Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

winfixer Strikes again

Started by frankxa , Oct 05 2005 12:38 AM

Please log in to reply

#1
frankxa

Posted 05 October 2005 - 12:38 AM

New Member

Member
7 posts

I too tried to read the other posts, but am unable to determine what file name to specify on the C:\WINDOWS\system32 input.

Here is my log. Thanks for you help.

Logfile of HijackThis v1.99.1
Scan saved at 11:26:23 PM, on 10/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\Documents and Settings\frank.HOME\Local Settings\Temporary Internet Files\Content.IE5\LCOT7X6Z\HijackThis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmkjh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awtqo.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\SYSTEM32\pmkjh.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2
Wizard

Posted 05 October 2005 - 08:58 AM

Retired Staff

Retired Staff
5,661 posts

Hi frankxa and Welcome to GeekstoGo!

This may take several passes to clear up so please be patient!

Go to Add\Remove Programs and Remove

Media Tickets
Windows ServeAd
Windows Service Ads

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.13 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
At this point press enter one time.
Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!):
- C:\WINDOWS\system32\awtqo.dll
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\oqtwa.*
This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
The fix will run then HijackThis will open.
In HiJackThis, please place a check next to the following items and click FIX CHECKED:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmkjh.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awtqo.dll

O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe

O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll

O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll

O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll

O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll

O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll

O20 - Winlogon Notify: pmkjh - C:\WINDOWS\SYSTEM32\pmkjh.dll

O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3
frankxa

Posted 05 October 2005 - 10:04 AM

New Member

Topic Starter
Member
7 posts

Hi,

I'm at work now but will begin cleanup of my home computer tonight. But there was one other question I had. When I attempted to reboot in safe mode, the desktop icons disappear. But if I reboot in SAFE mode with networking option, the desktop icon are present. Is networking OK or do I need to run KILLVUNDO.BAT from a command prompt?

Thanks,
Frank

#4
Wizard

Posted 05 October 2005 - 01:00 PM

Retired Staff

Retired Staff
5,661 posts

Now you dont tell no one I said this,but Safe Mode with Networking is fine,just dont use any browsers or try to surf the net at all,the pc is wide open in that mode since no av or firewall is operable! :tazz:

#5
frankxa

Posted 06 October 2005 - 09:42 PM

New Member

Topic Starter
Member
7 posts

Hi,

Well that took some time. Follow your instructions as best as I could. Couple of the files you asked to remove were not there. Ran Vundofix. Ran Cleanup, which deleted almost 61k files, wow. Lastly ran activescan and hijak scan again. Here are the logs.

Thanks,
Frank
++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 8:32:03 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\frank.HOME\Local Settings\Temporary Internet Files\Content.IE5\G58DSZE9\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
++++++++++++++++++++++++++++++++++++++++++++++++++

Incident Status Location
Adware:adware/gator No disinfected C:\WINDOWS\GatorPdpLoudInstaller.log
Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevant
Spyware:spyware/dyfuca No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\frank.HOME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-76038858-3447114e.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\frank.HOME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-76038858-3447114e.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\frank.HOME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-76038858-3447114e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\frank.HOME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-76038858-3447114e.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\frank.HOME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc_.jar-742dd5c3-6b33b90b.zip[Jvb.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\frank.HOME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc_.jar-742dd5c3-6b33b90b.zip[MainApp.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-5e541ea8-22e9a5a0.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-5e541ea8-22e9a5a0.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-5e541ea8-22e9a5a0.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-5e541ea8-22e9a5a0.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-5e541ea8-22e9a5a0.zip[Xeyond.class]
Virus:Trj/Downloader.YC Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-5e541ea8-22e9a5a0.zip[web.exe]
Virus:Trj/Mitglieder.CP Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5641fff1-78f9bbbc.zip[javautil.zip]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5641fff1-78f9bbbc.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5641fff1-78f9bbbc.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5641fff1-78f9bbbc.zip[NudeBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5641fff1-78f9bbbc.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\missy.home\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-5641fff1-78f9bbbc.zip[Worker.class]
Adware:Adware/IST.SideFind No disinfected C:\Program Files\Common Files\ifom\ifoma.exe
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\ifom\ifomd\ifomc.dll
Adware:Adware/IST.SideFind No disinfected C:\Program Files\Common Files\ifom\ifoml.exe
Adware:Adware/IST.SideFind No disinfected C:\Program Files\Common Files\ifom\ifomm.exe
Adware:Adware/IST.SideFind No disinfected C:\Program Files\Common Files\ifom\ifomp.exe
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\SearchRelevant.dll
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\uninstall.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\nem220.dll_tobedeleted
Virus:Trj/ShellHook.E Disinfected C:\WINDOWS\system32\awtsr.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\awvvs.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\ddayx.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\mljgf.dll
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\pmkjh.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\vturr.dll :tazz:

#6
Wizard

Posted 07 October 2005 - 03:38 AM

Retired Staff

Retired Staff
5,661 posts

Starting to look much better now!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy!

