major issues with my PC


#1 djboston (New Member, 6 posts)

So my comp has been acting really screwy for the last few days. Now it keeps re-installing Bargain Buddy on its own and some random game, either pacman.exe or tetris.exe.

Before that, it would randomly re-boot on its own if I left it idle. Same goes for pop-up ads. Now, I ran Ad-Aware SE, and it literally found hundreds of files. It would go to quarantine the items, then delete, but WOULDN'T delete the items! I've had this PC for too long as it is, but need to extend the life of it a couple more months.

I am running Win ME on this PC.

Here is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 9:11:27 PM, on 12/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM302.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\RECOMMENDED HOTFIX - 421701D\V15\RH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\PROGRAM FILES\COMMON FILES\JUSTDO\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE027.DLL
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx...erInstaller.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.side...00719/sb01f.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.ho...ex/HMAtchmt.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgr...ayx_vp6_mp3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vto_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)

-walt
  • 0

#2 djboston (Topic Starter, New Member, 6 posts)

Okay, now, I just installed HijackThis v1.99 and re-scanned my system... so my apologies for a second log, but I did notice differences:

Logfile of HijackThis v1.99.0
Scan saved at 9:35:45 PM, on 12/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ERRORGUARD\ERRORGUARD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne2.attbb.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\PROGRAM FILES\COMMON FILES\JUSTDO\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE027.DLL
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx...erInstaller.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.side...00719/sb01f.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.ho...ex/HMAtchmt.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgr...ayx_vp6_mp3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct4_x.cab
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vto_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
-walt
  • 0

#3 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)

First see if you can uninstall SurfSideKick and New.Net in Add/Remove Software.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"

O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.side...00719/sb01f.cab

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)

Download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of aklsp.dll and new.net, and move them to the "Remove" pane.
Then click Finish.

Reboot into safe mode and delete:
C:\Program Files\Internet Optimizer <= entire folder
C:\Program Files\BullsEye Network <= entire folder
C:\Program Files\VBouncer <= entire folder
C:\Program Files\CashBack <= entire folder
C:\PROGRAM FILES\SED <= entire folder
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Regards,

Pieter

Edited by Metallica, 27 December 2004 - 05:20 AM.

  • 0
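
The checks behind the "Fix checked" list above, as an added example (not part of the thread and not HijackThis code): it parses the "Rn - ..." / "On - ..." entry lines of a HijackThis log, flags hosts-file entries that redirect a name to a non-local address, hooks and filters that point at "(no file)", Winsock LSP entries, and Run entries living under folders the helper named as adware, and diffs two logs so a rescan can be compared with the first scan. ADWARE_DIRS is an assumed toy list built only from the names in this thread.

```python
"""Triage two HijackThis logs the way a helper reads them by eye.

Added example; not part of the thread and not HijackThis's own logic.
ADWARE_DIRS is an assumption drawn from this thread only.
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(
    r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Folder-name prefixes treated as adware in this thread (assumed toy list;
# a real tool carries a maintained database and is still only a hint).
ADWARE_DIRS = ("SURFSIDEKICK", "INTERNET OPTIMIZER", "BULLSEYE NETWORK",
               "VBOUNCER", "CASHBACK", "SED", "IEMENU")
LOCAL_IPS = ("127.0.0.1", "0.0.0.0", "::1")


def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _path_parts(cmd):
    """Split a Run command into upper-cased path components."""
    return [p.strip('"').upper() for p in re.split(r"[\\/]", cmd)]


def triage(entries):
    """Return (reason, section, body) for each entry worth a second look."""
    findings = []
    for section, body in entries:
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group("ip") not in LOCAL_IPS:
                findings.append(("hosts-redirect", section, body))
        elif section in ("R3", "O2", "O9", "O18") and "(no file)" in body:
            findings.append(("orphaned-entry", section, body))
        elif section == "O10":
            # Every O10 line is a Winsock LSP chain entry HijackThis flagged.
            findings.append(("winsock-lsp", section, body))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and any(p.startswith(d) for p in _path_parts(m.group("cmd"))
                         for d in ADWARE_DIRS):
                findings.append(("adware-autorun", section, body))
    return findings


def diff_logs(old_entries, new_entries):
    """(entries only in the new log, entries only in the old log)."""
    old, new = set(old_entries), set(new_entries)
    return sorted(new - old), sorted(old - new)


# Constructed excerpt modelled on the two logs posted above.
LOG_1 = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O10 - Hijacked Internet access by New.Net
"""
LOG_2 = LOG_1 + r"""
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
"""

if __name__ == "__main__":
    first, second = parse_hjt(LOG_1), parse_hjt(LOG_2)
    for reason, section, body in triage(second):
        print(f"{reason:16} {section} - {body}")
    added, removed = diff_logs(first, second)
    print("new since first scan:", len(added), "gone:", len(removed))
```

A flagged entry is a review item, not a verdict: a legitimate security product can also register an LSP or a BHO, which is why the helper checks each line against the rest of the log before naming it.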

#4 djboston (Topic Starter, New Member, 6 posts)

Per your request:

---------------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------

Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM32

14,909.69 MB free

------- Hidden Files in System32 Directory -------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM32

14,909.66 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM32

14,909.63 MB free

--------- Temp Files in System32 Directory --------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM32

14,909.59 MB free

---------------- User Agent ------------


------------ Keys Under Notify ------------


------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------


Thank you for all the help!

-walt
  • 0

#5 djboston (Topic Starter, New Member, 6 posts)

Okay, I am still getting one popup.

This is the site

I am wondering if anything from above would give this away and help me to delete it. Thanks!

-walt
  • 0

#6 admin (Founder Geek, Community Leader, 24,639 posts)

Let's try this version of Find_it for Win9X systems:
http://www.geekstogo...=download&id=42

Same instructions as above.
  • 0

#7 djboston (Topic Starter, New Member, 6 posts)

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM32

14,898.03 MB free

------- Hidden Files in System32 Directory -------

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM

OTE2 DLL 217,088 12-26-04 8:45p OTE2.DLL
SWORAGE DLL 217,088 12-26-04 8:45p SWORAGE.DLL
LAPNG80N DLL 217,088 12-26-04 8:45p LAPNG80N.DLL
RDCLTCCM DLL 217,088 12-26-04 8:45p RDCLTCCM.DLL
MJCO30 DLL 217,088 12-26-04 8:45p MJCO30.DLL
MPJINT40 DLL 217,088 12-26-04 8:45p MPJINT40.DLL
RUFRATE DLL 217,088 12-26-04 8:45p RUFRATE.DLL
SKORAGE DLL 217,088 12-26-04 8:45p SKORAGE.DLL
MATKT32 DLL 217,088 12-26-04 8:45p matkt32.dll
LBFIL13N DLL 217,088 12-26-04 8:45p lbfil13n.dll
MWMPEG DLL 217,088 12-26-04 8:45p mwmpeg.dll
CNRVIDCC DLL 217,088 12-26-04 8:45p cnrvidcc.DLL
NHRSFR DLL 217,088 12-26-04 8:45p NHRSFR.dll
FAH1Q5 EXE 253,968 12-22-04 11:16p Fah1q5.exe
WDCOW0 EXE 253,968 12-22-04 11:16p WdcOW0.exe
RRMFLL EXE 389,120 12-22-04 2:23p rrmfll.exe
CCC413~1 SYS 56 10-16-04 11:22p CCC413E3FC.sys
KGYGAAVL SYS 1,890 10-16-04 11:22p KGyGaAvL.sys
ARCHLIB DLL 196,608 04-09-03 3:30p archlib.dll
MMF SYS 713 01-06-02 6:47a mmf.sys
20 file(s) 3,918,467 bytes
0 dir(s) 14,906.56 MB free


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM32

14,898.03 MB free

---------- Files Named "Guard" -------------

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM

VX3 NLS 8,192 12-26-04 9:10p VX3.NLS
VX3X NLS 8,192 12-26-04 9:10p VX3X.NLS
VX0 NLS 8,192 12-26-04 8:46p VX0.NLS
VX1 NLS 8,192 12-26-04 8:46p VX1.NLS
VX1X NLS 8,192 12-26-04 8:46p VX1X.NLS
FAH1Q5 EXE 253,968 12-22-04 11:16p Fah1q5.exe
WDCOW0 EXE 253,968 12-22-04 11:16p WdcOW0.exe
RRMFLL EXE 389,120 12-22-04 2:23p rrmfll.exe
CCC413~1 SYS 56 10-16-04 11:22p CCC413E3FC.sys
KGYGAAVL SYS 1,890 10-16-04 11:22p KGyGaAvL.sys
CLEANE~1 EXE 22,528 05-20-04 6:58p cleaner12.exe
LXAE9XDH GID 32,432 09-23-03 11:28a Lxae9xdh.GID
IETIE DLL 73,728 05-15-03 9:46p IETie.dll
WUP_W1~1 INI 94 12-23-02 4:24p wup_W1ssg.ini
WS306782 OCX 515 04-24-02 2:41p ws306782.ocx
MMF SYS 713 01-06-02 6:47a mmf.sys
FOLDER HTT 23,155 06-20-00 4:37p folder.htt
DESKTOP INI 271 06-20-00 4:37p desktop.ini
18 file(s) 1,093,398 bytes
0 dir(s) 14,906.56 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DE59F9AC-8DD4-4585-9A5C-6ED86960CCF7}"=""



No matches found.

------------ Strings.exe Qoologic Results ------------


No matches found.

------------ Strings.exe Qoologic Results ------------

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
ote2.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
kgygaavl.sys Sat Oct 16 2004 11:22:28p A.SH. 1,890 1.84 K
ccc413~1.sys Sat Oct 16 2004 11:22:30p ..SHR 56 0.05 K
rrmfll.exe Wed Dec 22 2004 2:23:16p ..SHR 389,120 380.00 K
fah1q5.exe Wed Dec 22 2004 11:16:44p ..SH. 253,968 248.02 K
vx3.nls Sun Dec 26 2004 9:10:40p ...HR 8,192 8.00 K
vx3x.nls Sun Dec 26 2004 9:10:40p ...HR 8,192 8.00 K
wdcow0.exe Wed Dec 22 2004 11:16:44p ..SH. 253,968 248.02 K
sworage.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
lapng80n.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
vx1.nls Sun Dec 26 2004 8:46:00p ...HR 8,192 8.00 K
rdcltccm.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
mjco30.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
vx1x.nls Sun Dec 26 2004 8:46:00p ...HR 8,192 8.00 K
mpjint40.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
rufrate.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
vx0.nls Sun Dec 26 2004 8:46:06p ...HR 8,192 8.00 K
skorage.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
matkt32.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
lbfil13n.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
mwmpeg.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
cnrvidcc.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
nhrsfr.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K

23 items found: 23 files, 0 directories.
Total of file sizes: 3,762,106 bytes 3.59 M


-------------- Strings.exe Aspack Results -------------


-------------- Strings.exe Aspack Results -------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\lpt$vpn.319: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.319: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.319: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.319: TROJ_QOOLOGIC.A


----------------- HKLM Run Key ------------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\pav.sig: .aspack
C:\WINDOWS\SYSTEM\pav.sig: :.aspackze
C:\WINDOWS\SYSTEM\pav.sig: .aspack.text
C:\WINDOWS\SYSTEM\pav.sig: H.aspack.text
C:\WINDOWS\SYSTEM\pav.sig: .aspack.text
C:\WINDOWS\SYSTEM\pav.sig: 4.aspack
C:\WINDOWS\SYSTEM\pav.sig: F<SW.aspack
C:\WINDOWS\SYSTEM\pav.sig: [.aspack
C:\WINDOWS\SYSTEM\pav.sig: .aspack0
C:\WINDOWS\SYSTEM\pav.sig: .aspack
C:\WINDOWS\SYSTEM\pav.sig: .aspack
C:\WINDOWS\SYSTEM\pav.sig: [email protected]
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\OTE2.DLL: UMonitor
C:\WINDOWS\SYSTEM\SWORAGE.DLL: UMonitor
C:\WINDOWS\SYSTEM\LAPNG80N.DLL: UMonitor
C:\WINDOWS\SYSTEM\RDCLTCCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\MJCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\Npdscsi.dll: UMonitor
C:\WINDOWS\SYSTEM\MPJINT40.DLL: UMonitor
C:\WINDOWS\SYSTEM\RUFRATE.DLL: UMonitor
C:\WINDOWS\SYSTEM\SKORAGE.DLL: UMonitor
C:\WINDOWS\SYSTEM\matkt32.dll: UMonitor
C:\WINDOWS\SYSTEM\lbfil13n.dll: UMonitor
C:\WINDOWS\SYSTEM\mwmpeg.dll: UMonitor
C:\WINDOWS\SYSTEM\cnrvidcc.DLL: UMonitor
C:\WINDOWS\SYSTEM\NHRSFR.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vshwin32EXE"="C:\\PROGRAM FILES\\NETWORK ASSOCIATES\\MCAFEE VIRUSSCAN\\VSHWIN32.EXE"
"RCScheduleCheck"="C:\\PROGRAM FILES\\VCOM\\RECOVERY COMMANDER\\RCSCHED.EXE -CHECK"
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"mswspl"=""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"


-walt
  • 0

#8 admin (Founder Geek, Community Leader, 24,639 posts)

  1. Download the Pocket Killbox.
  2. Unzip the contents of KillBox.zip to a convenient location.
  3. Double-click on KillBox.exe.
  4. Click "Replace on Reboot" and check the "Use Dummy" box.
  5. Paste this file into the top "Full Path of File to Delete" box.
     • C:\WINDOWS\System32\OTE2.DLL
  6. Click the "Delete File" button which looks like a stop sign.
  7. Click "Yes" at the Replace on Reboot prompt.
  8. Click "No" at the Pending Operations prompt.
  9. Repeat steps 4-8 above for these files:
     • C:\WINDOWS\System32\SWORAGE.DLL
     • C:\WINDOWS\System32\LAPNG80N.DLL
     • C:\WINDOWS\System32\RDCLTCCM.DLL
     • C:\WINDOWS\System32\MJCO30.DLL
     • C:\WINDOWS\System32\MPJINT40.DLL
     • C:\WINDOWS\System32\RUFRATE.DLL
     • C:\WINDOWS\System32\SKORAGE.DLL
     • C:\WINDOWS\System32\matkt32.dll
     • C:\WINDOWS\System32\lbfil13n.dll
     • C:\WINDOWS\System32\mwmpeg.dll
     • C:\WINDOWS\System32\cnrvidcc.DLL
     • C:\WINDOWS\System32\NHRSFR.dll
     • C:\WINDOWS\System32\Fah1q5.exe
     • C:\WINDOWS\System32\WdcOW0.exe
     • C:\WINDOWS\System32\rrmfll.exe
     • C:\WINDOWS\System32\vsapi32.dll
  10. Click "Replace on Reboot" and check the "Use Dummy" box.
  11. Paste this file into the top "Full Path of File to Delete" box.
     • C:\WINDOWS\System32\Guard.tmp
  12. Click the "Delete File" button which looks like a stop sign.
  13. Click "Yes" at the Replace on Reboot prompt.
  14. Click "Yes" at the Pending Operations prompt to restart your computer.
  15. Double-click on find.bat and post the new output.txt.


#9
djboston

    New Member

  • Topic Starter
  • Member
  • 6 posts
Okay, when I open that Pocket Killbox, I get an "OK" or "Cancel" on the "Replace at Reboot" but nothing saying anything of the sort "pending operations" (which I assume reboots the computer, right?)

So I followed the rest anyhow, and it looks like it didn't get rid of ANY of these files. Here's the output:

--------------------------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM

LIKODAK DLL 217,088 12-26-04 8:45p LIKODAK.DLL
MAANG DLL 217,088 12-26-04 8:45p MAANG.DLL
OTE2 DLL 217,088 12-26-04 8:45p OTE2.DLL
SIEM0409 DLL 217,088 12-26-04 8:45p SIEM0409.DLL
SWORAGE DLL 217,088 12-26-04 8:45p SWORAGE.DLL
LAPNG80N DLL 217,088 12-26-04 8:45p LAPNG80N.DLL
RDCLTCCM DLL 217,088 12-26-04 8:45p RDCLTCCM.DLL
MJCO30 DLL 217,088 12-26-04 8:45p MJCO30.DLL
MPJINT40 DLL 217,088 12-26-04 8:45p MPJINT40.DLL
RUFRATE DLL 217,088 12-26-04 8:45p RUFRATE.DLL
SKORAGE DLL 217,088 12-26-04 8:45p SKORAGE.DLL
MATKT32 DLL 217,088 12-26-04 8:45p matkt32.dll
LBFIL13N DLL 217,088 12-26-04 8:45p lbfil13n.dll
MWMPEG DLL 217,088 12-26-04 8:45p mwmpeg.dll
CNRVIDCC DLL 217,088 12-26-04 8:45p cnrvidcc.DLL
NHRSFR DLL 217,088 12-26-04 8:45p NHRSFR.dll
FAH1Q5 EXE 253,968 12-22-04 11:16p Fah1q5.exe
WDCOW0 EXE 253,968 12-22-04 11:16p WdcOW0.exe
RRMFLL EXE 389,120 12-22-04 2:23p rrmfll.exe
CCC413~1 SYS 56 10-16-04 11:22p CCC413E3FC.sys
KGYGAAVL SYS 1,890 10-16-04 11:22p KGyGaAvL.sys
ARCHLIB DLL 196,608 04-09-03 3:30p archlib.dll
MMF SYS 713 01-06-02 6:47a mmf.sys
23 file(s) 4,569,731 bytes
0 dir(s) 14,958.66 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM

VX3 NLS 8,192 12-26-04 9:10p VX3.NLS
VX3X NLS 8,192 12-26-04 9:10p VX3X.NLS
VX0 NLS 8,192 12-26-04 8:46p VX0.NLS
VX1 NLS 8,192 12-26-04 8:46p VX1.NLS
VX1X NLS 8,192 12-26-04 8:46p VX1X.NLS
FAH1Q5 EXE 253,968 12-22-04 11:16p Fah1q5.exe
WDCOW0 EXE 253,968 12-22-04 11:16p WdcOW0.exe
RRMFLL EXE 389,120 12-22-04 2:23p rrmfll.exe
CCC413~1 SYS 56 10-16-04 11:22p CCC413E3FC.sys
KGYGAAVL SYS 1,890 10-16-04 11:22p KGyGaAvL.sys
CLEANE~1 EXE 22,528 05-20-04 6:58p cleaner12.exe
LXAE9XDH GID 32,432 09-23-03 11:28a Lxae9xdh.GID
IETIE DLL 73,728 05-15-03 9:46p IETie.dll
WUP_W1~1 INI 94 12-23-02 4:24p wup_W1ssg.ini
WS306782 OCX 515 04-24-02 2:41p ws306782.ocx
MMF SYS 713 01-06-02 6:47a mmf.sys
FOLDER HTT 23,155 06-20-00 4:37p folder.htt
DESKTOP INI 271 06-20-00 4:37p desktop.ini
18 file(s) 1,093,398 bytes
0 dir(s) 14,958.63 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DE59F9AC-8DD4-4585-9A5C-6ED86960CCF7}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
likodak.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
maang.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
ote2.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
siem0409.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
kgygaavl.sys Sat Oct 16 2004 11:22:28p A.SH. 1,890 1.84 K
ccc413~1.sys Sat Oct 16 2004 11:22:30p ..SHR 56 0.05 K
rrmfll.exe Wed Dec 22 2004 2:23:16p ..SHR 389,120 380.00 K
fah1q5.exe Wed Dec 22 2004 11:16:44p ..SH. 253,968 248.02 K
vx3.nls Sun Dec 26 2004 9:10:40p ...HR 8,192 8.00 K
vx3x.nls Sun Dec 26 2004 9:10:40p ...HR 8,192 8.00 K
wdcow0.exe Wed Dec 22 2004 11:16:44p ..SH. 253,968 248.02 K
sworage.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
lapng80n.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
vx1.nls Sun Dec 26 2004 8:46:00p ...HR 8,192 8.00 K
rdcltccm.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
mjco30.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
vx1x.nls Sun Dec 26 2004 8:46:00p ...HR 8,192 8.00 K
mpjint40.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
rufrate.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
vx0.nls Sun Dec 26 2004 8:46:06p ...HR 8,192 8.00 K
skorage.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
matkt32.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
lbfil13n.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
mwmpeg.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
cnrvidcc.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
nhrsfr.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K

26 items found: 26 files, 0 directories.
Total of file sizes: 4,413,370 bytes 4.21 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\lpt$vpn.319: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.319: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.319: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.319: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\pav.sig: .aspack
C:\WINDOWS\SYSTEM\pav.sig: :.aspackze
C:\WINDOWS\SYSTEM\pav.sig: .aspack.text
C:\WINDOWS\SYSTEM\pav.sig: H.aspack.text
C:\WINDOWS\SYSTEM\pav.sig: .aspack.text
C:\WINDOWS\SYSTEM\pav.sig: 4.aspack
C:\WINDOWS\SYSTEM\pav.sig: F<SW.aspack
C:\WINDOWS\SYSTEM\pav.sig: [.aspack
C:\WINDOWS\SYSTEM\pav.sig: .aspack0
C:\WINDOWS\SYSTEM\pav.sig: .aspack
C:\WINDOWS\SYSTEM\pav.sig: .aspack
C:\WINDOWS\SYSTEM\pav.sig: [email protected]
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\LIKODAK.DLL: UMonitor
C:\WINDOWS\SYSTEM\MAANG.DLL: UMonitor
C:\WINDOWS\SYSTEM\OTE2.DLL: UMonitor
C:\WINDOWS\SYSTEM\SIEM0409.DLL: UMonitor
C:\WINDOWS\SYSTEM\SWORAGE.DLL: UMonitor
C:\WINDOWS\SYSTEM\LAPNG80N.DLL: UMonitor
C:\WINDOWS\SYSTEM\RDCLTCCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\MJCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\Npdscsi.dll: UMonitor
C:\WINDOWS\SYSTEM\MPJINT40.DLL: UMonitor
C:\WINDOWS\SYSTEM\RUFRATE.DLL: UMonitor
C:\WINDOWS\SYSTEM\SKORAGE.DLL: UMonitor
C:\WINDOWS\SYSTEM\matkt32.dll: UMonitor
C:\WINDOWS\SYSTEM\lbfil13n.dll: UMonitor
C:\WINDOWS\SYSTEM\mwmpeg.dll: UMonitor
C:\WINDOWS\SYSTEM\cnrvidcc.DLL: UMonitor
C:\WINDOWS\SYSTEM\NHRSFR.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vshwin32EXE"="C:\\PROGRAM FILES\\NETWORK ASSOCIATES\\MCAFEE VIRUSSCAN\\VSHWIN32.EXE"
"RCScheduleCheck"="C:\\PROGRAM FILES\\VCOM\\RECOVERY COMMANDER\\RCSCHED.EXE -CHECK"
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"mswspl"=""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"


-walt
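As an added example, not from this thread or from any of the tools it mentions: a small Python script that parses lines in the format of the locate.com section above, groups files that share one size and one timestamp (the way the 217,088-byte DLLs all written at 8:45:14p do), and reports which names from a deletion list are still present after the reboot, which is the check djboston made by eye. The sample lines are constructed from the listing above; the function names are this example's own.

```python
"""Added example: spot clusters of look-alike files in a locate.com-style
listing and check which Killbox targets survived the reboot."""
from collections import defaultdict

# Constructed sample in the format of the thread's locate.com output.
LISTING = """\
likodak.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
ote2.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
sworage.dll Sun Dec 26 2004 8:45:14p ..S.R 217,088 212.00 K
rrmfll.exe Wed Dec 22 2004 2:23:16p ..SHR 389,120 380.00 K
fah1q5.exe Wed Dec 22 2004 11:16:44p ..SH. 253,968 248.02 K
wdcow0.exe Wed Dec 22 2004 11:16:44p ..SH. 253,968 248.02 K
vx0.nls Sun Dec 26 2004 8:46:06p ...HR 8,192 8.00 K
"""


def parse_listing(text):
    """Return {name: (timestamp, attrs, size_bytes)} for each file line."""
    files = {}
    for line in text.splitlines():
        tok = line.split()
        # Skip directory headers, totals and blank lines: a file line has a
        # name, five timestamp tokens ending in a/p, attributes and a size.
        if len(tok) < 8 or tok[5][-1] not in "ap":
            continue
        name, stamp, attrs = tok[0].lower(), " ".join(tok[1:6]), tok[6]
        files[name] = (stamp, attrs, int(tok[7].replace(",", "")))
    return files


def find_clusters(files, min_members=3):
    """Group files sharing an identical size and timestamp. Randomly named
    copies of one binary dropped in a single batch show up this way, while
    legitimate system files rarely do."""
    groups = defaultdict(list)
    for name, (stamp, _attrs, size) in files.items():
        groups[(size, stamp)].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


def survivors(files, targets):
    """Names from a deletion list (any case) that are still in the listing."""
    return sorted(t for t in targets if t.lower() in files)


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    print(find_clusters(parsed))
    print(survivors(parsed, ["OTE2.DLL", "SWORAGE.DLL", "Guard.tmp"]))
```

Run against the full second output above, the cluster check groups all sixteen 217,088-byte DLLs together, and the survivor check lists every DLL from the Killbox step that is still present.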