Logfile of HijackThis v1.99.0
Scan saved at 10:53:07 AM, on 12/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\starter.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\hjt\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: hhniut.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dom.duhs.duke.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dom.duhs.duke.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dom.duhs.duke.edu
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BES Client - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
and the next log:
Find.bat is running from: C:\Documents and Settings\Administrator\My Documents\hjt\findit\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 4467-C2F3
Directory of C:\WINNT\System32
12/28/2004 04:58a 224,371 oxbcint.dll
12/28/2004 04:58a 226,257 s688lglu16q8.dll
12/28/2004 04:33a 224,371 fpn2035oe.dll
12/28/2004 03:52a 224,985 jt6s07j7e.dll
12/28/2004 03:34a 224,371 fYxt30.dll
12/28/2004 03:28a 225,966 irrql5951.dll
12/27/2004 11:31p 224,546 dp16gt.dLL
12/27/2004 04:18p 225,460 midtcprx.dll
12/27/2004 01:12p 224,198 mphcp.dll
12/27/2004 12:22p 225,460 dyband.dll
12/15/2004 12:23a 224,198 ktp0l77m1.dll
12/08/2004 04:39p 224,198 IRROP.DLL
12/08/2004 04:39p 225,628 j0l4la3q1d.dll
12/07/2004 10:50p 224,198 k662lgjo16oc.dll
12/06/2004 11:20p 224,198 dnn8015ue.dll
12/06/2004 08:23p 224,198 czc.dll
12/06/2004 08:01p 224,198 n0n6la5s1d.dll
12/06/2004 07:12a 224,198 ktn0l75m1.dll
12/05/2004 11:26p 225,321 gp08l3du1.dll
12/05/2004 12:30p 224,610 en24l1fq1.dll
12/04/2004 11:26p 225,494 dnpm0171e.dll
12/04/2004 06:35p 225,728 hr0405dqe.dll
12/03/2004 12:47a 224,061 lv2809fue.dll
23 File(s) 5,170,213 bytes
0 Dir(s) 32,975,179,776 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 4467-C2F3
Directory of C:\WINNT\System32
06/04/2004 07:24a <DIR> GroupPolicy
06/03/2004 11:48a 21,692 folder.htt
06/03/2004 11:48a 271 desktop.ini
2 File(s) 21,963 bytes
1 Dir(s) 32,975,179,776 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is 4467-C2F3
Directory of C:\WINNT\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is 4467-C2F3
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 32,975,175,680 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{34D55A66-08FF-40FC-ABBC-BF65F07ED51A}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\fpn2035oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
------------------ Locate.com Results ------------------
C:\WINNT\SYSTEM32\
czc.dll Mon Dec 6 2004 8:23:24p ..S.R 224,198 218.94 K
dnn801~1.dll Mon Dec 6 2004 11:20:26p ..S.R 224,198 218.94 K
dnpm01~1.dll Sat Dec 4 2004 11:26:40p ..S.R 225,494 220.21 K
dp16gt.dll Mon Dec 27 2004 11:31:50p ..S.R 224,546 219.28 K
dyband.dll Mon Dec 27 2004 12:22:34p ..S.R 225,460 220.18 K
en24l1~1.dll Sun Dec 5 2004 12:30:42p ..S.R 224,610 219.34 K
fpn203~1.dll Tue Dec 28 2004 4:33:14a ..S.R 224,371 219.11 K
fyxt30.dll Tue Dec 28 2004 3:34:52a ..S.R 224,371 219.11 K
gp08l3~1.dll Sun Dec 5 2004 11:26:26p ..S.R 225,321 220.04 K
hr0405~1.dll Sat Dec 4 2004 6:35:20p ..S.R 225,728 220.44 K
irrop.dll Wed Dec 8 2004 4:39:46p ..S.R 224,198 218.94 K
irrql5~1.dll Tue Dec 28 2004 3:28:10a ..S.R 225,966 220.67 K
j0l4la~1.dll Wed Dec 8 2004 4:39:46p ..S.R 225,628 220.34 K
jt6s07~1.dll Tue Dec 28 2004 3:52:50a ..S.R 224,985 219.71 K
k662lg~1.dll Tue Dec 7 2004 10:50:56p ..S.R 224,198 218.94 K
ktn0l7~1.dll Mon Dec 6 2004 7:12:38a ..S.R 224,198 218.94 K
ktp0l7~1.dll Wed Dec 15 2004 12:23:50a ..S.R 224,198 218.94 K
lv2809~1.dll Fri Dec 3 2004 12:47:08a ..S.R 224,061 218.81 K
midtcprx.dll Mon Dec 27 2004 4:18:10p ..S.R 225,460 220.18 K
mphcp.dll Mon Dec 27 2004 1:12:40p ..S.R 224,198 218.94 K
n0n6la~1.dll Mon Dec 6 2004 8:01:44p ..S.R 224,198 218.94 K
oxbcint.dll Tue Dec 28 2004 4:58:40a ..S.R 224,371 219.11 K
s688lg~1.dll Tue Dec 28 2004 4:58:40a ..S.R 226,257 220.95 K
23 items found: 23 files, 0 directories.
Total of file sizes: 5,170,213 bytes 4.93 M
------------ Strings.exe Qoologic Results ------------
C:\WINNT\system32\ccpqwo.dll: updates.qoologic.com
C:\WINNT\system32\eeanop.dll: updates.qoologic.com
C:\WINNT\system32\hhqazw.exe: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINNT\system32\ppvkab.dat: .aspack
C:\WINNT\system32\wwkcir.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hhniut.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\""
"EnsoniqMixer"="C:\\WINNT\\system32\\starter.exe"
"AtiPTA"="atiptaxx.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"
"Narrator"="C:\\WINNT\\system32\\wwkcir.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Ive tried all sorts of stuff, even buying Adaware. Still didnt help, but I still love Adaware.