C:\WINDOWS\GatorPdpLoudInstaller.log
C:\WINDOWS\nem220.dll_tobedeleted
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\vturr.dll

Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!

Reboot into SAFE MODE(Tap F8 when restarting)

Once in Safe Mode-> Run each of these entries through Killbox to confirm they are gone!

C:\WINDOWS\GatorPdpLoudInstaller.log
C:\WINDOWS\nem220.dll_tobedeleted
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\vturr.dll
C:\PROGRAM FILES\SearchRelevant
C:\Program Files\Common Files\ifom

As you paste each into Killbox-> Place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete!

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Restart Normal and have one more Online Scan here
http://support.f-sec.../home/ols.shtml

Post back with a fresh HijackThis log and the reports from WinPFind and F-Secure!

#7
frankxa

Posted 08 October 2005 - 08:57 AM

New Member

Topic Starter
Member
7 posts

Hi,

Round 2 completed, but F-secure log had this to say:

++++++++++++++++++++++++++++++++++++
: 16 viruses found

Scanned files: 444917 Warning: 16 file(s) still infected!

C:\!KillBox\awvvs.dll Trojan.Win32.Crypt.o

C:\!KillBox\ddayx.dll Trojan.Win32.Crypt.o

C:\!KillBox\mljgf.dll Trojan.Win32.Crypt.o

C:\!KillBox\pmkjh.dll Trojan-Downloader.Win32.Small.bpk

C:\!KillBox\vturr.dll Trojan.Win32.Crypt.o

C:\Documents and Settings\TEMP\Local Settings\Temporary Internet

Files\Content.IE5\6HCZUZ0H\ibar[1].js Trojan-Downloader.JS.IstBar.ad

C:\Documents and Settings\TEMP\Local Settings\Temporary Internet

Files\Content.IE5\YZ2HIB69\ysb_prompt[1].htm

Trojan-Downloader.JS.IstBar.j

C:\Program Files\Common Files\ifom\ifoma.exe

Trojan-Downloader.Win32.TSUpdate.l

C:\Program Files\Common Files\ifom\ifoml.exe

Trojan-Downloader.Win32.TSUpdate.j

C:\Program Files\Common Files\ifom\ifomm.exe

Trojan-Downloader.Win32.TSUpdate.k

C:\System Volume

Information\_restore{45D9AA45-F7B0-4B95-9D8E-4D458DC514A8}\RP313\A00389

97.dll Trojan.Win32.Crypt.o

C:\System Volume

Information\_restore{45D9AA45-F7B0-4B95-9D8E-4D458DC514A8}\RP316\A00402

96.dll Trojan.Win32.Crypt.o

C:\System Volume

Information\_restore{45D9AA45-F7B0-4B95-9D8E-4D458DC514A8}\RP316\A00402

97.dll Trojan.Win32.Crypt.o

C:\System Volume

Information\_restore{45D9AA45-F7B0-4B95-9D8E-4D458DC514A8}\RP316\A00402

98.dll Trojan.Win32.Crypt.o

C:\System Volume

Information\_restore{45D9AA45-F7B0-4B95-9D8E-4D458DC514A8}\RP316\A00402

99.dll Trojan-Downloader.Win32.Small.bpk

C:\System Volume

Information\_restore{45D9AA45-F7B0-4B95-9D8E-4D458DC514A8}\RP316\A00403

00.dll Trojan.Win32.Crypt.o
++++++++++++++++++++++++++++++++++++++++++++

And now here is the WinPFind report:

++++++++++++++++++++++++++++++++++++++++++++
WARNING: not all files found by this scanner are bad. Consult with a

knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can

ignore it. Windows somethimes displays this message due to the high

volume of disk I/O. As long as the hard disk light is flashing, the

program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2

Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders

»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 9/23/2003 9:23:00 PM 41397

C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/14/1997 10:24:14 PM 197171

C:\WINDOWS\SYSTEM32\Dwapilib.tlb
PTech 8/3/2005 10:33:42 AM 520456

C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 8:08:28 PM 1997664

C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 8:08:28 PM 1997664

C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:36 AM 708096

C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:44 AM 657920

C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9/23/2003 9:02:00 PM 1309184

C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184

C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files

within the last 60 days...
10/7/2005 11:33:10 PM S 2048

C:\WINDOWS\bootstat.dat
10/7/2005 11:33:14 PM S 64

C:\WINDOWS\CSC\00000001
10/7/2005 11:33:14 PM S 64

C:\WINDOWS\CSC\00000002
10/4/2005 10:22:46 PM S 64

C:\WINDOWS\CSC\csc1.tmp
9/4/2005 1:19:50 PM HS 303

C:\WINDOWS\system32\fgjlm.ini
9/5/2005 1:24:18 PM HS 303

C:\WINDOWS\system32\rrutv.ini
9/6/2005 12:18:08 PM HS 180847

C:\WINDOWS\system32\svvwa.bak2
9/5/2005 6:24:22 PM HS 182154

C:\WINDOWS\system32\svvwa.ini
9/6/2005 1:37:28 PM HS 180869

C:\WINDOWS\system32\svvwa.ini2
9/5/2005 6:24:34 PM HS 182026

C:\WINDOWS\system32\svvwa.tmp
9/3/2005 10:52:58 AM HS 178718

C:\WINDOWS\system32\xyadd.bak1
9/4/2005 12:07:14 AM HS 180256

C:\WINDOWS\system32\xyadd.ini
10/7/2005 11:33:04 PM H 8192

C:\WINDOWS\system32\config\default.LOG
10/7/2005 11:33:26 PM H 1024

C:\WINDOWS\system32\config\SAM.LOG
10/7/2005 11:33:12 PM H 16384

C:\WINDOWS\system32\config\SECURITY.LOG
10/7/2005 11:35:48 PM H 364544

C:\WINDOWS\system32\config\software.LOG
10/7/2005 11:33:30 PM H 1130496

C:\WINDOWS\system32\config\system.LOG
9/19/2005 9:57:38 PM H 1024

C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
9/5/2005 2:08:22 PM HS 388

C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b56b4a5b-7edf-4568-

a611-f92c8cd7d421
9/5/2005 2:08:22 PM HS 24

C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/7/2005 11:32:14 PM H 6

C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608

C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/13/2003 3:24:20 AM 10435584

C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 549888

C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592

C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168

C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384

C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136

C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/7/2003 8:14:30 AM 94208

C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400

C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536

C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416

C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608

C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 10/27/2003 8:50:26 PM 53352

C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/24/2003 7:40:00 AM 187904

C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496

C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/23/2003 9:06:00 PM 35840

C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600

C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024

C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 8/19/2003 3:56:00 AM 143360

C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 9/23/2003 10:23:00 PM 36864

C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768

C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688

C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 3:12:42 PM 323072

C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496

C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/24/2003 5:25:00 AM 28160

C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208

C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480

C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360

C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/24/2003 7:40:00 AM 187904

C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/23/2003 9:06:00 PM 35840

C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/23/2003 10:23:00 PM 36864

C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 9/24/2003 5:25:00 AM 28160

C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360

C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 4/7/2003 8:14:30 AM 94208

C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl
NVIDIA Corporation 8/19/2003 3:56:00 AM 143360

C:\WINDOWS\SYSTEM32\ReinstallBackups\0022\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders

»»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/9/2005 10:31:08 AM 1768

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe

Reader Speed Launch.lnk
2/13/2004 11:42:56 PM 842

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America

Online 9.0 Tray Icon.lnk
10/27/2003 7:29:54 PM HS 84

C:\Documents and Settings\All Users\Start

Menu\Programs\Startup\desktop.ini
10/27/2003 9:30:44 PM 1808

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP

Digital Imaging Monitor.lnk
10/27/2003 10:25:06 PM 675

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken

Scheduled Updates.lnk
2/13/2004 11:44:26 PM 1865

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates

from HP.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/27/2003 11:22:58 AM HS 62

C:\Documents and Settings\All Users\Application Data\desktop.ini
10/27/2003 9:45:04 PM 868

C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
10/27/2003 7:29:54 PM HS 84

C:\Documents and Settings\frank.HOME\Start

Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2/9/2005 10:29:04 AM 1215

C:\Documents and Settings\frank.HOME\Application Data\AdobeDLM.log
10/27/2003 11:22:58 AM HS 62

C:\Documents and Settings\frank.HOME\Application Data\desktop.ini
2/9/2005 10:29:04 AM 0

C:\Documents and Settings\frank.HOME\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys

»»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet

Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell

Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell

Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} =

%SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} =

%SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} =

%SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program

Files\Network Associates\VirusScan\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-970

8-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers

]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program

Files\Network Associates\VirusScan\shext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandl

ers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandle

rs\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} =

%SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandle

rs\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} =

%SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandle

rs\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandle

rs\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program

Files\Network Associates\VirusScan\shext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E

74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F1

4F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F1

4F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6674

2402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB

5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper

Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper

Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper

Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper

Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar

2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper

Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program

files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer

Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer

Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
= :
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View :

c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar :

C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google :

c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program

Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer

Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer

Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer

Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet

Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View :

c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet

Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View :

c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links :

%SystemRoot%\system32\SHELL32.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address :

%SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google :

c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
CamMonitor c:\Program Files\HP\Digital

Imaging\Unload\hpqcmon.exe
HPHUPD05 c:\Program

Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 C:\WINDOWS\System32\hphmon05.exe
KBD C:\HP\KBD\KBD.EXE
UpdateManager "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer VTTimer.exe
NvCplDaemon RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet /keeploaded /nodetect
AlcxMonitor ALCXMNTR.EXE
CTHelper CTHELPER.EXE
PS2 C:\WINDOWS\system32\ps2.exe
Sunkist2k C:\Program Files\Multimedia Card

Reader\shwicon2k.exe
CTSysVol C:\Program Files\Creative\SBAudigy2\Surround

Mixer\CTSysVol.exe
CTDVDDet C:\Program

Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
HPDJ Taskbar Utility

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
mmtask C:\Program Files\MUSICMATCH\MUSICMATCH

Jukebox\mmtask.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe"

-atboottime
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
ShStatEXE "C:\Program Files\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI "C:\Program Files\Network Associates\Common

Framework\UpdaterUI.exe" /StartedFromRunKey
Network Associates Error Reporting Service "C:\Program

Files\Common Files\Network Associates\TalkBack\TBMon.exe"
ViewMgr C:\Program Files\Viewpoint\Viewpoint

Manager\ViewMgr.exe
TkBellExe "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
HostManager C:\Program Files\Common

Files\AOL\1124684468\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optio

nalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServic

es]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServic

esOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RecordNow!
NVIEW rundll32.exe nview.dll,nViewLoadHook
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
SpySweeper C:\Program Files\Webroot\Spy

Sweeper\SpySweeper.exe /0
BackupNotify c:\Program Files\HP\Digital

Imaging\bin\backupnotify.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService

s]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService

sOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\N

onEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} =

C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\R

atings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\s

ystem
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ex

plorer
NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServ

iceObjectDelayLoad]
PostBootReminder

{7849596a-48ea-486e-8937-a2a3009f31a9} =

%SystemRoot%\system32\SHELL32.dll
CDBurn

{fbeb8a05-beee-4442-804e-409d6c4515e9} =

%SystemRoot%\system32\SHELL32.dll
WebCheck

{E6FB5E20-DE35-11CF-9C87-00AA005127ED} =

%SystemRoot%\System32\webcheck.dll
SysTray

{35CEC8A3-2BE6-11D2-8773-92E220524153} =

C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image

File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image

File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind

folder.
Scan completed on 10/7/2005 11:49:57 PM
+++++++++++++++++++++++++++++++++++++++++++++++++++

And last a fresh HiJackThis Log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 7:52:25 AM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

++++++++++++++++++++++++++++++++++++++++++++++++++++

#8
Wizard

Posted 08 October 2005 - 09:47 AM

Retired Staff

Retired Staff
5,661 posts

Lets killbox all these in Safe Mode just as before

C:\Program Files\Common Files\ifom\ifoma.exe
C:\Program Files\Common Files\ifom\ifoml.exe
C:\Program Files\Common Files\ifom\ifomm.exe
C:\Program Files\Common Files\ifom
C:\Documents and Settings\TEMP\Local Settings\Temporary Internet Files\Content.IE5\6HCZUZ0H\ibar[1].js
C:\Documents and Settings\TEMP\Local Settings\Temporary Internet Files\Content.IE5\YZ2HIB69\ysb_prompt[1].htm
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\svvwa.bak2
C:\WINDOWS\system32\svvwa.ini
C:\WINDOWS\system32\svvwa.ini2
C:\WINDOWS\system32\svvwa.tmp
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.ini

Remeber to place a tick by any of these selections available as you paste each entry into Killbox

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete!

