Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Probable infection

Started by rprather , Dec 29 2004 12:28 PM

Please log in to reply

#1
rprather

Posted 29 December 2004 - 12:28 PM

Member

Member
14 posts

At boot-up, I get a Rundll error messagte that an exception occurred when trying to run .....umonitor. Occassionally, I get a fatal error for no apparent reason that causes a shut-down.

Logfile of HijackThis v1.99.0
Scan saved at 12:23:03 PM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\ZipToA.exe
E:\WINNT\Explorer.EXE
E:\WINNT\system32\qoquii.exe
E:\Program Files\Dell\Solution Center\service.exe
E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
E:\PROGRA~1\Adaptec\DirectCD\directcd.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\WINNT\System32\MsiExec.exe
E:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
E:\Program Files\Microsoft Money\System\mnyexpr.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\Palm\hotsync.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\12Ghosts\12popup.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\WINNT\system32\rundll32.exe
E:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - E:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DellSC] E:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [Iomega Startup Options] E:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] E:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [CreateCD] E:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MoneyAgent] "E:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: HotSync Manager.lnk = E:\Palm\hotsync.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: 12Ghosts Popup-Killer.lnk = E:\Program Files\12Ghosts\12popup.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager 2.0.lnk = E:\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - E:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - E:\WINNT\System32\IomegaAccess.exe
O23 - Service: SymWMI Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - E:\WINNT\System32\ZipToA.exe

#2
-=jonnyrotten=-

Posted 29 December 2004 - 02:03 PM

Member 2k

Retired Staff
2,678 posts

Download

finditnt2000xp.zip.
Unzip the contents of finditnt2000xp.zip to a convenient location.
Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.
Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

-=jonnyrotten=- :tazz:

#3
rprather

Posted 29 December 2004 - 02:30 PM

Member

Topic Starter
Member
14 posts

Download

finditnt2000xp.zip.

Unzip the contents of finditnt2000xp.zip to a convenient location.

Navigate to the Find It NT-2K-XP folder and double-click on find.bat.

A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.

Copy the entire contents of output.txt into your next post.
-=jonnyrotten=-

#4
rprather

Posted 29 December 2004 - 03:28 PM

Member

Topic Starter
Member
14 posts

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: E:\Documents and Settings\administrator\Desktop\041229 GeeksToGo\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 09:50a 223,073 o2ro0c93ef.dll
12/28/2004 09:59p 223,073 h82olif3182.dll
12/28/2004 09:51p 223,073 gpl6l33s1.dll
12/28/2004 09:32p 223,073 lvj4091qe.dll
12/28/2004 09:29p 223,602 lv2q09f5e.dll
12/25/2004 10:01a 223,073 fpj2031oe.dll
12/25/2004 09:23a 224,891 mv6ml9j11.dll
12/22/2004 01:18a 224,389 q4ps0e77eh.dll
12/22/2004 01:01a 225,710 iysetup.dll
12/22/2004 12:40a 224,986 dsdlgs.dll
12/21/2004 11:29p 225,671 nqtevent.dll
12/21/2004 08:55p 225,671 hitplug.dll
12/21/2004 08:49p 223,880 MZVBVM60.DLL
12/21/2004 07:07p 512 Cjp9g.y89
12/08/2004 09:43a 389,120 ?hkdsk.exe
06/06/2003 09:32p <DIR> dllcache
15 File(s) 3,303,797 bytes
1 Dir(s) 15,185,346,560 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 12:19p 22,507 FFASTLOG.TXT
12/21/2004 07:07p 512 Cjp9g.y89
12/08/2004 09:43a 389,120 ?hkdsk.exe
12/13/2003 04:53p 4,212 zllictbl.dat
06/06/2003 10:00p <DIR> GroupPolicy
06/06/2003 09:52p 271 desktop.ini
06/06/2003 09:52p 21,692 folder.htt
06/06/2003 09:32p <DIR> dllcache
6 File(s) 438,314 bytes
2 Dir(s) 15,185,330,176 bytes free

