Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

help with ad.yieldmanager popups


  • This topic is locked This topic is locked

#1
powerplay

powerplay

    New Member

  • Member
  • Pip
  • 4 posts
I posted this allready and Loophole was kind enough to start helping me out. Problem is Loophole is not online and my Internet capabilities are pretty much non-exeistent. I am posting my hijack, WinPfind and Track qoo logs. Is there anyone that could possibly help me right away?


Logfile of HijackThis v1.99.1
Scan saved at 10:51:20 AM, on 9/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\medgs1.exe
C:\WINNT\system32\arrpgn.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\BRQIKMON.EXE
C:\WINNT\system32\wuauclt.exe
C:\DOCUME~1\marisolc\LOCALS~1\Temp\InSearch.exe
C:\WINNT\system32\Notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\marisolc\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\system32\WINdirect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MedGS] C:\WINNT\system32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\system32\opr.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\arrpgn.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [System service65] C:\WINNT\etb\pokapoka65.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\system32\WINdirect.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000120.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: nppk.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} (Crystal Print Control 10.0) - https://molcrystal.m...rintControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UC.LOCAL
O17 - HKLM\System\CCS\Services\Tcpip\..\{F70EFFB8-681D-482A-B4D6-C2959EB99302}: NameServer = 168.100.1.9,168.100.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = UC.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = UC.LOCAL
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O21 - SSODL: tQqtUKO - {5CCCC928-F666-6382-FEFF-52D077FC6766} - C:\WINNT\system32\tnnf.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINNT\hosts


Checking %System% folder...
69.59.186.63 9/12/2005 9:41:32 AM 133120 C:\WINNT\SYSTEM32\frreq.dll
209.66.67.134 9/12/2005 9:41:32 AM 133120 C:\WINNT\SYSTEM32\frreq.dll
web-nex 9/12/2005 9:41:32 AM 133120 C:\WINNT\SYSTEM32\frreq.dll
winsync 9/12/2005 9:41:32 AM 133120 C:\WINNT\SYSTEM32\frreq.dll
69.59.186.63 9/12/2005 9:41:32 AM 181760 C:\WINNT\SYSTEM32\ittrxko.dll
209.66.67.134 9/12/2005 9:41:32 AM 181760 C:\WINNT\SYSTEM32\ittrxko.dll
web-nex 9/12/2005 9:41:32 AM 181760 C:\WINNT\SYSTEM32\ittrxko.dll
winsync 9/12/2005 9:41:32 AM 181760 C:\WINNT\SYSTEM32\ittrxko.dll
PTech 7/12/2005 6:04:22 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.dll
UPX! 9/6/2005 10:05:12 AM 121433 C:\WINNT\SYSTEM32\mc-58-12-0000120.exe
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
UPX! 9/6/2005 9:42:08 AM 25105 C:\WINNT\SYSTEM32\MTE2ODM6ODoxNg.exe
Umonitor 6/19/2003 3:05:04 PM 529168 C:\WINNT\SYSTEM32\RASDLG.DLL
winsync 12/7/1999 8:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
69.59.186.63 9/6/2005 11:03:04 AM 30720 C:\WINNT\SYSTEM32\wuauclt.dll
209.66.67.134 9/6/2005 11:03:04 AM 30720 C:\WINNT\SYSTEM32\wuauclt.dll
66.63.167.97 9/6/2005 11:03:04 AM 30720 C:\WINNT\SYSTEM32\wuauclt.dll
66.63.167.77 9/6/2005 11:03:04 AM 30720 C:\WINNT\SYSTEM32\wuauclt.dll
web-nex 9/6/2005 11:03:04 AM 30720 C:\WINNT\SYSTEM32\wuauclt.dll
winsync 9/6/2005 11:03:04 AM 30720 C:\WINNT\SYSTEM32\wuauclt.dll
rec2_run 9/6/2005 11:03:04 AM 30720 C:\WINNT\SYSTEM32\wuauclt.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/12/2005 9:41:28 AM H 54156 C:\WINNT\QTFont.qfn
9/8/2005 2:02:26 PM H 465316 C:\WINNT\ShellIconCache
9/12/2005 10:25:40 AM S 64 C:\WINNT\CSC\00000001
9/8/2005 1:05:16 PM S 64 C:\WINNT\CSC\00000002
9/7/2005 3:50:42 PM S 64 C:\WINNT\CSC\csc1.tmp
9/7/2005 3:22:52 PM H 65 C:\WINNT\Downloaded Program Files\desktop.ini
8/8/2005 9:31:40 AM H 10820 C:\WINNT\Help\nocontnt.GID
9/6/2005 2:32:12 PM H 0 C:\WINNT\inf\oem4.inf
9/7/2005 4:32:10 PM H 0 C:\WINNT\inf\oem5.inf
9/7/2005 3:22:50 PM H 65 C:\WINNT\Offline Web Pages\desktop.ini
9/8/2005 1:05:24 PM H 1024 C:\WINNT\system32\config\default.LOG
9/12/2005 10:34:02 AM H 1024 C:\WINNT\system32\config\SAM.LOG
9/12/2005 10:29:22 AM H 1024 C:\WINNT\system32\config\SECURITY.LOG
9/12/2005 10:36:34 AM H 1024 C:\WINNT\system32\config\software.LOG
9/12/2005 10:25:40 AM H 6 C:\WINNT\Tasks\SA.DAT
9/7/2005 3:22:56 PM H 11083 C:\WINNT\Web\ftp.htt

Checking for CPL files...
Microsoft Corporation 12/7/1999 8:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 8:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 8/26/2002 12:11:40 PM 36864 C:\WINNT\SYSTEM32\odbccp32.cpl
Sun Microsystems 12/8/2004 9:40:24 AM 45175 C:\WINNT\SYSTEM32\plugincpl131_15.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 5/27/2003 12:42:58 PM 295936 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
9/6/2005 11:03:06 AM 31744 C:\WINNT\SYSTEM32\vgactl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 7:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/26/2002 12:11:40 PM 36864 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/12/2005 9:13:44 AM 417792 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppk.exe
5/19/2005 8:47:14 AM 1672 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
8/9/2004 2:29:44 PM 1397 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/17/2005 11:27:34 AM 4096 C:\Documents and Settings\All Users\Application Data\ScheduledItems

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
iebar =
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fttnsgqx
{75b307eb-b889-49fc-b6c1-b6a0cf2b7853} = C:\WINNT\system32\frreq.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884}
IEWebCatcher Class = C:\Program Files\DNS\Catcher.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6F431AC3-364A-478b-BBDB-89C7CE1B18F6}
ButtonText = Attach Web page to ACT! contact :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
vptray C:\Program Files\NavNT\vptray.exe
win_upd2.exe C:\WINNT\system32\WINdirect.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
MedGS C:\WINNT\system32\medgs1.exe
opr C:\WINNT\system32\opr.exe
winsync C:\WINNT\system32\arrpgn.exe reg_run
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
System service65 C:\WINNT\etb\pokapoka65.exe
XoftSpy C:\Program Files\XoftSpy\XoftSpy.exe -s

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
tQqtUKO {5CCCC928-F666-6382-FEFF-52D077FC6766} = C:\WINNT\system32\tnnf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINNT\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify
= PCANotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/12/2005 10:42:42 AM



Trackqoo
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"win_upd2.exe"="C:\\WINNT\\system32\\WINdirect.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MedGS"="C:\\WINNT\\system32\\medgs1.exe"
"opr"="C:\\WINNT\\system32\\opr.exe"
"winsync"="C:\\WINNT\\system32\\arrpgn.exe reg_run"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"System service65"="C:\\WINNT\\etb\\pokapoka65.exe"
"XoftSpy"="C:\\Program Files\\XoftSpy\\XoftSpy.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- fttnsgqx
{75b307eb-b889-49fc-b6c1-b6a0cf2b7853}
C:\WINNT\system32\frreq.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINNT\System32\docprop2.dll

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINNT\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINNT\System32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

nppk.exe
QuickBooks 2002 Delivery Agent.lnk
WinZip Quick Pick.lnk
==============================
C:\Documents and Settings\marisolc\Start Menu\Programs\Startup

nppk.exe
QuickBooks 2002 Delivery Agent.lnk
WinZip Quick Pick.lnk
==============================
C:\WINNT\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
DESK.CPL Microsoft Corporation
fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_15.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sticpl.cpl Microsoft Corporation
SYSDM.CPL Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wuaucpl.cpl Microsoft Corporation
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please be patient here. We have a lot of members here and only so many helpers. Loophole has replied and pretty promptly too if you ask me. So please be patient and wait for a day or two before you go about posting again. If anything, you should have posted back in your own topic. In your case, Loophole replied in the same day (couple of hours or less).

Topic here.

Closed!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP