Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Search Inqwire/Random Restarts


  • This topic is locked This topic is locked

#1
FHiL

FHiL

    Member

  • Member
  • PipPip
  • 15 posts
So uh Search Inqwire has been annoying me for the past few days, and I thought I had gotten rid of it, well, I may have, but now I have a problem with random restarts. Here's my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:51:16 AM, on 11/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM+\AIM+.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_11_0.DLL
O2 - BHO: BoomBar class - {C4D99500-4C77-11D4-93B7-0040950570BA} - C:\WINDOWS\BOOMBAR.DLL
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM\HDBHO.DLL
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_11_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - Startup: iTouch.exe.lnk = C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ComcastHSI - {C7DBF3A0-FC58-11D5-A1ED-000102CA780E} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {C7DBF3A1-FC58-11D5-A1ED-000102CA780E} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C7DBF3A2-FC58-11D5-A1ED-000102CA780E} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .sco: C:\PROGRA~1\INTERN~1\PLUGINS\NPSibelius.dll
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .rpm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppl3260.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for : C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPOJI610.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npwinamp.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ials/ymmapi.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_4_0.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0036.exe
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


Thanks in advance.

Edited by FHiL, 26 November 2005 - 08:57 AM.

  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
FHiL

FHiL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
thanks sam, ok here's the deal, through a combination of avast, avg, trojan hunter, ad-aware, spy doctor, panda active scan, housecall, and ccleaner, i still haven't been able to fix the problem, but have received possible trojans/virus/etc such as trojan_scthoughts.c (not positive on that name) and peeper.120.. here is an updated hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 5:12:40 PM, on 11/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.search/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: iTouch.exe.lnk = C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .sco: C:\PROGRA~1\INTERN~1\PLUGINS\NPSibelius.dll
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .rpm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppl3260.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for : C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPOJI610.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npwinamp.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Let's do some digging and see what turns up.

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.search/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



Please download CWShredder and run it. Be sure to click "Fix".



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#5
FHiL

FHiL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
thank you for the advice, sadly...
ran cwshredder, nothing found.
ran avast, found some stuff, fixed it.
can not run kaspersky online scanner, had it running for 2 hours, got about 25% done when the computer restarted on it's own again.
computer was down for like 3 hours where i could not get it to the logon screen before it restarted.
empited temp, temp internet, and downloaded prog files in safe mode
computer loses the mouse settings every few restarts and can't use my microsoft intellimouse explorer w/o reinstalling it first.

fixed the item's listed above, although i could not find 2-3 of them.

here's a current hjt log, any other suggestions would be mighty helpful, i'll try kaspersky again, who knows how long the computer will stay on.

Logfile of HijackThis v1.99.1
Scan saved at 7:32:16 AM, on 11/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: iTouch.exe.lnk = C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Block this popup - C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Anti-Spyware\blockpopups.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-SPYWARE\IESHIELD.DLL
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\ANTI-SPYWARE\IESHIELD.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .sco: C:\PROGRA~1\INTERN~1\PLUGINS\NPSibelius.dll
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .rpm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppl3260.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for : C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPOJI610.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npwinamp.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
  • 0

#6
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Some questions...

You said that Avast found some stuff. What did it find? Is there a log that you can post here?

This line in your hijackthis log is unusual. Is there a reason why you have this running on startup?
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

Do you run regular maintenance(scandisc and defrag) on this computer?
  • 0

#7
FHiL

FHiL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
11/28/05 5:17:15 PM Default 4293450573 Sign of "Win32:Ruledor [Trj]" has been found in "c:\WINDOWS\SYSTEM\IAicemm.dll\[UPX]" file.
11/28/05 5:18:12 PM Default 4293450573 Sign of "Win32:CTX" has been found in "c:\WINDOWS\SYSTEM\ActiveScan\pskavs.dll" file.
11/28/05 6:36:41 PM Default 4292874277 AAVM - scanning warning: x_AavmCheckFileDirectEx: C:\PROGRAM FILES\AMERICA ONLINE 8.0\idb\sap.dat (C:\PROGRAM FILES\AMERICA ONLINE 8.0\idb\sap.dat) returning error, 0000A477.