---------- Files Named "Guard" -------------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 12:20p 223,073 guard.tmp
1 File(s) 223,073 bytes
0 Dir(s) 15,185,313,792 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 12:20p 223,073 guard.tmp
11/11/2004 11:20p 1,332,224 SET23.tmp
10/25/2004 10:39a 450,048 SET25.tmp
10/25/2004 10:39a 2,693,120 SET26.tmp
08/20/2004 02:01p 422,912 SET24.tmp
08/29/2002 02:41a 569,344 VIS82a5.TMP
08/23/2001 03:00p 17,920 VIS83ef.TMP
08/23/2001 03:00p 106,496 VIS834f.TMP
12/07/1999 06:00p 2,577 CONFIG.TMP
9 File(s) 5,817,714 bytes
0 Dir(s) 15,185,297,408 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{37336945-3689-4770-9A37-966987A724E7}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="E:\\WINNT\\system32\\h82olif3182.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------

E:\WINNT\system32\suspoo.dll: updates.qoologic.com
E:\WINNT\system32\xmxuzz.exe: updates.qoologic.com
E:\WINNT\system32\iziuyy.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

E:\WINNT\system32\qoquii.exe: .aspack
E:\WINNT\system32\gyguaa.dat: .aspack
E:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fpfguu.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"DellSC"="E:\\Program Files\\Dell\\Solution Center\\service.exe"
"Iomega Startup Options"="E:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="E:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"LoadQM"="loadqm.exe"
"Adaptec DirectCD"="E:\\PROGRA~1\\Adaptec\\DirectCD\\directcd.exe"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="E:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"SStb.exe"="SStb.exe"
"WinPatrol"="E:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"Narrator"="E:\\WINNT\\system32\\qoquii.exe"
"CreateCD"="E:\\PROGRA~1\\Adaptec\\EASYCD~1\\CreateCD\\createcd.exe -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#5
-=jonnyrotten=-

Posted 29 December 2004 - 10:07 PM

Member 2k

Retired Staff
2,678 posts

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- E:\WINNT\System32\o2ro0c93ef.dll
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:
- E:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\fpfguu.exe
- E:\WINNT\System32\h82olif3182.dll
- E:\WINNT\System32\gpl6l33s1.dll
- E:\WINNT\System32\lvj4091qe.dll
- E:\WINNT\System32\lv2q09f5e.dll
- E:\WINNT\System32\fpj2031oe.dll
- E:\WINNT\System32\mv6ml9j11.dll
- E:\WINNT\System32\q4ps0e77eh.dll
- E:\WINNT\System32\iysetup.dll
- E:\WINNT\System32\dsdlgs.dll
- E:\WINNT\System32\nqtevent.dll
- E:\WINNT\System32\hitplug.dll
- E:\WINNT\System32\MZVBVM60.DLL
- E:\WINNT\System32\Cjp9g.y89
- E:\WINNT\System32\?hkdsk.exe
- E:\WINNT\System32\zllictbl.dat
- E:\WINNT\System32\suspoo.dll
- E:\WINNT\System32\xmxuzz.exe
- E:\WINNT\System32\iziuyy.dll
- E:\WINNT\System32\qoquii.exe
- E:\WINNT\System32\gyguaa.dat
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\System32\Guard.tmp
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.
You may get this message>>>"Pending File Rename Operations Registry Data has been Removed by External Process!" This is okay, you will just have to manually restart your pc.
Double-click on find.bat and post the new output.txt.

-=jonnyrotten=- :tazz:

#6
rprather

Posted 30 December 2004 - 01:48 AM

Member

Topic Starter
Member
14 posts

Thanks for the help
Here is the killbox output

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: E:\Documents and Settings\administrator\Desktop\041229 GeeksToGo\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/08/2004 09:43a 389,120 ?hkdsk.exe
06/06/2003 09:32p <DIR> dllcache
1 File(s) 389,120 bytes
1 Dir(s) 15,180,234,752 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/30/2004 01:36a 22,541 FFASTLOG.TXT
12/08/2004 09:43a 389,120 ?hkdsk.exe
06/06/2003 10:00p <DIR> GroupPolicy
06/06/2003 09:52p 271 desktop.ini
06/06/2003 09:52p 21,692 folder.htt
06/06/2003 09:32p <DIR> dllcache
4 File(s) 433,624 bytes
2 Dir(s) 15,180,218,368 bytes free

---------- Files Named "Guard" -------------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 12:20p 223,073 guard.tmp
1 File(s) 223,073 bytes
0 Dir(s) 15,180,201,984 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 12:20p 223,073 guard.tmp
11/11/2004 11:20p 1,332,224 SET23.tmp
10/25/2004 10:39a 450,048 SET25.tmp
10/25/2004 10:39a 2,693,120 SET26.tmp
08/20/2004 02:01p 422,912 SET24.tmp
08/29/2002 02:41a 569,344 VIS82a5.TMP
08/23/2001 03:00p 17,920 VIS83ef.TMP
08/23/2001 03:00p 106,496 VIS834f.TMP
12/07/1999 06:00p 2,577 CONFIG.TMP
9 File(s) 5,817,714 bytes
0 Dir(s) 15,180,185,600 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{37336945-3689-4770-9A37-966987A724E7}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="E:\\WINNT\\system32\\o2ro0c93ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"DellSC"="E:\\Program Files\\Dell\\Solution Center\\service.exe"
"Iomega Startup Options"="E:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="E:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"LoadQM"="loadqm.exe"
"Adaptec DirectCD"="E:\\PROGRA~1\\Adaptec\\DirectCD\\directcd.exe"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="E:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"SStb.exe"="SStb.exe"
"WinPatrol"="E:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"CreateCD"="E:\\PROGRA~1\\Adaptec\\EASYCD~1\\CreateCD\\createcd.exe -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#7
-=jonnyrotten=-

Posted 30 December 2004 - 02:48 AM

Member 2k

Retired Staff
2,678 posts

Remove these 2 with the killbox in the same manner.

E:\WINNT\System32\?hkdsk.exe
E:\WINNT\System32\folder.htt

Next:

Copy and paste the quoted text below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to

your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post

Platform]
"{37336945-3689-4770-9A37-966987A724E7}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]

Reboot and post new log.

-=jonnyrotten=- :tazz:

#8
rprather

Posted 30 December 2004 - 03:35 AM

Member

Topic Starter
Member
14 posts

So far, so good.
Here is the output:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: E:\Documents and Settings\administrator\Desktop\041229 GeeksToGo\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/08/2004 09:43a 389,120 ?hkdsk.exe
06/06/2003 09:32p <DIR> dllcache
1 File(s) 389,120 bytes
1 Dir(s) 15,179,972,608 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/30/2004 03:27a 22,609 FFASTLOG.TXT
12/08/2004 09:43a 389,120 ?hkdsk.exe
06/06/2003 10:00p <DIR> GroupPolicy
06/06/2003 09:52p 271 desktop.ini
06/06/2003 09:32p <DIR> dllcache
3 File(s) 412,000 bytes
2 Dir(s) 15,179,956,224 bytes free

---------- Files Named "Guard" -------------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 12:20p 223,073 guard.tmp
1 File(s) 223,073 bytes
0 Dir(s) 15,179,939,840 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive E is WINDOWS2000
Volume Serial Number is 28F3-E896

Directory of E:\WINNT\System32

12/29/2004 12:20p 223,073 guard.tmp
11/11/2004 11:20p 1,332,224 SET23.tmp
10/25/2004 10:39a 450,048 SET25.tmp
10/25/2004 10:39a 2,693,120 SET26.tmp
08/20/2004 02:01p 422,912 SET24.tmp
08/29/2002 02:41a 569,344 VIS82a5.TMP
08/23/2001 03:00p 17,920 VIS83ef.TMP
08/23/2001 03:00p 106,496 VIS834f.TMP
12/07/1999 06:00p 2,577 CONFIG.TMP
9 File(s) 5,817,714 bytes
0 Dir(s) 15,179,923,456 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{37336945-3689-4770-9A37-966987A724E7}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"DellSC"="E:\\Program Files\\Dell\\Solution Center\\service.exe"
"Iomega Startup Options"="E:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="E:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"LoadQM"="loadqm.exe"
"Adaptec DirectCD"="E:\\PROGRA~1\\Adaptec\\DirectCD\\directcd.exe"
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="E:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"SStb.exe"="SStb.exe"
"WinPatrol"="E:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"CreateCD"="E:\\PROGRA~1\\Adaptec\\EASYCD~1\\CreateCD\\createcd.exe -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#9
admin

Posted 30 December 2004 - 10:31 AM

Founder Geek

Community Leader
24,639 posts

Copy and paste the code below into a text editor such as Notepad.

Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{37336945-3689-4770-9A37-966987A724E7}"=-

Finally, we'll fix the Recycle Bin, clear the hosts file, and empty the temp files.

Download VX2Finder.
Double-click on VX2Finder.exe.
Click "Restore Policy".
In the File menu click "Exit".
Double-click on KillBox.exe.
In the File menu click "Delete all Dummy files".
In the Tools menu click "Delete Temp Files".
Choose "Standard File Kill" if not already selected.
Paste these files one by one into the top "Full Path of File to Delete" box.
- C:\RECYCLER\desktop.ini
- C:\WINDOWS\System32\drivers\etc\HOSTS
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Confirm Delete prompt.
It should give you a successful "File was deleted" prompt for each one.

Let's see a fresh Hijack This log when finished.

#10
rprather

Posted 30 December 2004 - 11:07 AM

Member

Topic Starter
Member
14 posts

The last two files you asked me to remove in killbox were not found.

Here is the HiJackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 11:09:08 AM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\ZipToA.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Dell\Solution Center\service.exe
E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
E:\PROGRA~1\Adaptec\DirectCD\directcd.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
E:\Program Files\Microsoft Money\System\mnyexpr.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\Palm\hotsync.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Documents and Settings\administrator\Desktop\041229 GeeksToGo\VX2Finder.exe
E:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - E:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DellSC] E:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [Iomega Startup Options] E:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] E:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CreateCD] E:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MoneyAgent] "E:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: HotSync Manager.lnk = E:\Palm\hotsync.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager 2.0.lnk = E:\Palm\hotsync.exe
O4 - Global Startup: strings.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - E:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: e:\winnt\system32\calsp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - E:\WINNT\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - E:\WINNT\System32\ZipToA.exe

#11
-=jonnyrotten=-

Posted 30 December 2004 - 12:40 PM

Member 2k

Retired Staff
2,678 posts

Please Download LSPFix from http://www.cexx.org/lspfix.htm Just hang on to it for now, don't use it.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - Global Startup: strings.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

Sstb.exe
strings.exe<<<<<<Both will most likely be fount in E:\winnt\system32 or E:\winnt If found at all.

Run LSP Fix (the Program you downloaded a bit ago). Check the "I know what I'm doing" Button and remove all traces of calsp.dll. Reboot and post a new Hijack This log.

-=jonnyrotten=- :tazz:

#12
rprather

Posted 30 December 2004 - 10:51 PM

Member

Topic Starter
Member
14 posts

All seemed to go well

Here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 10:52:27 PM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\ZipToA.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Dell\Solution Center\service.exe
E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
E:\PROGRA~1\Adaptec\DirectCD\directcd.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
E:\Program Files\Microsoft Money\System\mnyexpr.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\Palm\hotsync.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\HijackThis\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - E:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DellSC] E:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [Iomega Startup Options] E:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] E:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CreateCD] E:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MoneyAgent] "E:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: HotSync Manager.lnk = E:\Palm\hotsync.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager 2.0.lnk = E:\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - E:\Program Files\Microsoft Money\System\mnyside.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - E:\WINNT\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - E:\WINNT\System32\ZipToA.exe