hijack log/findit



#1
Mrman17mkc

Ok, so usually I can get this stuff out myself... but this time I ran into a lot of problems. I've tried Ad-Aware and McAfee. But once I think I get rid of all the adware.... and nothing looks to be popping up in processes... rundll32 pops up (2-4 instances of it).. the vx2 virus was in here, not sure if it still is... but that rundll32... keeps downloading more and more stuff.

On internet start up.... a Umonitor error pops up... and also.... Vbouncer... over and over. I am not sure which adware keeps crashing my computer.... but it sounds like the hard drive powers down and then....... crash. But before that.. a lil box pops up on my computer... I know it's adware cause that's the only thing downloading all this stuff... someone please help me out.... :tazz:

But here's the hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 11:52:55 PM, on 1/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\inKline Global\PC Booster\pcbooster.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\System32\wvwuuo.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetWaiting\NetWaiting.exe
C:\Program Files\HP PhotoSmart\C200 Camera\Registration\Remind32.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\TechSmith\SnagIt\SnagIt32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis[2]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netsc...com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.freeslots.com;64.136.29.30;64.136.21.30;64.136.29.34;freeslots.com;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [msc] C:\WINDOWS\System32\Microsoft.NET\
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\nick\LOCALS~1\Temp\ICD12.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\NetWaiting.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
O4 - Startup: Reminder-hpc40415.lnk = C:\Program Files\HP PhotoSmart\C200 Camera\Registration\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Merriam-Webster (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.co...l-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.c...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo....m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo...t-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.co...p-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.c...ivex/web665.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {7054825C-6BE3-4559-8FAC-6A72393753A9} (AimPrcX Class) - http://www.nehuenmul...apps/aimprc.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned40.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq....yssey_web11.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CB497DA0-F0CF-4420-A255-A908803B04B9} (EyeWonder EyeMax OcxG3 Control) - http://apps.eyewonde...om/sp/OCXG3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v5.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9766FBDF-91AC-404C-9594-8C864566537B}: NameServer = 64.136.28.120 64.136.20.120


#2
Mrman17mkc

And here's my FindIt log....:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\unzipped\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is STUFF
Volume Serial Number is 07CF-0901

Directory of C:\WINDOWS\System32

01/08/2005 11:52 PM 698 TBPS.ini
01/08/2005 05:15 PM 223,231 p68qlgl516q.dll
01/08/2005 10:55 AM 223,231 j04olah31d4.dll
01/08/2005 09:26 AM 223,231 mydscli.dll
01/08/2005 08:19 AM 223,231 m4po0e73eh.dll
01/07/2005 02:46 PM 223,231 hr8u05l9e.dll
01/07/2005 01:26 PM 224,347 g0jola131d.dll
01/07/2005 10:54 AM 224,347 uaimdmat.dll
01/03/2005 04:34 AM 223,430 m8rm0i91e8.dll
12/22/2004 01:21 PM 389,120 l?[bleep].exe
12/22/2004 01:17 PM 389,120 ?hkdsk.exe
01/13/2004 09:34 AM 3,591 cexeipat.dat
11/20/2003 12:29 AM 1,682 KGyGaAvL.sys
11/20/2003 12:29 AM 8 8347775B06.sys
11/19/2003 03:02 PM 1,020 Oyl4b.28i
08/15/2003 12:31 PM <DIR> Microsoft
08/15/2003 11:54 AM <DIR> dllcache
15 File(s) 2,573,518 bytes
2 Dir(s) 1,612,972,032 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is STUFF
Volume Serial Number is 07CF-0901

Directory of C:\WINDOWS\System32

12/22/2004 01:21 PM 389,120 l?[bleep].exe
12/22/2004 01:17 PM 389,120 ?hkdsk.exe
01/13/2004 09:34 AM 3,591 cexeipat.dat
11/20/2003 12:29 AM 1,682 KGyGaAvL.sys
11/20/2003 12:29 AM 8 8347775B06.sys
11/19/2003 03:02 PM 1,020 Oyl4b.28i
11/06/2003 12:57 PM 94 zbq_Q1ssg.ini
08/15/2003 12:08 PM 488 WindowsLogon.manifest
08/15/2003 12:08 PM 488 logonui.exe.manifest
08/15/2003 12:08 PM 749 wuaucpl.cpl.manifest
08/15/2003 12:08 PM 749 cdplayer.exe.manifest
08/15/2003 12:08 PM 749 sapi.cpl.manifest
08/15/2003 12:08 PM 749 ncpa.cpl.manifest
08/15/2003 12:08 PM 749 nwc.cpl.manifest
08/15/2003 11:54 AM <DIR> dllcache
04/30/2003 01:10 PM 23,155 folder.htt
15 File(s) 812,511 bytes
1 Dir(s) 1,612,955,648 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is STUFF
Volume Serial Number is 07CF-0901

Directory of C:\WINDOWS\System32

01/08/2005 05:45 PM 223,231 guard.tmp
1 File(s) 223,231 bytes
0 Dir(s) 1,612,939,264 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C is STUFF
Volume Serial Number is 07CF-0901

Directory of C:\WINDOWS\System32

01/08/2005 05:45 PM 223,231 guard.tmp
02/04/2004 09:33 AM 0 OLD2D9.tmp
11/25/2003 07:54 AM 0 OLD2C0.tmp
11/25/2003 01:05 AM 0 OLD349.tmp
11/19/2003 10:22 PM 0 OLD2E2.tmp
11/19/2003 10:22 PM 0 OLD2DE.tmp
08/29/2002 08:14 AM 98,816 SET1E8.tmp
08/29/2002 08:14 AM 91,136 SET1EA.tmp
08/29/2002 08:14 AM 91,136 SET251.tmp
08/29/2002 08:14 AM 1,026,048 SET1F0.tmp
08/29/2002 08:14 AM 574,976 SET1FC.tmp
08/29/2002 08:14 AM 574,976 SET1EF.tmp
08/29/2002 08:14 AM 574,976 SET277.tmp
08/29/2002 08:14 AM 98,816 SET1D0.tmp
08/29/2002 08:14 AM 574,976 SET210.tmp
08/29/2002 08:14 AM 2,786,816 SET1F5.tmp
08/29/2002 08:14 AM 2,786,816 SET27D.tmp
08/29/2002 08:14 AM 2,786,816 SET216.tmp
08/29/2002 08:14 AM 1,350,656 SET218.tmp
08/29/2002 08:14 AM 434,688 SET21A.tmp
08/29/2002 08:14 AM 132,096 SET20F.tmp
08/29/2002 08:14 AM 30,720 SET206.tmp
08/29/2002 08:14 AM 533,504 SET224.tmp
08/29/2002 08:14 AM 533,504 SET299.tmp
08/29/2002 08:14 AM 1,338,368 SET234.tmp
08/29/2002 08:14 AM 22,528 SET236.tmp
08/29/2002 08:14 AM 395,264 SET238.tmp
08/29/2002 08:14 AM 106,496 SET2A3.tmp
08/29/2002 08:14 AM 106,496 SET23C.tmp
08/29/2002 08:14 AM 482,816 SET23E.tmp
08/29/2002 08:14 AM 533,504 SET211.tmp
08/29/2002 08:14 AM 585,728 SET242.tmp
08/29/2002 08:14 AM 62,976 SET1CD.tmp
08/29/2002 08:14 AM 1,026,048 SET257.tmp
08/29/2002 08:14 AM 62,976 SET1EE.tmp
08/29/2002 08:14 AM 2,786,816 SET202.tmp
08/29/2002 08:14 AM 98,816 SET1C7.tmp
08/29/2002 08:14 AM 91,136 SET1C9.tmp
08/29/2002 08:14 AM 68,608 SET22A.tmp
08/29/2002 08:14 AM 62,976 SET1D6.tmp
08/29/2002 08:14 AM 1,338,368 SET29B.tmp
08/29/2002 08:14 AM 1,026,048 SET1CF.tmp
08/29/2002 08:14 AM 22,528 SET29D.tmp
08/29/2002 08:14 AM 1,338,368 SET213.tmp
08/29/2002 08:14 AM 22,528 SET215.tmp
08/29/2002 08:14 AM 395,264 SET217.tmp
08/29/2002 08:14 AM 585,728 SET235.tmp
08/29/2002 08:14 AM 106,496 SET22F.tmp
08/29/2002 08:14 AM 106,496 SET21B.tmp
08/29/2002 08:14 AM 482,816 SET21D.tmp
08/29/2002 08:14 AM 258,048 SET21F.tmp
08/29/2002 08:14 AM 585,728 SET221.tmp
08/29/2002 08:14 AM 91,136 SET1D2.tmp
08/29/2002 08:14 AM 395,264 SET29F.tmp
08/29/2002 08:14 AM 482,816 SET2A5.tmp
08/29/2002 08:14 AM 258,048 SET2A7.tmp
08/29/2002 08:14 AM 585,728 SET2A9.tmp
08/29/2002 08:14 AM 533,504 SET232.tmp
08/29/2002 08:14 AM 395,264 SET22B.tmp
08/29/2002 08:14 AM 258,048 SET240.tmp
08/29/2002 08:14 AM 1,026,048 SET1D8.tmp
08/29/2002 08:14 AM 1,350,656 SET204.tmp
08/29/2002 08:14 AM 59,904 SET212.tmp
08/29/2002 08:14 AM 1,338,368 SET226.tmp
08/29/2002 08:14 AM 482,816 SET231.tmp
08/29/2002 08:14 AM 258,048 SET233.tmp
08/29/2002 08:14 AM 98,816 SET24F.tmp
08/29/2002 06:00 AM 1,122,304 ~GLH001a.TMP
08/23/2001 02:00 PM 2,577 CONFIG.TMP
09/17/1999 10:54 AM 21,264 TBMB205.TMP
70 File(s) 38,165,280 bytes
0 Dir(s) 1,612,922,880 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{EF7CC40D-6114-412C-8302-67E6C37CEF21}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Screen Savers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m4po0e73eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tapiexec]
"DllName"="tapiexec.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\SYSTEM32\eieppu.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\hlhuum.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\clcuuz.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\wvwuuo.exe: .aspack
C:\WINDOWS\SYSTEM32\sfarkxt.dll: .aspack
C:\WINDOWS\SYSTEM32\pwpuuy.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hkhggp.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe"
"LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"msc"="C:\\WINDOWS\\System32\\Microsoft.NET\\ "
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"PC Booster"="C:\\Program Files\\inKline Global\\PC Booster\\pcbooster.exe"
"WildTangent CDA"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\G001-1.0.24.0\\gnotify.exe"
"USB controller"="\"C:\\DOCUME~1\\nick\\LOCALS~1\\Temp\\ICD12.tmp\\svcmm32.exe\" /startup"
"Narrator"="C:\\WINDOWS\\System32\\wvwuuo.exe"
"VBouncer"="C:\\PROGRA~1\\VBOUNCER\\VirtualBouncer.exe"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#3
Mrman17mkc

I forgot to add... that it has now... taken over my Mozilla....
I get pop-ups and uh.... like when you're trying to go to a page
it takes you to an ad page instead

It was to my understanding that Firefox couldn't have ads... :\
but yeah... guess they found a way...

I would greatly appreciate your help guys :\