UMonitor won't go away.

#1 slbinff
Hello!

I'm hoping to get some assistance with UMonitor .dll popup messages on boot and an obnoxious number of popup ads while on the internet.

I've run AdAware & Spybot S&D, but UMonitor problems still remain. I tried to run HijackThis, but kept getting an error at launch that caused it to shut itself down. I did successfully run l2mfix - here's the log:

Thanks in advance!!

L2MFIX find log 1.02
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m0jula191d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8FF883E9-FA93-47B7-83A7-E68CFAD53415}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
@="CorelDRAW Shell Extension Component"
"{CE433D33-14CB-42EB-B666-ECBF98C80DD2}"="Draw Property Sheet"
"{6A1122A1-6D55-11D0-9E64-0000C04E5143}"="Mls shell extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{7D5C4BDD-B015-4401-8731-1507B87DE297}"="QBVersionTool"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}"="Allaire FTP & RDS"
"{DF503FD0-B424-439B-826B-A2B28B25B711}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DF503FD0-B424-439B-826B-A2B28B25B711}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF503FD0-B424-439B-826B-A2B28B25B711}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF503FD0-B424-439B-826B-A2B28B25B711}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DF503FD0-B424-439B-826B-A2B28B25B711}\InprocServer32]
@="C:\\WINNT\\system32\\lkhsvc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
ciodm.dll Thu Nov 4 2004 8:41:52p ..... 68,880 67.27 K
e2jm0c~1.dll Mon Jan 24 2005 2:30:00p ..S.R 223,232 218.00 K
hypertrm.dll Tue Nov 16 2004 2:47:02a ..... 576,784 563.27 K
iepppp.dll Mon Jan 24 2005 10:55:30a A.... 24,576 24.00 K
ihign32.dll Mon Jan 24 2005 2:09:00p ..S.R 223,232 218.00 K
irrsl5~1.dll Mon Jan 24 2005 10:54:32a ..S.R 225,027 219.75 K
lcuuuu.dll Mon Jan 3 2005 9:33:54a A.... 5,632 5.50 K
lkhsvc.dll Mon Jan 24 2005 2:33:42p ..... 223,232 218.00 K
lv2u09~1.dll Mon Jan 3 2005 9:47:04a ..S.R 224,161 218.91 K
m0jula~1.dll Mon Jan 24 2005 2:14:00p ..S.R 223,232 218.00 K
mf43dmod.dll Mon Jan 24 2005 2:21:56p ..S.R 223,232 218.00 K
shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
sp3res.dll Thu Dec 2 2004 6:27:18a ..... 6,272,512 5.98 M
user32.dll Wed Dec 29 2004 1:14:10a A.... 380,688 371.77 K

14 items found: 14 files (6 H/S), 0 directories.
Total of file sizes: 10,226,644 bytes 9.75 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Mon Jan 24 2005 2:35:44p A.... 223,232 218.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 223,232 bytes 218.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B8C6-530C

Directory of C:\WINNT\System32

01/24/2005 02:29p 223,232 e2jm0c11ef.dll
01/24/2005 02:21p 223,232 mf43dmod.dll
01/24/2005 02:13p 223,232 m0jula191d.dll
01/24/2005 02:08p 223,232 ihign32.dll
01/24/2005 10:54a 225,027 irrsl5971.dll
01/24/2005 09:32a <DIR> dllcache
01/03/2005 09:47a 224,161 lv2u09f9e.dll
6 File(s) 1,342,116 bytes
1 Dir(s) 3,846,844,416 bytes free
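The Winlogon\Notify export above is the interesting part of this log: every legitimate entry loads a bare Windows DLL name (crypt32.dll, cscdll.dll, wlnotify.dll), while the "Extensions" entry loads a random-named DLL from system32 by absolute path, which is how a Winlogon notification package gets itself loaded before the desktop appears. As an added example (not part of the thread and not l2mfix's code), the Python below parses a Regedit 5 export in exactly this format, including the hex(2) UTF-16LE continuation lines, and flags Notify packages that deviate from a baseline; the baseline and the sample export are assumptions built from the clean entries in this log.

```python
"""Audit a Regedit export of HKLM\\...\\Winlogon\\Notify for unexpected notification packages."""
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline (subkey -> DLL it should load), built from the clean entries in
# the l2mfix log above; extend it for the Windows build you are auditing.
BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
}

# Constructed sample in the same format as the log above: one clean hex(2) entry,
# one clean string entry, and the "Extensions" entry that loads the random-named DLL.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m0jula191d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''


def _decode_value(raw: str):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ with \\ and \" escapes
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):                            # REG_DWORD, hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex\((\d+)\):(.*)", raw)                 # hex(2) is REG_EXPAND_SZ, UTF-16LE
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00") if m.group(1) == "2" else data
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}."""
    logical: List[str] = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):          # join hex continuation lines
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.strip())
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line[:1] in ('"', "@"):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def audit_notify(text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll, reason) for each Notify package that deviates from BASELINE."""
    findings: List[Tuple[str, str, str]] = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        # DllName / DLLName: the log uses both spellings, so match case-insensitively.
        dll = str(next((v for n, v in values.items() if n.lower() == "dllname"), ""))
        expected = BASELINE.get(subkey.lower())
        reasons = []
        if expected is None:
            reasons.append("subkey not in baseline")
        if "\\" in dll:
            reasons.append("loads by absolute path (baseline entries use a bare file name)")
        elif expected and dll.lower() != expected:
            reasons.append(f"expected {expected}")
        if reasons:
            findings.append((subkey, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(SAMPLE_REG):
        print(f"{subkey}: {dll} -> {reason}")
```

On a live system the same export is produced with `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`, and the flagged file names can then be cross-checked against the S/R-attributed, identically sized DLLs in the file listing above.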

#2 -=jonnyrotten=- (Retired Staff)
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

-=jonnyrotten=- :tazz:

#3 slbinff (Topic Starter)
OK - Ran Opt 2. Here is the output:


L2Mfix 1.02

Running From:
C:\Documents and Settings\britton.SLBRITTON\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\britton.SLBRITTON\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\britton.SLBRITTON\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1184 'explorer.exe'
Killing PID 1184 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\irrsl5971.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lv2u09f9e.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\u2ru0c99ef.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\irrsl5971.dll
Successfully Deleted: C:\WINNT\system32\irrsl5971.dll
deleting: C:\WINNT\system32\lv2u09f9e.dll
Successfully Deleted: C:\WINNT\system32\lv2u09f9e.dll
deleting: C:\WINNT\system32\u2ru0c99ef.dll
Successfully Deleted: C:\WINNT\system32\u2ru0c99ef.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: irrsl5971.dll (152 bytes security) (deflated 4%)
adding: lv2u09f9e.dll (152 bytes security) (deflated 4%)
adding: u2ru0c99ef.dll (152 bytes security) (deflated 3%)
adding: guard.tmp (152 bytes security) (deflated 3%)
adding: cecho.reg (152 bytes security) (deflated 2%)
adding: clear.reg (152 bytes security) (deflated 46%)
adding: echo.reg (152 bytes security) (deflated 9%)
adding: desktop.ini (152 bytes security) (deflated 13%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 74%)
adding: readme.txt (152 bytes security) (deflated 48%)
adding: report.txt (152 bytes security) (deflated 69%)
adding: test.txt (152 bytes security) (deflated 52%)
adding: test2.txt (152 bytes security) (deflated 27%)
adding: xfind.txt (152 bytes security) (deflated 45%)
adding: backregs/DF503FD0-B424-439B-826B-A2B28B25B711.reg (152 bytes security) (deflated 70%)
adding: backregs/FD77AF95-F29C-45F2-84D4-7F66D27D1A87.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 64%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: irrsl5971.dll
deleting local copy: lv2u09f9e.dll
deleting local copy: u2ru0c99ef.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINNT\system32\irrsl5971.dll
C:\WINNT\system32\lv2u09f9e.dll
C:\WINNT\system32\u2ru0c99ef.dll
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DF503FD0-B424-439B-826B-A2B28B25B711}"=-
"{ABD0BD8C-C12E-4A47-81A0-EE4F8D15C073}"=-
"{FD77AF95-F29C-45F2-84D4-7F66D27D1A87}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DF503FD0-B424-439B-826B-A2B28B25B711}]
[-HKEY_CLASSES_ROOT\CLSID\{ABD0BD8C-C12E-4A47-81A0-EE4F8D15C073}]
[-HKEY_CLASSES_ROOT\CLSID\{FD77AF95-F29C-45F2-84D4-7F66D27D1A87}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8FF883E9-FA93-47B7-83A7-E68CFAD53415}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{8FF883E9-FA93-47B7-83A7-E68CFAD53415}</IDone>
<IDtwo>DS3</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
Classid's found from regsearch:
****************************************************************************

#4 slbinff (Topic Starter)
No joy in running HijackThis - still get a fatal error & app shuts itself down.

Here is the Win error log:

Application exception occurred:
App: (pid=2584)
When: 1/24/2005 @ 18:49:35.138
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: SLBRITTON
User Name: britton
Number of Processors: 1
Processor Type: x86 Family 6 Model 8 Stepping 10
Windows 2000 Version: 5.0
Current Build: 2195
Service Pack: 3
Current Type: Uniprocessor Free
Registered Organization: Home System
Registered Owner: Susan Britton

*----> Task List <----*
0 Idle.exe
8 System.exe
160 smss.exe
184 csrss.exe
204 WINLOGON.exe
232 services.exe
244 LSASS.exe
424 svchost.exe
452 LEXBCES.exe
480 spoolsv.exe
488 LEXPPS.exe
576 Ati2evxx.exe
592 cfserver.exe
616 cfexec.exe
628 cfrdsservice.ex.exe
716 jrunsvc.exe
732 swagent.exe
740 jrun.exe
752 swstrtr.exe
760 swsoc.exe
776 svchost.exe
796 GHOSTS~2.exe
892 AppServices.exe
924 mcvsrte.exe
952 MpfService.exe
1076 regsvc.exe
1120 winmgmt.exe
1148 svchost.exe
1160 ADService.exe
1216 inetinfo.exe
996 explorer.exe
1628 mcagent.exe
1644 mcvsshld.exe
1656 DadApp.exe
1684 McVSEscn.exe
1688 SynTPLpr.exe
1696 dadtray.exe
1616 SynTPEnh.exe
1712 atiptaxx.exe
1732 GhostStartTrayA.exe
1744 ADUserMon.exe
1776 Imgicon.exe
1820 realsched.exe
1872 Autolaunch.exe
1892 MotiveSB.exe
1900 MpfTray.exe
1916 ViewMgr.exe
1928 jusched.exe
1936 vwuuuu.exe
2132 dtsc.exe
2160 WZQKPICK.exe
2176 WPC11Cfg.exe
1944 McShield.exe
2292 MpfAgent.exe
2308 mpbtn.exe
1376 wuauclt.exe
1844 MSIMN.exe
1208 IEXPLORE.exe
2584 HijackThis.exe
2284 drwtsn32.exe
0 _Total.exe


State Dump for Thread Id 0x884

eax=00162df0 ebx=660d63ab ecx=00000001 edx=00000000 esi=00000000 edi=00162df0
eip=77fbdb24 esp=0012f1fc ebp=0012f408 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202


function: RtlMoveMemory
77fbdb0a 57 push edi
77fbdb0b 8b742410 mov esi,[esp+0x10] ss:0100c7cf=????????
77fbdb0f 8b7c240c mov edi,[esp+0xc] ss:0100c7cf=????????
77fbdb13 8b4c2414 mov ecx,[esp+0x14] ss:0100c7cf=????????
77fbdb17 fc cld
77fbdb18 3bf7 cmp esi,edi
77fbdb1a 761a jbe RtlConvertUlongToLargeInteger+0x8961 (77fc6636)
77fbdb1c 8bd1 mov edx,ecx
77fbdb1e 83e203 and edx,0x3
77fbdb21 c1e902 shr ecx,0x2
FAULT ->77fbdb24 f3a5 rep movsd ds:00000000=???????? es:00162df0=00000000
77fbdb26 0bca or ecx,edx
77fbdb28 7505 jnz RtlConvertUlongToLargeInteger+0x5d5a (77fc3a2f)
77fbdb2a 5f pop edi
77fbdb2b 5e pop esi
77fbdb2c c20c00 ret 0xc
77fbdb2f f3a4 rep movsb ds:00000000=?? es:00162df0=00
77fbdb31 5f pop edi
77fbdb32 5e pop esi
77fbdb33 c20c00 ret 0xc
77fbdb36 74f9 jz RtlConvertUlongToLargeInteger+0x8a5c (77fc6731)
77fbdb38 8bc7 mov eax,edi

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012F408 0048554C 0012F4B8 00000007 00000006 00000001 ntdll!RtlMoveMemory
0012F4E8 004620AE 00000000 0013A790 66024FD4 0109B8E4 !<nosymbols>
0012F594 0044D56D 00000000 0013A790 66024FD4 00000000 !<nosymbols>
0012F720 0043DE0F 0013A790 0012F77C 0012F84C 00000001 !<nosymbols>
0012F770 6602AD73 0013A790 0012F78C 0040D193 0013A894 !<nosymbols>
0012F77C 0040D193 0013A894 0040C16C 0012F7D8 6602AD50 MSVBVM60!BASIC_CLASS_Invoke
0012F78C 6602AD50 0040D193 0012F848 00000002 00000000 !<nosymbols>
0012F7D8 66023023 0012F888 0012F848 00000002 01091C3C MSVBVM60!BASIC_CLASS_Invoke
0012F8AC 66022EB2 01091C3C 0108FB94 01085710 00000002 MSVBVM60!EVENT_SINK_AddRef
0012F8D0 660C21F2 01091C3C 00000000 00000000 01091C3C MSVBVM60!EVENT_SINK_AddRef
0012F900 66021269 01091C3C 00010368 00002111 00000008 MSVBVM60!DllCanUnloadNow
0012F928 66020341 01091C3C 00010368 00002111 00000008 MSVBVM60!EVENT_SINK_AddRef
0012F984 6607A250 00010368 00002111 00000008 00010368 MSVBVM60!EVENT_SINK_AddRef
0012F9A8 66036323 010912F4 0001035A 00000111 00000008 MSVBVM60!IID_IVbaHost
0012FA14 660BD1AA 01085300 0001035A 00000111 00000008 MSVBVM60!Zombie_QueryInterface
0012FA8C 66021269 010912F4 0001035A 00000111 00000008 MSVBVM60!DllCanUnloadNow
0012FAB4 66020341 010912F4 0001035A 00000111 00000008 MSVBVM60!EVENT_SINK_AddRef
0012FB10 77E3A420 0001035A 00000111 00000008 00010368 MSVBVM60!EVENT_SINK_AddRef
0012FB30 77E16381 66020297 0001035A 00000111 00000008 user32!SetWindowPlacement
0012FB60 77E17361 005A9860 00000111 00000008 00010368 user32!IsWindowVisible
0012FB80 77E30A23 0001035A 00000111 00000008 00010368 user32!SendMessageW
0012FC20 77E2E138 00010368 00000202 00000000 0014008D user32!CreatePopupMenu
0012FC44 77E3A420 00010368 00000202 00000000 0014008D user32!LoadMenuA
0012FC64 77E16B41 77E2E0EF 00010368 00000202 00000000 user32!SetWindowPlacement
0012FC88 77E16B64 77E2E0EF 00010368 00000202 00000000 user32!ScreenToClient
0012FCA8 66035B47 77E2E0EF 00010368 00000202 00000000 user32!CallWindowProcA
0012FD14 660C24C8 01085710 00010368 00000202 00000000 MSVBVM60!Zombie_QueryInterface
0012FD3C 66021269 01091C3C 00010368 00000202 00000000 MSVBVM60!DllCanUnloadNow
0012FD64 66020341 01091C3C 00010368 00000202 00000000 MSVBVM60!EVENT_SINK_AddRef
0012FDC0 77E3A420 00010368 00000202 00000000 0014008D MSVBVM60!EVENT_SINK_AddRef
0012FDE0 77E14605 66020297 00010368 00000202 00000000 user32!SetWindowPlacement
0012FE6C 77E15B77 0012FE90 00000001 6601496C 0012FE90 user32!TranslateMessageEx
0012FEB8 660148A5 FFFFFFFF 0108374C 01080000 01083744 user32!DispatchMessageA
0012FEFC 66014783 0108381C FFFFFFFF 00000A18 FFFFFFFF MSVBVM60!_vbaInStr
6601A340 66010E00 6601178A 660D40C8 660D40F3 66010E93 MSVBVM60!_vbaInStr
660D3416 0C2474FF FF0C408B 8B0C2474 11FF5008 8B000CC2 MSVBVM60!BASIC_CLASS_QueryInterface
0424448B 00000000 00000000 00000000 00000000 00000000 <nosymbols>

*----> Raw Stack Dump <----*

#5 -=jonnyrotten=- (Retired Staff)
Try running the previous version of HijackThis, download it here:

http://www.download....tml?tag=lst-0-1

Be sure to delete the version you have so as not to get them confused, or just move it to its own folder.

Close all running programs, scan with HijackThis, save the log and paste the contents back here.

-=jonnyrotten=- :tazz:

#6 slbinff (Topic Starter)
OK - got a good HijackThis run - Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 7:24:44 PM, on 1/24/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\vwuuuu.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 149.138.5.81 sqmain
O1 - Hosts: 157.232.9.4 exsb
O1 - Hosts: 157.232.9.25 sb-docs
O1 - Hosts: 157.232.9.22 sb-services sbweb
O1 - Hosts: 157.232.9.27 sb-dc
O1 - Hosts: 157.232.9.23 sb-bu
O1 - Hosts: 157.232.11.15 clearcase-sb-1
O1 - Hosts: 157.232.9.22 clearcase-build
O1 - Hosts: 157.232.9.6 hds-app1
O1 - Hosts: 157.232.9.7 hds-app2
O1 - Hosts: 157.232.9.11 hds6
O1 - Hosts: 157.232.9.12 hds3
O1 - Hosts: 157.232.9.13 hds7
O1 - Hosts: 157.232.9.14 hds8
O1 - Hosts: 157.232.9.15 hds2
O1 - Hosts: 157.232.9.18 hds5
O1 - Hosts: 157.232.9.21 hds9
O1 - Hosts: 157.232.9.65 ps-sun1
O1 - Hosts: 157.232.9.66 ps-sun2
O1 - Hosts: 157.232.9.67 ps-sun3
O1 - Hosts: 157.232.9.68 sun4
O1 - Hosts: 157.232.10.150 hds10
O1 - Hosts: 157.232.10.151 hds11
O1 - Hosts: 157.232.10.152 hds12
O1 - Hosts: 157.232.10.153 hds13
O1 - Hosts: 157.232.10.154 hds14
O1 - Hosts: 157.232.10.155 hds15
O1 - Hosts: 157.232.10.159 hds16
O1 - Hosts: 157.232.10.160 hds17
O1 - Hosts: 157.232.10.161 hds18
O1 - Hosts: 157.232.10.164 hds21
O1 - Hosts: 157.232.10.166 perse-app1
O1 - Hosts: 157.232.10.167 perse-app2
O1 - Hosts: 157.232.12.200 hds-demo1
O1 - Hosts: 157.232.10.207 persewl
O1 - Hosts: 157.232.13.3 persehl2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\vwuuuu.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: khgggg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.co...22/ComCtl32.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFI...sses/CFJava.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTFind.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1EEBFE70-1CE8-11D6-8C81-00D0B7E72554} (MailClient Class) - http://condor.hosp.m...tMailClient.cab
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - http://condor.hosp.m.../siebelhtml.cab
O16 - DPF: {3295909D-35BF-40EF-9464-341FDD66CD1E} (Siebel Option Pack for IE 7.5.2) - http://condor.hosp.m...lOptionPack.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - http://nighthawk.hos...lOptionPack.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} (GMS Angular Gauge ActiveX Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\AGaugeM.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\edt32x20.CAB
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanChevron.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanViewer.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanSSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTree.CAB
#7
-=jonnyrotten=-
Wow! OK, let's do this first.

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right-click "Deldomains.inf" and click "Install". It will not appear to have done anything; that's OK. Next step.


Reset your hosts file. Click Here to download HostsFileReader. To reset the hosts file to default, simply open the program, click the "reset default" button, and confirm the changes.

You have a number of randomly named files on your system. We like to start with an online virus and trojan scan. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (it needs to be run with Internet Explorer):
http://www.pandasoft...n_principal.htm

And a free trojan scan here (you will have to download the 30-day trial of "The Cleaner" here):
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

-=jonnyrotten=- :tazz:
#8
slbinff
Here's a cleaned-up version of the HijackThis log (I removed the healthcare sys servers & entries; that project is wrapped up, so their stuff was no longer needed on the home system). Thanks for taking a look at this:

Logfile of HijackThis v1.98.2
Scan saved at 7:41:04 PM, on 1/24/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\vwuuuu.exe
C:\hijackthis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 149.138.5.81 sqmain
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\vwuuuu.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: khgggg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.co...22/ComCtl32.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFI...sses/CFJava.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTFind.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} (GMS Angular Gauge ActiveX Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\AGaugeM.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\edt32x20.CAB
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanChevron.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanViewer.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanSSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTree.CAB
#9
-=jonnyrotten=-
Did you run the online virus scan and "The Cleaner" from Moosoft?

-=jonnyrotten=- :tazz:
#10
slbinff
Still running the online scan now. Looks like it could be a while yet.
#11
-=jonnyrotten=-
Ya, it could take a while, especially "The Cleaner", but it's well worth it. Post a log when they're both done. We'll clean it up for ya :tazz:

-=jonnyrotten=- ;)
#12
slbinff
OK -

Ran DelDomains.
Reset Hosts to default.
Online scan came up with no viruses.
Moosoft came up with no trojans.
Re-ran Ad-Aware.
Re-ran Spybot S&D.
Rebooted.

New HijackThis Log:

Logfile of HijackThis v1.98.2
Scan saved at 6:24:20 AM, on 1/25/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khgggg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: Usage Information:
O1 - Hosts: Save Changes - Save any changes you make to hosts file
O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
O1 - Hosts: _________________________________________________________________
O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
O1 - Hosts: _________________________________________________________________
O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
O1 - Hosts: _________________________________________________________________
O1 - Hosts: By Option^Explicit, techcd@shaw.ca
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.co...22/ComCtl32.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFI...sses/CFJava.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTFind.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} (GMS Angular Gauge ActiveX Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\AGaugeM.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\edt32x20.CAB
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanChevron.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanViewer.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanSSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTree.CAB

Note:

The UMonitor popups on boot appear to be gone now.

I'm still getting an obnoxious number of popups, even though Verizon DSL, McAfee & Google Toolbar are all set to block them.

I'm no longer using any of the VanTree stuff that I see in the HijackThis log, but there's nothing to remove in the Control Panel's Add/Remove Programs that references VanTree.

I'm not sure what the ViewPoint stuff is??? Or the khgggg.exe or wuauclt.exe??


Thanks for the assist!
#13
-=jonnyrotten=-
You can uninstall any Viewpoint stuff you can find.

Quote: "I'm not sure what the ViewPoint stuff is??? Or the khgggg.exe or wuauclt.exe??"

Is khgggg.exe in Add/Remove Programs? Or are you talking about seeing it in the process list?

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save HijackThis in a permanent folder (e.g. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click "Fix checked".

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFI...sses/CFJava.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTFind.CAB
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} (GMS Angular Gauge ActiveX Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\AGaugeM.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\edt32x20.CAB
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\vanChevron.CAB
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanViewer.CAB
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanSSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTree.CAB

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khgggg.exe

Reboot normally and post a new log. How is your pc running now?

-=jonnyrotten=-

#14 slbinff (Topic Starter, Member, 13 posts)
Wow - you rock! It's running much better now!

Here's the latest HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 3:58:23 PM, on 1/25/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\bin\cfexec.exe
C:\CFUSION\bin\CFRDSService.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khgggg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O1 - Hosts: Usage Information:
O1 - Hosts: Save Changes - Save any changes you make to hosts file
O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
O1 - Hosts: _________________________________________________________________
O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
O1 - Hosts: _________________________________________________________________
O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
O1 - Hosts: _________________________________________________________________
O1 - Hosts: By Option^Explicit, techcd@shaw.ca
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.co...22/ComCtl32.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfami...oads/MrSIDI.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#15 slbinff (Topic Starter, Member, 13 posts)
I just noticed, though, that the khgggg.exe is back again??
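The cross-check behind the last two posts (the delete list in #13 and the note in #15 that khgggg.exe is running again), as an added example that is not part of this thread and not anything HijackThis ships: a small Python parser for HijackThis 1.98-style logs that reports two things worth looking at before deleting files by hand. First, running executables that sit in a Startup or Temp folder but that no O4 Run-key or Startup-folder line accounts for (khgggg.exe in the log above is exactly that case). Second, O16 ActiveX entries whose source is a local file:// cab rather than a web URL. The sample log is a constructed excerpt of lines copied from the logs posted above; the "Startup or Temp folder" heuristic and the regexes are my assumptions about the log format, not something the tool documents.

```python
import re

# Constructed sample input: a few lines in HijackThis 1.98 log format, copied
# from the logs posted in this thread (the forum shortened some URLs with "...").
# Added example, not code from the thread or from HijackThis itself.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khgggg.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\SLBRIT~1\LOCALS~1\Temp\VanTFind.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
"""

# "O4 - ..." / "R1 - ..." entry lines; everything after the code is the payload.
ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
# O4 Run-key lines: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (.*)$", re.IGNORECASE)
# O4 Startup-folder lines: Global Startup: Foo.lnk = target
STARTUP_RE = re.compile(r"^(?:Global )?Startup: .*? = (.*)$", re.IGNORECASE)
# O16 lines: DPF: {CLSID} (Friendly name) - source
DPF_RE = re.compile(r"^DPF: (\{[0-9A-F-]+\}|\S+) (?:\(([^)]*)\) )?- (\S+)$", re.IGNORECASE)

# Assumption: a bare executable living here, with no autostart line naming it,
# deserves a look. These are heuristics, not a verdict.
TRANSIENT_DIRS = ("\\start menu\\programs\\startup\\", "\\temp\\")


def parse_log(text):
    """Split a HijackThis log into (running process paths, [(code, payload), ...])."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1).upper(), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _exe_path(cmd):
    """Reduce a Run-key command line to its executable path (quotes and args dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def autostart_targets(entries):
    """Lower-cased executable paths named by O4 Run-key and Startup-folder entries."""
    targets = set()
    for code, rest in entries:
        if code != "O4":
            continue
        m = RUN_RE.match(rest) or STARTUP_RE.match(rest)
        if m:
            targets.add(_exe_path(m.group(1)).lower())
    return targets


def unexplained_processes(processes, entries):
    """Running executables under Startup/Temp that no O4 line accounts for."""
    listed = autostart_targets(entries)
    return [
        p for p in processes
        if any(d in p.lower() for d in TRANSIENT_DIRS) and p.lower() not in listed
    ]


def local_activex(entries):
    """O16 (DPF) controls whose source is a file:// cab instead of a web URL."""
    found = []
    for code, rest in entries:
        if code != "O16":
            continue
        m = DPF_RE.match(rest)
        if m and m.group(3).lower().startswith("file://"):
            found.append((m.group(1), m.group(3)))
    return found


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for p in unexplained_processes(procs, ents):
        print("running, but no O4 line names it:", p)
    for clsid, src in local_activex(ents):
        print("ActiveX control registered from a local cab:", clsid, src)
```

On the sample above the first report is the khgggg.exe path and the second is the VanTFind control; the AlternaTIFF line is skipped because it comes from an http URL. Paste a full log in place of SAMPLE_LOG to run it over a real one. A process that shows up in the first list is a hint that the thing starting it is not a Run key or a Startup shortcut the tool already lists, which is the question to settle before deleting the file a third time.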