Make sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp

Make sure this folder is deleted

C:\Program Files\Common Files\ifom

Please let me know if any of these entries wont delete!

Post back with a fresh HijackThis log and let me know how it goes?

#9
frankxa

Posted 08 October 2005 - 11:32 AM

New Member

Topic Starter
Member
7 posts

Hi,

Round 3 results are in. Here is the killbox log followed by hijackthis log:

Killbox log - Note that I had to wait till the end to delete the IFROM folder.

+++++++++++++++++++++++++++++++++++++++++++++++++
Pocket Killbox version 2.0.0.265
Running on Windows XP As an Administrator
was started @ Saturday, October 08, 2005, 10:10 AM

# 1 [Files to Delete]
Path = C:\Program Files\Common Files\ifom\ifoma.exe
*File Was Deleted

# 2 [Files to Delete]
Path = C:\Program Files\Common Files\ifom\ifoml.exe
*File Was Deleted

# 3 [Files to Delete]
Path = C:\Program Files\Common Files\ifom\ifomm.exe
*File Was Deleted

# 4 [Files to Delete]
Path = C:\Program Files\Common Files\ifom
*This File could not be Deleted

# 5 [Files to Delete]
Path = C:\Program Files\Common Files\ifom
*This File could not be Deleted

# 6 [Files to Delete]
Path = C:\Documents and Settings\TEMP\Local Settings\Temporary Internet
*This file does not seem to exist

# 7 [Files to Delete]
Path = C:\Documents and Settings\TEMP\Local Settings\Temporary Internet
*This file does not seem to exist

# 8 [Files to Delete]
Path = C:\Documents and Settings\TEMP\Local Settings\Temporary Internet Files\Content.IE5\6HCZUZ0H\ibar[1].js
*File Was Deleted

# 9 [Files to Delete]
Path = C:\Documents and Settings\TEMP\Local Settings\Temporary Internet Files\Content.IE5\YZ2HIB69\ysb_prompt[1].htm
*File Was Deleted

# 10 [Files to Delete]
Path = C:\WINDOWS\system32\fgjlm.ini
*File Was Deleted

# 11 [Files to Delete]
Path = C:\WINDOWS\system32\rrutv.ini
*File Was Deleted

# 12 [Files to Delete]
Path = C:\WINDOWS\system32\svvwa.bak2
*File Was Deleted

# 13 [Files to Delete]
Path = C:\WINDOWS\system32\svvwa.ini
*File Was Deleted

# 14 [Files to Delete]
Path = C:\WINDOWS\system32\svvwa.ini2
*File Was Deleted

# 15 [Files to Delete]
Path = C:\WINDOWS\system32\svvwa.tmp
*File Was Deleted

# 16 [Files to Delete]
Path = C:\WINDOWS\system32\xyadd.bak1
*File Was Deleted

# 17 [Files to Delete]
Path = C:\WINDOWS\system32\xyadd.ini
*File Was Deleted

# 18 [Files to Delete]
Path = C:\Program Files\Common Files\ifom
*File Was Deleted
++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 10:31:18 AM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124684468\ee\AOLServiceHost.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\temp\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124684468\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10
Wizard

Posted 08 October 2005 - 12:54 PM

Retired Staff

Retired Staff
5,661 posts

Whoops!

Edited by Cretemonster, 08 October 2005 - 12:56 PM.

#11
Wizard

Posted 08 October 2005 - 12:55 PM

Retired Staff

Retired Staff
5,661 posts

Excellent work my friend! :tazz:

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...p2002/hosts.htm

Made Easy
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?

#12
frankxa

Posted 08 October 2005 - 02:44 PM

New Member

Topic Starter
Member
7 posts

Hi,

1. Installed SpywareBlaster:
2. Copied WinHelp2002 Hosts File to Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Does it matter if the HOST file name is uppercase? The old one in the directory was lowercase.
3. Is the URL for "made easy" correct. It seems to point to a HLML page for WINHELP2002 Host file

Thanks,
Frank

#13
Wizard

Posted 08 October 2005 - 03:00 PM

Retired Staff

Retired Staff
5,661 posts

Made easy is suppose to do the exact same thing you did manually but somewhat automated!

So no need to worry about that!

Go ahead and renable System Restore,this will flush out all old nasty Restore Points and once you restart,it will create a nice new clean fresh one for you to fall back on if ever you need it!

Read through those 3 little black links in my signature to get some more ideas on how to avoid this in the future!

If ever you need us again,you know where to find us! :tazz: