider and send me complete URLs instead of links in future communications.

Thanks for your help... Hope you can get me home!!





L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\drnhpast.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4F7C2AFD-146D-5B7C-52BB-8E55177F0AAD}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{B1A89BD1-F149-11cf-9DFE-00A0241E7227}"="ClearCase Shell Extension Base for Context Menus"
"{4DBE8D51-F5EA-11cf-9F20-00A0241E7227}"="ClearCase Shell Extension Dispatcher for Context Menus"
"{B1A89BD2-F149-11cf-9DFE-00A0241E7227}"="ClearCase Shell Extension Base for Property Pages"
"{4DBE8D52-F5EA-11cf-9F20-00A0241E7227}"="ClearCase Shell Extension Dispatcher for Property Pages"
"{d1539480-f6cc-11ce-b60e-0000c04f79ba}"="MKS Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{47C0B270-5653-4042-A798-370B57C159B0}"=""
"{8EC432A4-0506-4029-AC31-B7D7047390EA}"=""
"{601E57C8-7741-4B57-8068-C8E2B414A6E5}"=""
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{32986636-9EFC-47CC-809A-9C1BC7FA1033}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{47C0B270-5653-4042-A798-370B57C159B0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47C0B270-5653-4042-A798-370B57C159B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47C0B270-5653-4042-A798-370B57C159B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47C0B270-5653-4042-A798-370B57C159B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\wadtrace.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8EC432A4-0506-4029-AC31-B7D7047390EA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EC432A4-0506-4029-AC31-B7D7047390EA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EC432A4-0506-4029-AC31-B7D7047390EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8EC432A4-0506-4029-AC31-B7D7047390EA}\InprocServer32]
@="C:\\WINDOWS\\system32\\jpsd400.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{601E57C8-7741-4B57-8068-C8E2B414A6E5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{601E57C8-7741-4B57-8068-C8E2B414A6E5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{601E57C8-7741-4B57-8068-C8E2B414A6E5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{601E57C8-7741-4B57-8068-C8E2B414A6E5}\InprocServer32]
@="C:\\WINDOWS\\system32\\wvn32spl.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{32986636-9EFC-47CC-809A-9C1BC7FA1033}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32986636-9EFC-47CC-809A-9C1BC7FA1033}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32986636-9EFC-47CC-809A-9C1BC7FA1033}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{32986636-9EFC-47CC-809A-9C1BC7FA1033}\InprocServer32]
@="C:\\WINDOWS\\system32\\rIsadhlp.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Volume in drive C has no label.
Volume Serial Number is 28EC-A4B1

Directory of C:\WINDOWS\System32

09/10/2005 09:59 AM 417,792 rIsadhlp.dll
09/10/2005 08:58 AM 417,792 wvn32spl.dll
09/09/2005 07:23 PM 417,792 oqbcji32.dll
09/09/2005 03:25 PM 417,792 jpsd400.dll
09/08/2005 07:52 PM 417,792 wadtrace.dll
09/08/2005 07:50 PM <DIR> dllcache
09/08/2005 07:46 PM 417,792 guard.tmp
09/08/2005 07:38 PM 417,792 drnhpast.dll
09/03/2005 11:16 PM 143,067 68chtbn.exe
09/03/2005 11:00 PM 220,822 9ebneh.exe
09/03/2005 11:00 PM 326,153 imz.sys
09/03/2005 11:00 PM 430,486 eo8.dll
09/03/2005 11:00 PM 267,361 ym606r.exe
06/12/2005 05:07 AM 0 5mb10y.exe
04/08/2005 03:50 PM 475 qkyhh.dll
09/02/2004 02:52 PM <DIR> Microsoft
14 File(s) 4,312,908 bytes
2 Dir(s) 10,960,637,952 bytes free
  • 0

#4 don77 (Malware Expert, Retired Staff, 18,526 posts)
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 (Run Fix) by typing 2 and pressing Enter, then press any key to reboot your computer. After the reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#5 sxs1004 (Topic Starter, Member, 63 posts)
Here is the report from l2mfix.bat:



Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1940 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2012 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\cfdial32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cfdial32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\drnhpast.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\drnhpast.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jpsd400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jpsd400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oqbcji32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oqbcji32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wadtrace.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wadtrace.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wvn32spl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wvn32spl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\cfdial32.dll
Successfully Deleted: C:\WINDOWS\system32\cfdial32.dll
deleting: C:\WINDOWS\system32\cfdial32.dll
Successfully Deleted: C:\WINDOWS\system32\cfdial32.dll
deleting: C:\WINDOWS\system32\drnhpast.dll
Successfully Deleted: C:\WINDOWS\system32\drnhpast.dll
deleting: C:\WINDOWS\system32\drnhpast.dll
Successfully Deleted: C:\WINDOWS\system32\drnhpast.dll
deleting: C:\WINDOWS\system32\jpsd400.dll
Successfully Deleted: C:\WINDOWS\system32\jpsd400.dll
deleting: C:\WINDOWS\system32\jpsd400.dll
Successfully Deleted: C:\WINDOWS\system32\jpsd400.dll
deleting: C:\WINDOWS\system32\oqbcji32.dll
Successfully Deleted: C:\WINDOWS\system32\oqbcji32.dll
deleting: C:\WINDOWS\system32\oqbcji32.dll
Successfully Deleted: C:\WINDOWS\system32\oqbcji32.dll
deleting: C:\WINDOWS\system32\wadtrace.dll
Successfully Deleted: C:\WINDOWS\system32\wadtrace.dll
deleting: C:\WINDOWS\system32\wadtrace.dll
Successfully Deleted: C:\WINDOWS\system32\wadtrace.dll
deleting: C:\WINDOWS\system32\wvn32spl.dll
Successfully Deleted: C:\WINDOWS\system32\wvn32spl.dll
deleting: C:\WINDOWS\system32\wvn32spl.dll
Successfully Deleted: C:\WINDOWS\system32\wvn32spl.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: cfdial32.dll (188 bytes security) (deflated 48%)
adding: drnhpast.dll (188 bytes security) (deflated 48%)
adding: jpsd400.dll (188 bytes security) (deflated 48%)
adding: oqbcji32.dll (188 bytes security) (deflated 48%)
adding: wadtrace.dll (188 bytes security) (deflated 48%)
adding: wvn32spl.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 51%)
adding: lo2.txt (188 bytes security) (deflated 84%)
adding: test.txt (188 bytes security) (deflated 82%)
adding: test2.txt (188 bytes security) (deflated 33%)
adding: test3.txt (188 bytes security) (deflated 33%)
adding: test5.txt (188 bytes security) (deflated 33%)
adding: tmp.txt (188 bytes security) (deflated 57%)
adding: xfind.txt (188 bytes security) (deflated 79%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: cfdial32.dll
deleting local copy: cfdial32.dll
deleting local copy: drnhpast.dll
deleting local copy: drnhpast.dll
deleting local copy: jpsd400.dll
deleting local copy: jpsd400.dll
deleting local copy: oqbcji32.dll
deleting local copy: oqbcji32.dll
deleting local copy: wadtrace.dll
deleting local copy: wadtrace.dll
deleting local copy: wvn32spl.dll
deleting local copy: wvn32spl.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\cfdial32.dll
C:\WINDOWS\system32\cfdial32.dll
C:\WINDOWS\system32\drnhpast.dll
C:\WINDOWS\system32\drnhpast.dll
C:\WINDOWS\system32\jpsd400.dll
C:\WINDOWS\system32\jpsd400.dll
C:\WINDOWS\system32\oqbcji32.dll
C:\WINDOWS\system32\oqbcji32.dll
C:\WINDOWS\system32\wadtrace.dll
C:\WINDOWS\system32\wadtrace.dll
C:\WINDOWS\system32\wvn32spl.dll
C:\WINDOWS\system32\wvn32spl.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{47C0B270-5653-4042-A798-370B57C159B0}"=-
"{8EC432A4-0506-4029-AC31-B7D7047390EA}"=-
"{601E57C8-7741-4B57-8068-C8E2B414A6E5}"=-
"{32986636-9EFC-47CC-809A-9C1BC7FA1033}"=-
[-HKEY_CLASSES_ROOT\CLSID\{47C0B270-5653-4042-A798-370B57C159B0}]
[-HKEY_CLASSES_ROOT\CLSID\{8EC432A4-0506-4029-AC31-B7D7047390EA}]
[-HKEY_CLASSES_ROOT\CLSID\{601E57C8-7741-4B57-8068-C8E2B414A6E5}]
[-HKEY_CLASSES_ROOT\CLSID\{32986636-9EFC-47CC-809A-9C1BC7FA1033}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************





Here is the report from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:43 PM, on 9/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGFu\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\khwykuib\qpfwac.exe
C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wkeauay.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\robbyu.exe
C:\WINDOWS\System32\robbyu.exe
C:\Documents and Settings\ABC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O1 - Hosts: 213.222.11.6 ieautosearch
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {3AAFF6CF-6773-48A8-2B73-3DB67844F6B8} - C:\WINDOWS\System32\rjururnx.dll
O2 - BHO: SDWin32 Class - {51616755-2D8F-4480-8BD7-EE4416991288} - C:\WINDOWS\System32\hxqky.dll
O2 - BHO: (no name) - {5B408D61-19D6-360E-DE99-43D19E6AC4BB} - C:\WINDOWS\System32\smd.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Dan\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [Mbluvmz] C:\Program Files\Tufa\Npkxjs.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\gdg4xs.exe reg_run
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [xhenew] C:\WINDOWS\System32\mflyemb\xhenew.exe
O4 - HKLM\..\Run: [xpnxci] C:\WINDOWS\System32\vmgof\xpnxci.exe
O4 - HKLM\..\Run: [dmes] C:\WINDOWS\System32\xdvhdvaj\dmes.exe
O4 - HKLM\..\Run: [exjv] C:\WINDOWS\System32\fkbu\exjv.exe
O4 - HKLM\..\Run: [dfsbouud] C:\WINDOWS\System32\xrfj\dfsbouud.exe
O4 - HKLM\..\Run: [nvoqkexu] C:\WINDOWS\System32\kdugcj\nvoqkexu.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKLM\..\Run: [eqvbhs] C:\WINDOWS\System32\qyshb\eqvbhs.exe
O4 - HKLM\..\Run: [gbwseyvw] C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
O4 - HKLM\..\Run: [vyedsv] C:\WINDOWS\System32\lfunt\vyedsv.exe
O4 - HKLM\..\Run: [pcpm] C:\WINDOWS\System32\fsvhfh\pcpm.exe
O4 - HKLM\..\Run: [rtamimmu] C:\WINDOWS\System32\rtocw\rtamimmu.exe
O4 - HKLM\..\Run: [svmiqm] C:\WINDOWS\System32\kvmcln\svmiqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [psjjpc] C:\WINDOWS\System32\psjjpc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\ltgdocc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Nxrxgw.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [hxqkyc] C:\WINDOWS\System32\hxqkyc.exe
O4 - HKLM\..\Run: [haukyk] C:\WINDOWS\System32\wkeauay.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [robbyu] C:\WINDOWS\System32\robbyu.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Huudit] C:\WINDOWS\System32\??stem32\ping.exe
O4 - HKCU\..\RunOnce: [robbyu] C:\WINDOWS\System32\robbyu.exe
O4 - Global Startup: kckp.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.qoolaid.c...4/installer.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0016.exe
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: qpfwackhwykuib - Unknown owner - C:\WINDOWS\System32\khwykuib\qpfwac.exe
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Send All Qualified App (Service1) - Unknown owner - C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: xpnxcivmgof - Unknown owner - C:\WINDOWS\System32\vmgof\xpnxci.exe



Thanks
  • 0
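The two exports in the logs above (the Approved shell-extension list with its four blank-named CLSIDs, and the Winlogon\Notify key that l2mfix locks down and re-exports) lend themselves to an automated first pass. What follows is an added example, not code from the thread or from l2mfix: it parses a .reg export in the format shown, lists Approved entries whose description is blank and resolves each CLSID's InprocServer32 to the DLL Explorer would load, and decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values under Winlogon\Notify against a small allow-list. The sample export is a constructed, trimmed excerpt modeled on the post's logs, and the allow-list of Windows XP notification DLLs is an assumption to be extended per site; a hit is a review item, not a verdict (the Symantec NavLogon entry surfaces until it is allow-listed).

```python
"""Triage a Windows .reg export for shell-extension and Winlogon Notify
persistence. Added example (not from the thread or from l2mfix): it
reproduces the correlation visible in the l2mfix log, i.e. blank-named
entries under Shell Extensions\\Approved -> HKCR\\CLSID\\<clsid>\\InprocServer32
-> DLL path, and decodes REG_EXPAND_SZ (hex(2)) DllName values under
Winlogon\\Notify so non-default notification DLLs can be reviewed."""
import re

# Constructed sample: a trimmed excerpt modeled on the exports in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{47C0B270-5653-4042-A798-370B57C159B0}"=""
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{32986636-9EFC-47CC-809A-9C1BC7FA1033}"=""

[HKEY_CLASSES_ROOT\CLSID\{47C0B270-5653-4042-A798-370B57C159B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\wadtrace.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{32986636-9EFC-47CC-809A-9C1BC7FA1033}\InprocServer32]
@="C:\\WINDOWS\\system32\\rIsadhlp.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"""

APPROVED_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                r"\Shell Extensions\Approved").lower()
NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
                 r"\Winlogon\Notify").lower()
# Assumption: Windows XP's stock notification DLLs; extend for the site's AV etc.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                     "sclgntfy.dll", "wzcdlg.dll"}


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name: raw_literal}}.
    '@' is the default value. Hex continuation lines (trailing backslash) are
    joined whether or not the continuation is indented."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[-"):            # deletion directive, no values follow
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        keys[current][name.strip('"')] = raw
    return keys


def decode_value(raw):
    """Decode a .reg value literal: quoted string, dword, or hex(2)
    (REG_EXPAND_SZ as UTF-16LE bytes). Other hex types come back as bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00") if m.group(1) == "2" else data
    return raw


def suspicious_shell_extensions(keys):
    """Approved shell extensions with a blank description, resolved through
    HKCR\\CLSID\\<clsid>\\InprocServer32 to the DLL Explorer would load in-process.
    Returns [(clsid, dll_path)] in export order."""
    hits = []
    for clsid, raw in keys.get(APPROVED_KEY, {}).items():
        if decode_value(raw) != "":
            continue
        server = keys.get(("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").lower(), {})
        dll = decode_value(server.get("@", '""'))
        hits.append((clsid, dll or "<no InprocServer32>"))
    return hits


def unknown_notify_dlls(keys):
    """Winlogon Notify packages whose DllName is not on the allow-list.
    Returns [(package_name_lower, dll)]; review items, not verdicts."""
    hits = []
    for path, values in keys.items():
        if not path.startswith(NOTIFY_PREFIX + "\\"):
            continue
        raw = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        dll = decode_value(raw) if raw is not None else None
        if not isinstance(dll, str):
            continue
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            hits.append((path.rsplit("\\", 1)[-1], dll))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for clsid, dll in suspicious_shell_extensions(parsed):
        print("blank-name shell extension", clsid, "->", dll)
    for pkg, dll in unknown_notify_dlls(parsed):
        print("review Winlogon Notify package", pkg, "->", dll)
```

On a live XP box the same correlation can be run against `reg export` output of the two keys; the parser accepts both the `Windows Registry Editor Version 5.00` and `REGEDIT4` headers and the unindented continuation lines seen in the l2mfix log.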
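A HijackThis log the size of the one above is easier to work through when the mechanical checks are done first. The following is an added example, not code from the thread or from HijackThis: it applies the rules a reviewer uses by hand to each line, namely a system.ini Shell= value with anything after Explorer.exe, Hosts entries that pin well-known names to remote addresses, autostarts launched from a Temp directory or from a sub-folder of System32, paths containing characters HijackThis could not render (the `??stem32` folder), and services of unknown ownership outside Program Files. The sample log is a constructed handful of lines in the format of the log above; every hit is a review candidate, not a verdict, since legitimate software can trip the path rules.

```python
"""Heuristic first pass over HijackThis v1.99 log lines. Added example, not
code from the thread or from HijackThis; it encodes checks a reviewer applies
by hand. Every hit is a review candidate, not a verdict."""
import re

# Constructed sample: a handful of lines in the format of the log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKCU\..\Run: [Huudit] C:\WINDOWS\System32\??stem32\ping.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
"""

LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path on the line; unquoted paths with spaces are allowed by
# stopping at a known executable extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|cpl))\b", re.I)


def classify(line):
    """Return a reason string if the line looks suspicious, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "F2" and "Shell=" in body:
        # Only Explorer.exe belongs here; anything appended is launched at logon.
        if [t.lower() for t in body.split("Shell=", 1)[1].split()] != ["explorer.exe"]:
            return "shell hijack: extra program after Explorer.exe"
    if sec == "O1" and body.startswith("Hosts:"):
        ip, _, host = body[len("Hosts:"):].strip().partition(" ")
        if ip not in LOCAL_IPS:
            return f"hosts redirect: {host.strip()} -> {ip}"
    if sec in ("O4", "O23"):
        pm = PATH_RE.search(body)
        if not pm:
            return None
        path, low = pm.group(1), pm.group(1).lower()
        if "?" in path:                 # HijackThis prints '?' for characters it cannot render
            return "unprintable characters in path (look-alike folder name)"
        if "\\temp\\" in low:
            return "autostart from a Temp directory"
        if re.search(r"\\system32\\[^\\]+\\[^\\]+\.exe$", low):
            return "autostart from a System32 sub-folder"
        if sec == "O23" and "unknown owner" in body.lower() and not low.startswith("c:\\program files\\"):
            return "service of unknown owner outside Program Files"
    return None


def triage(log_text):
    """Return [(line, reason)] for every suspicious line, in log order."""
    return [(l.strip(), r) for l in log_text.splitlines()
            for r in [classify(l)] if r]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the full log in the post, the Temp and System32 sub-folder rules alone account for most of the O4 and O23 entries the helper later walks through; the O9, O16 and O18 lines still need a human eye.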

#6 don77 (Malware Expert, Retired Staff, 18,526 posts)
Great, that took care of one! Many more to go, however. I will post the URLs for you going forward. Let me know when you stop getting redirected.

Before beginning, please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite http://www.ewido.net/en/download


Next, download Lavasoft's Ad-Aware http://www.download....4-10045910.html
and the VX2 Cleaner Plug-in http://www.lavasoft....x2cleaner.shtml
Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

#7 sxs1004 (Topic Starter, Member, 63 posts)
Hi
Thanks for your help..
When I finished the Ewido system scan, I could not save the report, as I had to shut down. So, on restarting, I went back to Ewido and got the reports "Startup report", "Connection report" and "Process report". I hope you get all the information that is needed. If not, please let me know and I can run the scan again.
Attached are the 3 reports and the hijackthis report.

Also, since the restart, Ewido has detected several other trojans and spyware and is cleaning them as it finds them...


---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 10:02:56 AM, 9/11/2005
+ Report-Checksum: 3A00D82D

Reg\HKLM\Run svmiqm C:\WINDOWS\System32\kvmcln\svmiqm.exe
Reg\HKLM\Run System service65 C:\WINDOWS\etb\pokapoka65.exe
Reg\HKLM\Run shnin C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
Reg\HKLM\Run SoDA Startup C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
Reg\HKCU\Run Ncao C:\Program Files\nrpn\osoa.exe
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
Reg\HKLM\Run BPT "C:\Program Files\Bpt\bpt.exe"
Reg\HKLM\Run NuTCSetupEnviron C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
Reg\HKLM\Run TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Reg\HKLM\Run DI2 "C:\DOCUME~1\Dan\LOCALS~1\Temp\27.exe\27.exe"
Reg\HKLM\Run tvs_b C:\program files\tvs\tvs_b.exe
Reg\HKLM\Run cfgmgr52 RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
Reg\HKLM\Run msresearch C:\WINDOWS\msresearch.exe
Reg\HKLM\Run Mbluvmz C:\Program Files\Tufa\Npkxjs.exe
Reg\HKLM\Run Dinst C:\WINDOWS\dinst.exe
Reg\HKLM\Run MedGS C:\WINDOWS\System32\medgs1.exe
Reg\HKLM\Run opr C:\WINDOWS\System32\opr.exe
Reg\HKLM\Run C:\WINDOWS\VCMnet11.exe C:\WINDOWS\VCMnet11.exe
Reg\HKLM\Run Windows Incontext C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
Reg\HKLM\Run AUNPS2 RUNDLL32 AUNPS2.DLL,_Run@16
Reg\HKLM\Run SurfSideKick 3 C:\Program Files\SurfSideKick 3\Ssk.exe
Reg\HKLM\Run xpnxci C:\WINDOWS\System32\vmgof\xpnxci.exe
Reg\HKLM\Run dmes C:\WINDOWS\System32\xdvhdvaj\dmes.exe
Reg\HKLM\Run exjv C:\WINDOWS\System32\fkbu\exjv.exe
Reg\HKLM\Run nvoqkexu C:\WINDOWS\System32\kdugcj\nvoqkexu.exe
Reg\HKLM\Run qpfwac C:\WINDOWS\System32\khwykuib\qpfwac.exe
Reg\HKLM\Run gbwseyvw C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
Reg\HKLM\Run vyedsv C:\WINDOWS\System32\lfunt\vyedsv.exe
Reg\HKLM\Run pcpm C:\WINDOWS\System32\fsvhfh\pcpm.exe
Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Reg\HKLM\Run vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
Reg\HKLM\Run psjjpc C:\WINDOWS\System32\psjjpc.exe
Reg\HKLM\Run hxqkyc C:\WINDOWS\System32\hxqkyc.exe
Reg\HKCU\Run SurfSideKick 3 C:\Program Files\SurfSideKick 3\Ssk.exe
Reg\HKCU\Run robbyu C:\WINDOWS\System32\robbyu.exe
Reg\HKCU\Run Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Reg\HKCU\Run Huudit C:\WINDOWS\System32\ѕуstem32\ping.exe
Reg\HKLM\Run USB controller "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
Shell\CommonStartup LoadRunner Agent Process.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LoadRunner Agent Process.lnk
Shell\CommonStartup Microsoft Office.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Shell\CommonStartup WinZip Quick Pick.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk


---------------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 10:03:05 AM, 9/11/2005
+ Report-Checksum: 7B306420

TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1031 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1044 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1046 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1052 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1056 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1059 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1066 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:50500 0.0.0.0:0 LISTENING
TCP 0.0.0.0:54345 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 192.168.1.101:139 0.0.0.0:0 LISTENING
TCP 192.168.1.101:1044 207.46.20.93:80 ESTABLISHED
TCP 192.168.1.101:1046 192.168.1.1:5431 ESTABLISHED
TCP 192.168.1.101:1050 64.34.106.13:80 TIME_WAIT
TCP 192.168.1.101:1052 192.168.1.1:5431 ESTABLISHED
TCP 192.168.1.101:1056 198.65.119.21:80 ESTABLISHED
TCP 192.168.1.101:1059 198.65.119.20:80 ESTABLISHED
TCP 192.168.1.101:1060 66.230.223.73:80 TIME_WAIT
TCP 192.168.1.101:1062 63.251.135.16:80 TIME_WAIT
TCP 192.168.1.101:1065 64.127.103.41:80 TIME_WAIT
TCP 192.168.1.101:1066 216.150.6.75:80 ESTABLISHED
TCP 192.168.1.101:13529 0.0.0.0:0 LISTENING
TCP 192.168.1.101:21389 192.168.1.1:5431 TIME_WAIT
TCP 192.168.1.101:25419 192.168.1.1:5431 TIME_WAIT
TCP 192.168.1.101:39777 192.168.1.1:5431 TIME_WAIT
TCP 192.168.1.101:42164 192.168.1.1:5431 TIME_WAIT
TCP 192.168.1.101:49657 192.168.1.1:5431 TIME_WAIT
TCP 192.168.1.101:54548 192.168.1.1:5431 TIME_WAIT
TCP 192.168.1.101:64862 192.168.1.1:5431 TIME_WAIT
UDP 0.0.0.0:135
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1027
UDP 0.0.0.0:1034
UDP 0.0.0.0:1039
UDP 0.0.0.0:3456
UDP 127.0.0.1:123
UDP 127.0.0.1:1032
UDP 127.0.0.1:1035
UDP 127.0.0.1:1041
UDP 127.0.0.1:1048
UDP 127.0.0.1:1064
UDP 127.0.0.1:1069
UDP 127.0.0.1:1900
UDP 192.168.1.101:123
UDP 192.168.1.101:137
UDP 192.168.1.101:138
UDP 192.168.1.101:1900
UDP 192.168.1.101:14792
UDP 192.168.1.101:22726
---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 10:03:20 AM, 9/11/2005
+ Report-Checksum: D50F09B7

0: System Process
4: System Process
128: C:\Program Files\nrpn\osoa.exe
176: C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
256: C:\WINDOWS\Explorer.exe
512: \SystemRoot\System32\smss.exe
564: \??\C:\WINDOWS\system32\csrss.exe
588: \??\C:\WINDOWS\system32\winlogon.exe
632: C:\WINDOWS\system32\services.exe
644: C:\WINDOWS\system32\lsass.exe
700: C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
804: C:\WINDOWS\system32\svchost.exe
828: C:\WINDOWS\System32\svchost.exe
912: C:\WINDOWS\System32\svchost.exe
980: C:\WINDOWS\System32\svchost.exe
1064: C:\WINDOWS\System32\wbem\wmiapsrv.exe
1076: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1100: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1112: C:\Program Files\WinZip\WZQKPICK.EXE
1232: C:\WINDOWS\system32\spoolsv.exe
1324: C:\WINDOWS\RGFu\command.exe
1356: C:\Program Files\Symantec AntiVirus\DefWatch.exe
1376: C:\Program Files\QuickTime\qttask.exe
1380: C:\Program Files\ewido\security suite\ewidoctrl.exe
1428: C:\Program Files\ewido\security suite\ewidoguard.exe
1460: C:\WINDOWS\System32\inetsrv\inetinfo.exe
1540: C:\WINDOWS\System32\khwykuib\qpfwac.exe
1596: C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
1652: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
1676: C:\WINDOWS\System32\wdfmgr.exe
1780: C:\WINDOWS\System32\nutsrv4.exe
1916: C:\WINDOWS\System32\wuauclt.exe
2132: C:\Program Files\Java\jre1.5.0\bin\jusched.exe
2380: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2624: C:\program files\tvs\tvs_b.exe
2744: C:\WINDOWS\System32\medgs1.exe
2764: C:\WINDOWS\System32\opr.exe
2812: C:\WINDOWS\System32\wuauclt.exe
3032: C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
3100: C:\WINDOWS\System32\lfunt\vyedsv.exe
3276: C:\WINDOWS\System32\fsvhfh\pcpm.exe
3452: C:\WINDOWS\System32\kvmcln\svmiqm.exe
3480: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3492: C:\PROGRA~1\SYMANT~1\VPTray.exe
3632: C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
3996: C:\Program Files\Messenger\msmsgs.exe
4056: C:\Program Files\ewido\security suite\SecuritySuite.exe
4068: C:\WINDOWS\System32\ѕуstem32\ping.exe
4160: C:\Program Files\Internet Explorer\iexplore.exe
4432: C:\WINDOWS\system32\NOTEPAD.EXE
4608: C:\WINDOWS\system32\NOTEPAD.EXE


------------------------------

HIJACK THIS
------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:04:06 AM, on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGFu\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\khwykuib\qpfwac.exe
C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\program files\tvs\tvs_b.exe
C:\WINDOWS\System32\medgs1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
C:\WINDOWS\System32\lfunt\vyedsv.exe
C:\WINDOWS\System32\fsvhfh\pcpm.exe
C:\WINDOWS\System32\kvmcln\svmiqm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\??stem32\ping.exe
C:\Program Files\nrpn\osoa.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\ABC\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O1 - Hosts: 213.222.11.6 ieautosearch
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3AAFF6BA-6772-3EAA-2B72-4DB67D45F6C8} - C:\WINDOWS\System32\rjururnx.dll
O2 - BHO: (no name) - {3AAFF6CF-6773-48A8-2B73-3DB67844F6B8} - C:\WINDOWS\System32\rjururnx.dll
O2 - BHO: SDWin32 Class - {51616755-2D8F-4480-8BD7-EE4416991288} - C:\WINDOWS\System32\hxqky.dll
O2 - BHO: (no name) - {5B408D61-19D6-360E-DE99-43D19E6AC4BB} - C:\WINDOWS\System32\smd.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Dan\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [Mbluvmz] C:\Program Files\Tufa\Npkxjs.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [xpnxci] C:\WINDOWS\System32\vmgof\xpnxci.exe
O4 - HKLM\..\Run: [dmes] C:\WINDOWS\System32\xdvhdvaj\dmes.exe
O4 - HKLM\..\Run: [exjv] C:\WINDOWS\System32\fkbu\exjv.exe
O4 - HKLM\..\Run: [nvoqkexu] C:\WINDOWS\System32\kdugcj\nvoqkexu.exe
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKLM\..\Run: [gbwseyvw] C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
O4 - HKLM\..\Run: [vyedsv] C:\WINDOWS\System32\lfunt\vyedsv.exe
O4 - HKLM\..\Run: [pcpm] C:\WINDOWS\System32\fsvhfh\pcpm.exe
O4 - HKLM\..\Run: [svmiqm] C:\WINDOWS\System32\kvmcln\svmiqm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [psjjpc] C:\WINDOWS\System32\psjjpc.exe
O4 - HKLM\..\Run: [hxqkyc] C:\WINDOWS\System32\hxqkyc.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [robbyu] C:\WINDOWS\System32\robbyu.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Huudit] C:\WINDOWS\System32\??stem32\ping.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nesunel.mht!http://213.158.119.3.../bridge-c46.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: qpfwackhwykuib - Unknown owner - C:\WINDOWS\System32\khwykuib\qpfwac.exe
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Send All Qualified App (Service1) - Unknown owner - C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: xpnxcivmgof - Unknown owner - C:\WINDOWS\System32\vmgof\xpnxci.exe
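A way to triage a startup report like the one above mechanically, as an added example and not a tool from this thread: it parses the ewido `Reg\...\Run` and `Shell\...` lines, pulls out the image each entry actually runs, and flags the path patterns that recur in this log: an image under a user's Temp folder, an .exe one level below System32, a loose file or ad-hoc folder under the Windows root, a directory named like a file (`Temp\27.exe\27.exe`), a rundll32 module given without any path, and non-ASCII look-alike letters in a path. The last case is the `Huudit` entry, whose "System32" subfolder is spelled with non-Latin letters; the HijackThis log in the same post could not print them and shows `??stem32`, which is why the ewido report is the copy to read. The sample lines are excerpted from the report above; the two code points used for the look-alike letters are my reading of it, and the Windows directory is assumed to be `C:\WINDOWS` as in the logs.

```python
"""Triage an ewido-style Startup report by where each autorun image lives.
Added example; not a tool from this thread.  Assumes the Windows directory is
C:\\WINDOWS, as in the posted logs."""
import re
import unicodedata
from typing import List, NamedTuple

# <location> <value name> <command>: the name may contain spaces, so the command
# is anchored on a drive letter, an opening quote, or rundll32.
LINE = re.compile(
    r'^(Reg\\HK(?:LM|CU)\\\w+|Shell\\\w+)\s+(.+?)\s+("?[A-Za-z]:\\.*|(?i:rundll32).*)$')


class Entry(NamedTuple):
    location: str
    name: str
    image: str
    reasons: List[str]


def image_path(command: str) -> str:
    """The file that actually runs: a rundll32 module, a quoted path, or the
    first path ending in .exe/.dll/.lnk (a directory called 27.exe is kept)."""
    cmd = command.strip()
    m = re.match(r'(?i)rundll32(?:\.exe)?\s+([^,]+)', cmd)
    if m:
        return m.group(1).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.(?:exe|dll|lnk))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd


def suspicion(image: str) -> List[str]:
    """Path-only heuristics.  Each hit is a reason to look closer, not a verdict."""
    low = image.lower()
    reasons = []
    if '\\temp\\' in low:
        reasons.append('temp_dir')           # dropped into a user's Temp folder
    if re.search(r'\\system32\\[^\\]+\\[^\\]+\.exe$', low):
        reasons.append('system32_subdir')    # .exe one level below System32
    if low.startswith('c:\\windows\\') and '\\system32\\' not in low and '\\system\\' not in low:
        reasons.append('windows_dir')        # loose file or ad-hoc folder under the Windows root
    if re.search(r'\.(?:exe|dll|tmp)\\', low):
        reasons.append('file_like_dir')      # a directory named like a file
    if '\\' not in image:
        reasons.append('no_directory')       # bare module, found via the DLL search order
    odd = []
    for ch in image:
        if ord(ch) > 127 and ch not in odd:
            odd.append(ch)
    if odd:                                  # look-alike letters in a "system" path
        reasons.append('non_ascii:' + ','.join(
            unicodedata.name(ch, 'U+%04X' % ord(ch)) for ch in odd))
    return reasons


def parse_report(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            location, name, command = m.groups()
            image = image_path(command)
            entries.append(Entry(location, name, image, suspicion(image)))
    return entries


def triage(text: str) -> List[Entry]:
    """Entries with the most reasons first; ties keep report order."""
    return sorted(parse_report(text), key=lambda e: -len(e.reasons))


# Constructed sample: lines excerpted from the Startup report in the post above.  The
# last line is appended with explicit escapes (U+0455, U+0443) for the two look-alike
# letters in the "System32\..stem32" folder, which is my reading of the report; the
# HijackThis log in the same post printed them as "??stem32".
SAMPLE = r"""
Reg\HKLM\Run svmiqm C:\WINDOWS\System32\kvmcln\svmiqm.exe
Reg\HKLM\Run System service65 C:\WINDOWS\etb\pokapoka65.exe
Reg\HKLM\Run shnin C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run DI2 "C:\DOCUME~1\Dan\LOCALS~1\Temp\27.exe\27.exe"
Reg\HKLM\Run cfgmgr52 RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
Reg\HKLM\Run AUNPS2 RUNDLL32 AUNPS2.DLL,_Run@16
Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Reg\HKLM\Run USB controller "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
Shell\CommonStartup WinZip Quick Pick.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
""" + "Reg\\HKCU\\Run Huudit C:\\WINDOWS\\System32\\\u0455\u0443stem32\\ping.exe\n"

if __name__ == '__main__':
    for e in triage(SAMPLE):
        print(f"{e.name:<22} {e.image:<60} {', '.join(e.reasons) or 'ok'}")
```

Run it and the flagged entries come out first. Path heuristics are a triage aid, not a verdict: files dropped straight into System32 (medgs1.exe, opr.exe, psjjpc.exe, hxqkyc.exe in the report above) get no flag from this script, and a legitimate OEM tool living under C:\WINDOWS would get one, so every hit still needs a hash or signature check before it goes on a kill list.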

#8 don77 (Malware Expert, Retired Staff, 18,526 posts)
Let's do some major cleanup here.
  • Go to Start | Run and type this in the box: services.msc
  • Locate these services: qpfwackhwykuib, System Startup Service and xpnxcivmgof, then right-click each and select Properties.
  • Under Service Status, select Stop.
  • In the drop-down box labeled Startup Type, select Disabled.
Next
Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O1 - Hosts: 213.222.11.6 auto.search.msn.com
O1 - Hosts: 213.222.11.6 ieautosearch
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3AAFF6BA-6772-3EAA-2B72-4DB67D45F6C8} - C:\WINDOWS\System32\rjururnx.dll
O2 - BHO: (no name) - {3AAFF6CF-6773-48A8-2B73-3DB67844F6B8} - C:\WINDOWS\System32\rjururnx.dll
O2 - BHO: SDWin32 Class - {51616755-2D8F-4480-8BD7-EE4416991288} - C:\WINDOWS\System32\hxqky.dll
O2 - BHO: (no name) - {5B408D61-19D6-360E-DE99-43D19E6AC4BB} - C:\WINDOWS\System32\smd.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Dan\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [Mbluvmz] C:\Program Files\Tufa\Npkxjs.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [xpnxci] C:\WINDOWS\System32\vmgof\xpnxci.exe
O4 - HKLM\..\Run: [dmes] C:\WINDOWS\System32\xdvhdvaj\dmes.exe
O4 - HKLM\..\Run: [exjv] C:\WINDOWS\System32\fkbu\exjv.exe
O4 - HKLM\..\Run: [nvoqkexu] C:\WINDOWS\System32\kdugcj\nvoqkexu.exe
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKLM\..\Run: [gbwseyvw] C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
O4 - HKLM\..\Run: [vyedsv] C:\WINDOWS\System32\lfunt\vyedsv.exe
O4 - HKLM\..\Run: [pcpm] C:\WINDOWS\System32\fsvhfh\pcpm.exe
O4 - HKLM\..\Run: [svmiqm] C:\WINDOWS\System32\kvmcln\svmiqm.exe
O4 - HKLM\..\Run: [psjjpc] C:\WINDOWS\System32\psjjpc.exe
O4 - HKLM\..\Run: [hxqkyc] C:\WINDOWS\System32\hxqkyc.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [robbyu] C:\WINDOWS\System32\robbyu.exe
O4 - HKCU\..\Run: [Huudit] C:\WINDOWS\System32\??stem32\ping.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nesunel.mht!http://213.158.119.3.../bridge-c46.cab
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: qpfwackhwykuib - Unknown owner - C:\WINDOWS\System32\khwykuib\qpfwac.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: xpnxcivmgof - Unknown owner - C:\WINDOWS\System32\vmgof\xpnxci.exe

Close out HJT.

Next
*Please open Notepad and save these instructions; name the file something you will remember.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the Killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\DOCUME~1\Dan\LOCALS~1\Temp\27.exe\27.exe
C:\Program Files\Bpt\bpt.exe
C:\program files\tvs\tvs_b.exe
C:\WINDOWS\msresearch.exe
C:\Program Files\Tufa\Npkxjs.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\System32\medgs1.exe
C:\WINDOWS\System32\opr.exe
C:\WINDOWS\VCMnet11.exe
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\WINDOWS\System32\vmgof\xpnxci.exe
C:\WINDOWS\System32\xdvhdvaj\dmes.exe
C:\WINDOWS\System32\fkbu\exjv.exe
C:\WINDOWS\System32\kdugcj\nvoqkexu.exe
C:\WINDOWS\System32\khwykuib\qpfwac.exe
C:\WINDOWS\System32\grhxtp\gbwseyvw.exe
C:\WINDOWS\System32\lfunt\vyedsv.exe
C:\WINDOWS\System32\fsvhfh\pcpm.exe
C:\WINDOWS\System32\kvmcln\svmiqm.exe
C:\WINDOWS\System32\psjjpc.exe
C:\WINDOWS\System32\hxqkyc.exe
C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
C:\WINDOWS\System32\robbyu.exe
C:\WINDOWS\System32\??stem32\ping.exe
C:\Program Files\nrpn\osoa.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Your computer should restart automatically; if not, please restart manually.
Post back a fresh log and we will see how we made out with those. I have another tool I need you to run, but I want to get rid of some of the crap on your system first.
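One way to check the "fresh log" asked for above, as an added example that is not part of the thread: compare the O4 (Run key) entries from the log before the fix, the entries ticked for "Fix Checked", and the O4 entries from the log the topic starter posts next. It reports what the fix removed, what survived, what is new, and, for each new entry, which removed entry it resembles: the same value name under the same hive, or the same path shape once the disposable parts are generalised (System32\<random>\<random>.exe, Temp\<random>.exe). The three samples are excerpts of those lists from this thread; O23 service lines are left out of the sample.

```python
"""Compare HijackThis O4 (Run key) entries before and after a fix and pair each new
entry with the removed entry it resembles.  Added example; not a tool from the thread."""
import re
from typing import Dict, List, NamedTuple, Set

O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$')


class Run(NamedTuple):
    hive: str
    name: str
    image: str

    @property
    def label(self) -> str:
        return f'{self.hive}:{self.name} -> {self.image}'


def image_of(command: str) -> str:
    """Drop a leading quote and cut the command at the first .exe."""
    m = re.match(r'"?(.+?\.exe)', command.strip(), re.I)
    return m.group(1) if m else command.strip()


def parse_o4(text: str) -> Set[Run]:
    runs = set()
    for line in text.splitlines():
        m = O4.match(line.strip())
        if m:
            hive, name, command = m.groups()
            runs.add(Run(hive, name, image_of(command)))
    return runs


def shape(image: str) -> str:
    """Generalise the throwaway parts of a path so a re-dropped file compares equal:
    System32\\<random>\\<random>.exe and Temp\\<random>.exe keep only their structure."""
    low = image.lower()
    low = re.sub(r'\\system32\\[a-z]+\\[a-z]+\.exe$', r'\\system32\\<dir>\\<file>.exe', low)
    low = re.sub(r'\\temp\\[a-z0-9]+\.exe$', r'\\temp\\<file>.exe', low)
    return low


def compare(before: str, fixed: str, after: str) -> Dict[str, object]:
    b, f, a = parse_o4(before), parse_o4(fixed), parse_o4(after)
    removed, survived, new = f - a, f & a, a - b
    respawned: Dict[str, List[str]] = {}
    for e in new:
        kin = [r.label for r in removed
               if (r.hive, r.name) == (e.hive, e.name) or shape(r.image) == shape(e.image)]
        if kin:
            respawned[e.label] = sorted(kin)
    return {
        'removed': sorted(r.label for r in removed),
        'survived': sorted(r.label for r in survived),
        'new': sorted(r.label for r in new),
        'respawned': respawned,
    }


# Constructed samples, excerpted from this thread: BEFORE from the log above, FIXED
# from the list ticked for "Fix Checked", AFTER from the log the topic starter posts next.
BEFORE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [xpnxci] C:\WINDOWS\System32\vmgof\xpnxci.exe
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
"""
FIXED = r"""
O4 - HKLM\..\Run: [xpnxci] C:\WINDOWS\System32\vmgof\xpnxci.exe
O4 - HKLM\..\Run: [qpfwac] C:\WINDOWS\System32\khwykuib\qpfwac.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
O4 - HKCU\..\Run: [Ncao] C:\Program Files\nrpn\osoa.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [fahmvj] C:\WINDOWS\System32\ypli\fahmvj.exe
O4 - HKLM\..\Run: [iitm] C:\WINDOWS\System32\iyju\iitm.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\ABC\LOCALS~1\Temp\uxsdmgmb.exe
"""

if __name__ == '__main__':
    for key, value in compare(BEFORE, FIXED, AFTER).items():
        print(key, value)
```

In the sample every ticked entry is gone, yet three new ones have appeared and each pairs with something that was removed: `shnin` now points at a different Temp file, and two fresh System32\<dir>\<file>.exe entries take the place of xpnxci and qpfwac. That is the signature of deleting the dropped files while leaving the dropper: the entries the fix list did not cover and that persist across both logs (System service65 / pokapoka65.exe, and the cmdService entry for RGFu\command.exe, which is still in the running-process list of the later log) are the natural next candidates.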

#9 sxs1004 (Topic Starter, Member, 63 posts)
Following are the files that I could not delete as I did not find them in the list.

-O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\ABC\LOCALS~1\Temp\yhfyl.exe
-O23 - Service: qpfwackhwykuib - Unknown owner - C:\WINDOWS\System32\khwykuib\qpfwac.exe
-O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
-O23 - Service: xpnxcivmgof - Unknown owner - C:\WINDOWS\System32\vmgof\xpnxci.exe

I deleted everything else.
HJT log after the cleanup is as follows:


Logfile of HijackThis v1.99.1
Scan saved at 7:08:48 PM, on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGFu\command.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ypli\fahmvj.exe
C:\WINDOWS\System32\iyju\iitm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\ABC\LOCALS~1\Temp\uxsdmgmb.exe
C:\WINDOWS\System32\lfboxil\eedlt.exe
C:\WINDOWS\System32\sxyq\kqjc.exe
C:\WINDOWS\System32\kmactxs\iojfxpsc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\ABC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [fahmvj] C:\WINDOWS\System32\ypli\fahmvj.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [iitm] C:\WINDOWS\System32\iyju\iitm.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\ABC\LOCALS~1\Temp\uxsdmgmb.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ABC\LOCALS~1\Temp\gptu.exe run
O4 - HKLM\..\Run: [iojfxpsc] C:\WINDOWS\System32\kmactxs\iojfxpsc.exe
O4 - HKLM\..\Run: [hxnmtav] C:\WINDOWS\System32\tbjmi\hxnmtav.exe
O4 - HKLM\..\Run: [bcgoscar] C:\WINDOWS\System32\deug\bcgoscar.exe
O4 - HKLM\..\Run: [eedlt] C:\WINDOWS\System32\lfboxil\eedlt.exe
O4 - HKLM\..\Run: [kqjc] C:\WINDOWS\System32\sxyq\kqjc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/download.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0022.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iojfxpsckmactxs - Unknown owner - C:\WINDOWS\System32\kmactxs\iojfxpsc.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Send All Qualified App (Service1) - Unknown owner - C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#10
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Better, still some work to do however.

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

iojfxpsckmactxs

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Next
Download LQfix.exe http://users.telenet...tools/LQfix.exe
and place it on your desktop.
Doubleclick LQfix.exe and click install.
This will create a new folder called LQfix on your desktop.
Open the folder and doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.


Post back a fresh HJT log when done please

#11
sxs1004

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
I could not press the Stop button for iojfxpsckmactxs.


I get the following error message:
"Could not stop the iojfxpsckmactxs on your local computer. The service did not return an error. It could be an internal Windows error or an internal service error. If problem persists, contact your system administrator."

Again I could not disable it as on hitting the apply button, it rolled back to Automatic.

I ran the LQFIX. Here is the HJT log after the run:
Logfile of HijackThis v1.99.1
Scan saved at 3:39:41 PM, on 9/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGFu\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\kmactxs\iojfxpsc.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ypli\fahmvj.exe
C:\WINDOWS\System32\iyju\iitm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\lfboxil\eedlt.exe
C:\WINDOWS\System32\sxyq\kqjc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\ABC\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 216.39.69.102 view.atdmt.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [fahmvj] C:\WINDOWS\System32\ypli\fahmvj.exe
O4 - HKLM\..\Run: [iitm] C:\WINDOWS\System32\iyju\iitm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ABC\LOCALS~1\Temp\gptu.exe run
O4 - HKLM\..\Run: [iojfxpsc] C:\WINDOWS\System32\kmactxs\iojfxpsc.exe
O4 - HKLM\..\Run: [hxnmtav] C:\WINDOWS\System32\tbjmi\hxnmtav.exe
O4 - HKLM\..\Run: [bcgoscar] C:\WINDOWS\System32\deug\bcgoscar.exe
O4 - HKLM\..\Run: [eedlt] C:\WINDOWS\System32\lfboxil\eedlt.exe
O4 - HKLM\..\Run: [kqjc] C:\WINDOWS\System32\sxyq\kqjc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\kgbucg.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/download.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0022.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iojfxpsckmactxs - Unknown owner - C:\WINDOWS\System32\kmactxs\iojfxpsc.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Send All Qualified App (Service1) - Unknown owner - C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#12
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
We are making progress so stay with me here

Make sure you can view all Hidden Files/Folders


Please restart HJT, put a check next to the following, close all open windows and click “Fix Checked”
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [fahmvj] C:\WINDOWS\System32\ypli\fahmvj.exe
O4 - HKLM\..\Run: [iitm] C:\WINDOWS\System32\iyju\iitm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ABC\LOCALS~1\Temp\gptu.exe run
O4 - HKLM\..\Run: [iojfxpsc] C:\WINDOWS\System32\kmactxs\iojfxpsc.exe
O4 - HKLM\..\Run: [hxnmtav] C:\WINDOWS\System32\tbjmi\hxnmtav.exe
O4 - HKLM\..\Run: [bcgoscar] C:\WINDOWS\System32\deug\bcgoscar.exe
O4 - HKLM\..\Run: [eedlt] C:\WINDOWS\System32\lfboxil\eedlt.exe
O4 - HKLM\..\Run: [kqjc] C:\WINDOWS\System32\sxyq\kqjc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\kgbucg.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - <http://cabs.media-mo...s/download.cab>
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - <http://www.pacimedia...l/pcs_0022.exe>

Next, reboot into SAFE MODE
Search for and delete the Files highlighted in BOLD and the Folders highlighted in Blue

C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\
C:\DOCUME~1\Dan\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [fahmvj] C:\WINDOWS\System32\ypli\
O4 - HKLM\..\Run: [iitm] C:\WINDOWS\System32\iyju\
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ABC\LOCALS~1\Temp\gptu.exe
O4 - HKLM\..\Run: [iojfxpsc] C:\WINDOWS\System32\kmactxs\
O4 - HKLM\..\Run: [hxnmtav] C:\WINDOWS\System32\tbjmi\
O4 - HKLM\..\Run: [bcgoscar] C:\WINDOWS\System32\deug\
O4 - HKLM\..\Run: [eedlt] C:\WINDOWS\System32\lfboxil\
O4 - HKLM\..\Run: [kqjc] C:\WINDOWS\System32\sxyq\
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\kgbucg.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\
C:\Program Files\Web_Rebates\


Again while in safe mode clean out your Temp Folders.
Click Start | Run | type in cleanmgr | OK

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

Press OK to remove them.


Restart your computer,
  • Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443
  • Unzip/extract the files inside to a folder on your desktop.
  • Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
  • Then post the results here please, along with the new HijackThis log.


#13
sxs1004

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
1. I could not delete the following files as I could not find them:
C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ABC\LOCALS~1\Temp\gptu.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\kgbucg.exe

2. I could not run the FindIt's.bat file and got an error message as in the attachment 1.jpg.

3. HJT log is as follows


Logfile of HijackThis v1.99.1
Scan saved at 5:26:43 PM, on 9/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\RGFu\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\Documents and Settings\ABC\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iojfxpsckmactxs - Unknown owner - C:\WINDOWS\System32\kmactxs\iojfxpsc.exe (file missing)
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Send All Qualified App (Service1) - Unknown owner - C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#14
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Great, looking a whole lot better!


Try to stop this service again: "iojfxpsckmactxs"
Next
Have HJT fix the following, reboot afterwards, and post a fresh log please

O23 - Service: iojfxpsckmactxs - Unknown owner - C:\WINDOWS\System32\kmactxs\iojfxpsc.exe (file missing)
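The triage that don77 does by eye in posts #12 and #14 (autostarts launched from a user's Temp folder, executables sitting in odd subfolders of System32 or WINDOWS, services with no owner in their version info, and finally an O23 entry whose binary is gone but whose service registration remains) can be written down as explicit rules. The script below is an added example, not part of this thread and not HijackThis code: it parses O4 and O23 lines in HJT's log format and marks entries for manual review. The sample lines are copied from the logs posted above; the allowlist of Windows subfolders and the split into strong and weak signals are my assumptions, not anything HJT itself does.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a few O4 (Run-key autostart) and O23 (service) lines
# copied from the HijackThis logs posted in this thread; other sections are omitted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Dan\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [fahmvj] C:\WINDOWS\System32\ypli\fahmvj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\kgbucg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: iojfxpsckmactxs - Unknown owner - C:\WINDOWS\System32\kmactxs\iojfxpsc.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# First executable-looking token of a Run command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|bat|cmd|scr|com|pif))\b', re.IGNORECASE)

# Assumed allowlist: directories that legitimately sit under %WINDIR%. Anything else
# between the Windows folder and the file name is treated as unexpected.
KNOWN_WINDIR_SUBDIRS = {"system32", "system", "syswow64", "inetsrv", "wbem", "drivers", "spool"}


@dataclass
class Entry:
    kind: str                      # "O4" or "O23"
    name: str                      # Run value name or service display name
    path: str                      # executable the entry points at
    owner: Optional[str] = None    # O23 only: company from the file's version info
    file_missing: bool = False     # HJT could not find the binary on disk
    strong: List[str] = field(default_factory=list)
    weak: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.strong)


def in_temp_dir(path: str) -> bool:
    """Autostarts that run out of a user's temp directory are not normal installs."""
    p = path.lower()
    return "\\temp\\" in p or "\\locals~1\\" in p or "\\tmp\\" in p


def unexpected_windows_subdir(path: str) -> Optional[str]:
    """Return the first non-allowlisted directory between %WINDIR% and the file, or None."""
    parts = path.lower().replace("/", "\\").split("\\")
    windir = [i for i, p in enumerate(parts) if p in ("windows", "winnt", "%systemroot%", "%windir%")]
    if not windir:
        return None
    for comp in parts[windir[0] + 1:-1]:
        if comp not in KNOWN_WINDIR_SUBDIRS:
            return comp
    return None


def parse_line(line: str) -> Optional[Entry]:
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        pm = EXE_RE.match(cmd)
        path = pm.group("path") if pm else (cmd.split() or [cmd])[0]
        return Entry("O4", m.group("name"), path)
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m.group("name"), m.group("path"),
                     owner=m.group("owner"), file_missing=m.group("missing") is not None)
    return None


def assess(e: Entry) -> Entry:
    """Attach review reasons; a 'strong' reason flags the entry on its own."""
    if in_temp_dir(e.path):
        e.strong.append("temp_dir")
    sub = unexpected_windows_subdir(e.path)
    if sub:
        e.strong.append("windows_subdir=" + sub)
    if e.file_missing:
        e.strong.append("file_missing")     # registration survived, binary did not
    if e.kind == "O23" and e.owner == "Unknown owner":
        e.weak.append("unknown_owner")      # missing version info alone is not conclusive
    return e


def triage(log: str) -> List[Entry]:
    return [assess(e) for e in (parse_line(l.strip()) for l in log.splitlines()) if e]


def flagged_names(log: str) -> List[str]:
    return [e.name for e in triage(log) if e.flagged]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "REVIEW" if e.flagged else "  ok  "
        print(f"{mark} {e.kind:<3} [{e.name}] {e.path}  {e.strong + e.weak}")
```

"REVIEW" means look at it, not "this is malware": the Rational service that only has "Unknown owner" and lives under Program Files stays unflagged, and kgbucg.exe sitting directly in System32 under the value name "version" is not caught by location rules at all, which is why a human reviewer's judgement still decides the fix list. The (file missing) case is what post #14 asks HJT to fix: the binary was deleted in safe mode, but the service registration that points at it survived.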

#15
sxs1004

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
When I went to services.msc and double-clicked on iojfxpsckmactxs, it was already marked as Disabled.
Also I could not find
O23 - Service: iojfxpsckmactxs - Unknown owner - C:\WINDOWS\System32\kmactxs\iojfxpsc.exe (file missing)

in the HJT log.
Here is the fresh log report:

Logfile of HijackThis v1.99.1
Scan saved at 5:32:37 PM, on 9/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
C:\WINDOWS\RGFu\command.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\ABC\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Send All Qualified App (Service1) - Unknown owner - C:\Program Files\Common Files\Mercury Interactive\TDAPIServer\SendAllQualifiedApp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe