Adware Help



#1
Falcon32
New Member
  • Member
  • 5 posts
Can someone please review my HijackThis log and advise how I can get rid of continuous pop-ups? Thanks
Logfile of HijackThis v1.98.0
Scan saved at 9:02:41 PM, on 12/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iugyri.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Documents and Settings\Michael\Desktop\Spyware Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Off\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell...iler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c106.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...73/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned34.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...ab/dlaccell.CAB
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFCC00A3-B363-45E1-8BE5-D6244FA24937}: NameServer = 166.102.165.13,166.102.165.11

#2
Guest_thatman_*
  • Guest
Hi Falcon32

(1) Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

(2) After you have followed all instructions and the setup for Ad-aware SE

(3) Please reboot into safe mode –
How do I boot into "Safe" mode?

Be sure you're able to view hidden files and folders

(4) Please run Ad-aware

(5) Reboot back to normal mode and post a new HJT.Log

Thank You

kc :tazz:

#3
Falcon32
  • Topic Starter
Thank you. I ran everything and this is my most current HijackThis log.
Logfile of HijackThis v1.98.0
Scan saved at 7:45:15 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iugyri.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Documents and Settings\Michael\Desktop\Spyware Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Off\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell...iler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c106.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...73/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned34.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...ab/dlaccell.CAB
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFCC00A3-B363-45E1-8BE5-D6244FA24937}: NameServer = 166.102.165.13,166.102.165.11

#4
Metallica
Spyware Veteran
  • GeekU Moderator
  • 31,671 posts

  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location. (This has to be on your C:\ drive)
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Regards,

Pieter

#5
Falcon32
  • Topic Starter

  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location. (This has to be on your C:\ drive)
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Regards,

Pieter


#6
Falcon32
  • Topic Starter
Thank you again for your help. Here is the output from it.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Michael\Desktop\Spyware Stuff\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32

12/27/2004 08:28 AM 222,889 ltcalspl.dll
12/27/2004 08:27 AM 224,950 i2lolc331f.dll
12/26/2004 07:41 PM 222,889 gp6ol3j31.dll
12/26/2004 06:03 PM 224,950 kjdfi1.dll
12/26/2004 07:33 AM 224,950 WQAVUSD.DLL
12/25/2004 03:28 PM 224,950 m8640ijqe8oe0.dll
12/25/2004 05:02 AM 224,950 h2l2lc3o1f.dll
12/25/2004 04:47 AM 224,950 i4060edseh060.dll
12/25/2004 04:42 AM 224,950 hp4023hmg.dll
12/24/2004 10:26 PM 224,950 d40mled11h0.dll
12/24/2004 09:53 PM 222,933 m6640gjqe6oe0.dll
12/24/2004 08:42 PM 222,933 pvrfos.dll
12/24/2004 05:39 AM 224,950 dznlobby.dll
12/24/2004 05:31 AM 225,507 jtnq0755e.dll
12/24/2004 01:00 AM 223,105 m428lefu1h28.dll
12/23/2004 04:04 PM 224,355 gp2ml3f11.dll
12/23/2004 03:49 PM 223,232 CI60LMON.DLL
12/23/2004 03:49 PM 224,613 en8ol1l31.dll
12/23/2004 11:40 AM 223,599 jt6o07j3e.dll
12/23/2004 05:14 AM 223,354 f22m0cf1ef2.dll
12/22/2004 04:05 PM 223,753 dn2q01f5e.dll
12/22/2004 01:24 PM 223,544 g2jo0c13ef.dll
12/22/2004 12:38 PM 223,356 f42m0ef1eh2.dll
12/22/2004 12:19 AM 224,924 r2r6lc9s1f.dll
12/21/2004 10:05 PM 223,478 i6420ghoe64c0.dll
12/21/2004 08:51 PM 223,585 fpno0353e.dll
12/21/2004 05:09 PM 223,694 m2640cjqefoe0.dll
12/21/2004 12:31 PM 224,854 k226lcfs1f26.dll
12/21/2004 12:24 PM 224,160 n82u0if9e82.dll
12/20/2004 06:57 PM 224,074 o2480chuef480.dll
12/20/2004 08:10 AM 223,232 gp4ul3h91.dll
12/18/2004 05:33 PM 223,232 wddmps.dll
12/18/2004 04:43 PM 223,232 tKembed.dll
12/16/2004 06:26 AM 223,232 wccsvc.dll
12/16/2004 06:26 AM 223,669 jtl4073qe.dll
12/16/2004 06:06 AM 223,450 f8j20i1oe8.dll
12/16/2004 05:53 AM 224,513 en82l1lo1.dll
12/16/2004 05:35 AM 224,966 m4lsle371h.dll
12/15/2004 01:50 PM 223,232 p2p6lc7s1f.dll
12/15/2004 01:45 PM 223,232 f62mlgf1162.dll
12/15/2004 04:18 AM <DIR> DLLCACHE
04/28/2003 03:01 PM <DIR> Microsoft
40 File(s) 8,959,371 bytes
2 Dir(s) 42,796,470,272 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32

12/27/2004 06:27 AM 20,355 ffastlog.txt
12/15/2004 04:18 AM <DIR> DLLCACHE
09/03/2002 08:57 AM 488 logonui.exe.manifest
09/03/2002 08:57 AM 488 WindowsLogon.manifest
09/03/2002 08:57 AM 749 nwc.cpl.manifest
09/03/2002 08:57 AM 749 sapi.cpl.manifest
09/03/2002 08:57 AM 749 ncpa.cpl.manifest
09/03/2002 08:57 AM 749 cdplayer.exe.manifest
09/03/2002 08:57 AM 749 wuaucpl.cpl.manifest
8 File(s) 25,076 bytes
1 Dir(s) 42,796,470,272 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32

08/29/2002 05:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 42,796,462,080 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{046776FA-46A8-4DD3-8DE0-A42BEBA8B88F}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp6ol3j31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\opnzbo.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\yuqgoy.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\zuapwz.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\aukqba.dat: .aspack
C:\WINDOWS\SYSTEM32\iugyri.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ugiytu.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"CookiePatrol"="c:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr_.exe"
"Narrator"="C:\\WINDOWS\\system32\\iugyri.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#7
admin
Founder Geek
  • Administrator
  • 24,501 posts

  1. Download the Pocket Killbox.
  2. Unzip the contents of KillBox.zip to a convenient location.
  3. Double-click on KillBox.exe.
  4. Click "Replace on Reboot" and check the "Use Dummy" box.
  5. Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\ltcalspl.dll
  6. Click the "Delete File" button which looks like a stop sign.
  7. Click "Yes" at the Replace on Reboot prompt.
  8. Click "No" at the Pending Operations prompt.
  9. Repeat steps 4-8 above for these files:
    • C:\WINDOWS\System32\i2lolc331f.dll
    • C:\WINDOWS\System32\gp6ol3j31.dll
    • C:\WINDOWS\System32\kjdfi1.dll
    • C:\WINDOWS\System32\WQAVUSD.DLL
    • C:\WINDOWS\System32\m8640ijqe8oe0.dll
    • C:\WINDOWS\System32\h2l2lc3o1f.dll
    • C:\WINDOWS\System32\i4060edseh060.dll
    • C:\WINDOWS\System32\hp4023hmg.dll
    • C:\WINDOWS\System32\d40mled11h0.dll
    • C:\WINDOWS\System32\m6640gjqe6oe0.dll
    • C:\WINDOWS\System32\pvrfos.dll
    • C:\WINDOWS\System32\dznlobby.dll
    • C:\WINDOWS\System32\jtnq0755e.dll
    • C:\WINDOWS\System32\m428lefu1h28.dll
    • C:\WINDOWS\System32\gp2ml3f11.dll
    • C:\WINDOWS\System32\CI60LMON.DLL
    • C:\WINDOWS\System32\en8ol1l31.dll
    • C:\WINDOWS\System32\jt6o07j3e.dll
    • C:\WINDOWS\System32\f22m0cf1ef2.dll
    • C:\WINDOWS\System32\dn2q01f5e.dll
    • C:\WINDOWS\System32\g2jo0c13ef.dll
    • C:\WINDOWS\System32\f42m0ef1eh2.dll
    • C:\WINDOWS\System32\r2r6lc9s1f.dll
    • C:\WINDOWS\System32\i6420ghoe64c0.dll
    • C:\WINDOWS\System32\fpno0353e.dll
    • C:\WINDOWS\System32\m2640cjqefoe0.dll
    • C:\WINDOWS\System32\k226lcfs1f26.dll
    • C:\WINDOWS\System32\n82u0if9e82.dll
    • C:\WINDOWS\System32\o2480chuef480.dll
    • C:\WINDOWS\System32\gp4ul3h91.dll
    • C:\WINDOWS\System32\wddmps.dll
    • C:\WINDOWS\System32\tKembed.dll
    • C:\WINDOWS\System32\wccsvc.dll
    • C:\WINDOWS\System32\jtl4073qe.dll
    • C:\WINDOWS\System32\f8j20i1oe8.dll
    • C:\WINDOWS\System32\en82l1lo1.dll
    • C:\WINDOWS\System32\m4lsle371h.dll
    • C:\WINDOWS\System32\p2p6lc7s1f.dll
    • C:\WINDOWS\System32\f62mlgf1162.dll
    • C:\WINDOWS\System32\opnzbo.dll
    • C:\WINDOWS\System32\yuqgoy.dll
    • C:\WINDOWS\System32\zuapwz.exe
    • C:\WINDOWS\System32\aukqba.dat
    • C:\WINDOWS\System32\iugyri.exe
  10. Click "Replace on Reboot" and check the "Use Dummy" box.
  11. Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\Guard.tmp
  12. Click the "Delete File" button which looks like a stop sign.
  13. Click "Yes" at the Replace on Reboot prompt.
  14. Click "Yes" at the Pending Operations prompt to restart your computer.
  15. Double-click on find.bat and post the new output.txt.


#8
Falcon32
  • Topic Starter
I ran as directed. Following is the most current log.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Michael\Desktop\Spyware Stuff\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32

12/31/2004 06:19 PM 225,400 k0lqla351d.dll
12/31/2004 08:06 AM 225,400 NDSMsg.DLL
12/31/2004 08:06 AM 222,878 en4ol1h31.dll
12/31/2004 06:59 AM 226,288 s8880ilue8q80.dll
12/30/2004 10:59 PM 225,400 p8r4li9q18.dll
12/30/2004 10:57 PM 225,400 aoivvaxx.dll
12/27/2004 12:07 PM 225,400 m246lchs1f46.dll
12/27/2004 10:27 AM 225,400 c800lidm180a.dll
12/27/2004 09:44 AM 224,950 irlol5331.dll
12/24/2004 09:53 PM 222,933 m6640gjqe6oe0.dll
12/24/2004 08:42 PM 222,933 pvrfos.dll
12/24/2004 05:39 AM 224,950 dznlobby.dll
12/24/2004 05:31 AM 225,507 jtnq0755e.dll
12/24/2004 01:00 AM 223,105 m428lefu1h28.dll
12/23/2004 04:04 PM 224,355 gp2ml3f11.dll
12/23/2004 03:49 PM 223,232 CI60LMON.DLL
12/23/2004 03:49 PM 224,613 en8ol1l31.dll
12/23/2004 11:40 AM 223,599 jt6o07j3e.dll
12/23/2004 05:14 AM 223,354 f22m0cf1ef2.dll
12/22/2004 04:05 PM 223,753 dn2q01f5e.dll
12/22/2004 01:24 PM 223,544 g2jo0c13ef.dll
12/22/2004 12:38 PM 223,356 f42m0ef1eh2.dll
12/22/2004 12:19 AM 224,924 r2r6lc9s1f.dll
12/21/2004 10:05 PM 223,478 i6420ghoe64c0.dll
12/21/2004 08:51 PM 223,585 fpno0353e.dll
12/21/2004 05:09 PM 223,694 m2640cjqefoe0.dll
12/21/2004 12:31 PM 224,854 k226lcfs1f26.dll
12/21/2004 12:24 PM 224,160 n82u0if9e82.dll
12/20/2004 06:57 PM 224,074 o2480chuef480.dll
12/20/2004 08:10 AM 223,232 gp4ul3h91.dll
12/18/2004 05:33 PM 223,232 wddmps.dll
12/18/2004 04:43 PM 223,232 tKembed.dll
12/16/2004 06:26 AM 223,232 wccsvc.dll
12/16/2004 06:26 AM 223,669 jtl4073qe.dll
12/16/2004 06:06 AM 223,450 f8j20i1oe8.dll
12/16/2004 05:53 AM 224,513 en82l1lo1.dll
12/16/2004 05:35 AM 224,966 m4lsle371h.dll
12/15/2004 01:50 PM 223,232 p2p6lc7s1f.dll
12/15/2004 01:45 PM 223,232 f62mlgf1162.dll
12/15/2004 04:18 AM <DIR> DLLCACHE
04/28/2003 03:01 PM <DIR> Microsoft
39 File(s) 8,740,509 bytes
2 Dir(s) 42,235,400,192 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32

12/31/2004 09:13 PM 21,512 ffastlog.txt
12/15/2004 04:18 AM <DIR> DLLCACHE
09/03/2002 08:57 AM 488 logonui.exe.manifest
09/03/2002 08:57 AM 488 WindowsLogon.manifest
09/03/2002 08:57 AM 749 nwc.cpl.manifest
09/03/2002 08:57 AM 749 sapi.cpl.manifest
09/03/2002 08:57 AM 749 ncpa.cpl.manifest
09/03/2002 08:57 AM 749 cdplayer.exe.manifest
09/03/2002 08:57 AM 749 wuaucpl.cpl.manifest
8 File(s) 26,233 bytes
1 Dir(s) 42,235,400,192 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32

12/31/2004 06:53 PM 222,878 guard.tmp
1 File(s) 222,878 bytes
0 Dir(s) 42,235,396,096 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 2431-FDDC

Directory of C:\WINDOWS\System32

12/31/2004 06:53 PM 222,878 guard.tmp
08/29/2002 05:00 AM 2,577 CONFIG.TMP
2 File(s) 225,455 bytes
0 Dir(s) 42,235,392,000 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{046776FA-46A8-4DD3-8DE0-A42BEBA8B88F}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4ol1h31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM32\opnzbo.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\yuqgoy.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\zuapwz.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM32\aukqba.dat: .aspack
C:\WINDOWS\SYSTEM32\iugyri.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ugiytu.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"CookiePatrol"="c:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr_.exe"
"Narrator"="C:\\WINDOWS\\system32\\iugyri.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"