housecall i think it was found "peeper.120" accessing one of my ports.

restarts more frequent when using aim, y! messenger or internet explorer.
  • 0

#8
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
This line in your hijackthis log is unusual. Is there a reason why you have this running on startup?
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

Do you run regular maintenance(scandisc and defrag) on this computer?
  • 0

#9
FHiL

FHiL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
wmencagt has been on the computer for probably as long as i can remember, i'd say a good 2+ years. yes to both scandisk and defrag, both stock versions.
  • 0

#10
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I'm not questioning whether it's malware or not. I know it's legit. But it's an unnecessary startup item. Being that your computer is running poorly right now it would make sense to eliminate any unnecessary background processes. Unless you have a reason for it to run automatically, please fix this line with Hijackthis.

O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE


Now let's dig a little deeper and see if we can turn up any real malware.

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
  • 0

Advertisements


#11
FHiL

FHiL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 11/27/05 11:11:18 PM 16603479 c:\windows\VPTNFILE.971
qoologic 11/27/05 11:11:18 PM 16603479 c:\windows\VPTNFILE.971
SAHAgent 11/27/05 11:11:18 PM 16603479 c:\windows\VPTNFILE.971

Items found in c:\windows\HOSTS
127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 web-nexus.net #[Adw.Web-Nexus.WebNexusAdServer]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 stech.web-nexus.net
127.0.0.1 www.web-nexus.net
127.0.0.1 agentq.vpptechnologies.com
127.0.0.1 main.vpptechnologies.com #[IE-SpyAd]
127.0.0.1 media-0.vpptechnologies.com
127.0.0.1 media-1.vpptechnologies.com
127.0.0.1 media-4.vpptechnologies.com
127.0.0.1 media-5.vpptechnologies.com
127.0.0.1 media-6.vpptechnologies.com
127.0.0.1 media-a.vpptechnologies.com
127.0.0.1 media-b.vpptechnologies.com
127.0.0.1 media-c.vpptechnologies.com
127.0.0.1 media-d.vpptechnologies.com
127.0.0.1 media-e.vpptechnologies.com
127.0.0.1 media-f.vpptechnologies.com
127.0.0.1 msxml.vpptechnologies.com
127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
127.0.0.1 thumbs.vpptechnologies.com
127.0.0.1 xml.vpptechnologies.com #[BlazeFind]
127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede][Troj/Dloader-IG]
127.0.0.1 www.ad-w-a-r-e.com #[AdWare.Win32.Look2Me.ab]
127.0.0.1 abetterinternet.com #[Downloader.Stubby.A][Adware.Aurora]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
127.0.0.1 download2.abetterinternet.com #[Parasite.Transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 st.abetterinternet.com
127.0.0.1 static.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]

PECompact2 11/27/05 11:11:18 PM 16603479 c:\windows\lpt$vpn.971
qoologic 11/27/05 11:11:18 PM 16603479 c:\windows\lpt$vpn.971
SAHAgent 11/27/05 11:11:18 PM 16603479 c:\windows\lpt$vpn.971
UPX! 11/27/05 11:11:20 PM 1044560 c:\windows\vsapi32.dll
aspack 11/27/05 11:11:20 PM 1044560 c:\windows\vsapi32.dll
KavSvc 11/29/05 11:01:56 AM RH 10104864 c:\windows\SYSTEM.DAT
UPX! 11/27/05 11:11:20 PM 170053 c:\windows\tsc.exe
aspack 11/27/04 10:42:34 PM 6618647 c:\windows\180ax_kyf.dat
PTech 11/27/04 10:42:34 PM 6618647 c:\windows\180ax_kyf.dat

Checking %System% folder...
PTech 3/19/02 1:17:00 PM 323584 c:\windows\SYSTEM\DFXG13.DLL
UPX! 11/12/05 9:59:18 AM 473600 c:\windows\SYSTEM\ASWBOOT.EXE
UPX! 6/9/01 9:38:56 AM 53251 c:\windows\SYSTEM\Archive Hentai-uninstall.exe
aspack 6/9/03 12:19:00 AM 208896 c:\windows\SYSTEM\HDBHO.dll
aspack 6/9/03 12:20:00 AM 207360 c:\windows\SYSTEM\NMDll.dll
PTech 8/29/05 1:27:12 PM 520968 c:\windows\SYSTEM\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/29/05 11:01:56 AM RH 1658912 c:\windows\USER.DAT
11/29/05 11:01:56 AM RH 10104864 c:\windows\SYSTEM.DAT
11/29/05 11:00:04 AM H 638585 c:\windows\ShellIconCache
11/28/05 2:53:56 AM H 9793 c:\windows\HELP\WINDOWS.GID
11/26/05 7:55:14 PM HS 274944 c:\windows\All Users\DRM\drmv2.lic
11/26/05 8:08:00 PM HS 30208 c:\windows\All Users\DRM\drmv2.sst
11/26/05 7:55:14 PM HS 10240 c:\windows\All Users\DRM\drmv2.licIndex
11/25/05 9:46:24 PM HS 67 c:\windows\Temporary Internet Files\desktop.ini
11/29/05 4:09:50 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
11/29/05 5:47:36 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\49CLYJ4X\desktop.ini
11/29/05 5:47:52 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\9ZR355GE\desktop.ini
11/29/05 5:48:54 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\9B6HD4E0\desktop.ini
11/29/05 5:48:54 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\T8WFP14D\desktop.ini
11/29/05 5:48:54 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\KXTVEYA7\desktop.ini
11/29/05 5:48:58 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\WL83OJ03\desktop.ini
11/29/05 5:49:26 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\O54PGV41\desktop.ini
11/29/05 5:49:26 AM HS 67 c:\windows\Temporary Internet Files\Content.IE5\EXQJIDQB\desktop.ini
11/29/05 1:56:58 AM H 6 c:\windows\Tasks\SA.DAT
11/28/05 2:15:38 AM H 65 c:\windows\Downloaded Program Files\desktop.ini

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 c:\windows\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 c:\windows\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 c:\windows\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 c:\windows\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 c:\windows\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 c:\windows\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 c:\windows\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 c:\windows\SYSTEM\POWERCFG.CPL
Microsoft Corporation 5/1/02 6:51:36 PM 192512 c:\windows\SYSTEM\JOY.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 c:\windows\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 c:\windows\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 c:\windows\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 c:\windows\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 c:\windows\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 c:\windows\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 c:\windows\SYSTEM\TIMEDATE.CPL
Apple Computer, Inc. 4/8/04 2:12:42 PM 323072 c:\windows\SYSTEM\QuickTime.cpl
Compaq Computer Corporation 10/25/99 8:27:44 PM 110592 c:\windows\SYSTEM\UICONFIG.cpl
PCtel, Inc. 4/11/00 9:29:40 AM 56320 c:\windows\SYSTEM\PTCTRL.CPL
10/14/99 5:27:06 PM 110592 c:\windows\SYSTEM\cch.cpl
Compaq Computer Corporation 3/31/00 12:29:54 PM 372736 c:\windows\SYSTEM\DIGDASH.cpl
1/27/00 1:18:10 PM 65536 c:\windows\SYSTEM\CPQDIAG.CPL
Symantec Corporation 8/13/97 4:34:10 PM 169472 c:\windows\SYSTEM\S32LuCp1.cpl
Kristal Studio 2/25/01 1:57:48 AM 121856 c:\windows\SYSTEM\Mp3cnfg.cpl
Intel Corporation 7/17/02 7:54:10 AM 94208 c:\windows\SYSTEM\igfxcpl.cpl
4/22/04 7:49:44 PM 120832 c:\windows\SYSTEM\lcmmfu.cpl
Sun Microsystems 2/22/04 11:44:42 PM 61555 c:\windows\SYSTEM\jpicpl32.cpl
Microsoft Corporation 7/26/00 11:37:08 AM 41232 c:\windows\SYSTEM\odbccp32.cpl
Adobe Systems, Inc. 8/24/00 3:46:38 PM 266240 c:\windows\SYSTEM\Adobe Gamma.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/3/05 12:50:28 AM H 107 C:\WINDOWS\All Users\Application Data\Ts_infos.ini

Checking files in %USERPROFILE%\Startup folder...
10/30/05 7:03:08 PM 440 C:\WINDOWS\Start Menu\Programs\StartUp\iTouch.exe.lnk

Checking files in %USERPROFILE%\Application Data folder...
6/4/03 2:05:38 AM 121 C:\WINDOWS\Application Data\bottomleft.gif
6/4/03 2:05:38 AM 173 C:\WINDOWS\Application Data\bottomright.gif
7/3/05 12:47:58 AM 618 C:\WINDOWS\Application Data\dw.log
2/22/05 10:20:38 PM 36128 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
6/4/03 2:05:38 AM 5336 C:\WINDOWS\Application Data\main_02.gif
6/4/03 2:05:38 AM 135 C:\WINDOWS\Application Data\mp3search_02.gif
6/4/03 2:05:38 AM 148 C:\WINDOWS\Application Data\newsbarend.gif
6/4/03 2:05:38 AM 1206 C:\WINDOWS\Application Data\searchnow.gif
6/4/03 2:05:38 AM 67 C:\WINDOWS\Application Data\seperateline.gif
6/4/03 2:05:38 AM 66 C:\WINDOWS\Application Data\seperateline1.gif
6/4/03 2:05:38 AM 59 C:\WINDOWS\Application Data\seperateline3.gif
6/4/03 2:05:38 AM 176 C:\WINDOWS\Application Data\topleft.gif
6/4/03 2:05:38 AM 124 C:\WINDOWS\Application Data\topright.gif

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
H010818 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Camouflage
{29557489-990B-11D4-9413-004095490AD4} = C:\PROGRAM FILES\CAMOUFLAGE\CAMSHELL.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087} = C:\Program Files\Norton AntiVirus\navshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\PROGRA~1\GlobalSCAPE\CuteFTP\CuteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PKContextMenuHandler Class
{7414E744-CEFF-11D1-BBE3-0000E8C9F421} = C:\PROGRAM FILES\PKWARE\PKZIPE\PKSHEX.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\HexWorkshopContextMenu
{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA} = C:\Program Files\BreakPoint Software\Hex Workshop 4.2\hwext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\SHELLEX.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NortonAntivirus
{067DF822-EAB6-11cf-B56E-00A0244D5087} = C:\Program Files\Norton AntiVirus\navshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PKContextMenuHandler Class
{7414E744-CEFF-11D1-BBE3-0000E8C9F421} = C:\PROGRAM FILES\PKWARE\PKZIPE\PKSHEX.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\SHELLEX.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\PROGRA~1\GlobalSCAPE\CuteFTP\CuteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{576EB0AD-6980-11D5-A9CD-0001032FEE17}
CheckHO Class = C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\SYSTEM\MSJAVA.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry c:\windows\scanregw.exe /autorun
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SystemTray SysTray.Exe
CountrySelection pctptt.exe
LoadQM loadqm.exe
IgfxTray C:\WINDOWS\SYSTEM\igfxtray.exe
Logitech Hardware Abstraction Layer KHALMNPR.EXE
PTSNOOP ptsnoop.exe
THGuard "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
avast! Web Scanner C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Hidserv Hidserv.exe run
avast! C:\Program Files\Alwil Software\Avast4\ashServ.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
CPQEASYACC C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
EACLEAN C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
CPQInet c:\compaq\CPQInet\CpqInet.exe
Digital Dashboard C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
Service Connection c:\cpqs\bwtools\sccenter.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
LexStart Lexstart.exe
LexmarkPrinTray PrinTray.exe
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
Uninstall0001 "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
spp regedit -s C:\spp.reg
ClrSchLoader \Program Files\ClearSearch\Loader.exe
Tapicfg.exe \tapicfg.exe
KAZAA C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
TaskMonitor c:\windows\taskmon.exe
Norton Auto-Protect C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
zBrowser Launcher C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
HPDJ Taskbar Utility C:\WINDOWS\SYSTEM\hpztsb03.exe
PTSNOOP ptsnoop.exe
HotKeysCmds C:\WINDOWS\SYSTEM\hkcmd.exe
AdsOff C:\Program Files\AdsOff2\adsoff.exe -startup
AdsOff Startup C:\Program Files\AdsOff2\reset.exe
MSMGT C:\WINDOWS\MSMGT.EXE
kdx C:\WINDOWS\KDX\KHOST.EXE
wcmdmgr C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
b3dUpdate C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p
Mirabilis ICQ C:\Program Files\ICQ\ICQNet.exe
WebInstall2 C:\WINDOWS\TEMP\INS71A3.TMP /R /A
stcloader C:\WINDOWS\SYSTEM\stcloader.exe
MemoryMeter C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
TVTMD C:\WINDOWS\TVTMD.EXE
msbb C:\PROGRAM FILES\NCASE\MSBB.EXE
CSMAQ C:\WINDOWS\CSMAQ.exe
XupiterStartup C:\Program Files\Xupiter\XupiterStartup2003.exe
XupiterCfgLoader C:\Program Files\Xupiter\XTCfgLoader.exe
Launcher C:\Program Files\KFH\cl\launcher.exe /P
SwimSuitNetwork C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe /H
DownloadWare C:\Program Files\DownloadWare\dw.exe /H
OrbitUpdate C:\Program Files\Orbit\update.exe
OrbitView C:\Program Files\Orbit\view.exe
WJQZ C:\WINDOWS\WJQZ.exe
BELT C:\WINDOWS\BELT.exe
P2P NETWORKING C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
AltnetPointsManager c:\program files\altnet\points manager\points manager.exe -s
slmss C:\Program Files\Common Files\slmss\slmss.exe
Mwsvm C:\WINDOWS\mwsvm.exe
absr C:\WINDOWS\mwsvm.exe
AUHXRMT C:\WINDOWS\AUHXRMT.exe
BEHORYFIL C:\WINDOWS\BEHORYFIL.exe
JMTW C:\WINDOWS\JMTW.exe
version C:\WINDOWS\SYSTEM\VERSION.exe
WinEssential C:\WINDOWS\SYSTEM\KEYHOST.exe
Win Server Updt C:\WINDOWS\wupdt.exe
MSVersion C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
AEHKNRU C:\WINDOWS\AEHKNRU.exe
DisableIPC C:\Program Files\SeeMeMe Windows Utilities\DisableIPC.exe
180ax c:\windows\180ax.exe
nydwd C:\WINDOWS\nydwd.exe
mediamotor.exe C:\WINDOWS\mmups.exe
loads.exe C:\WINDOWS\suploads.exe
DealHelperUpdate C:\WINDOWS\DHUpdt.exe
DealHelperBrwsr C:\WINDOWS\dhbrwsr.exe
3kce.exe C:\WINDOWS\TEMP\3KCE.EXE
3MMR@#94N5MQR9 C:\WINDOWS\SYSTEM\Ctbj0i7.exe
iefeatures C:\WINDOWS\SYSTEM\IEFEATURES.exe
SetPoint C:\Program Files\Logitech\SetPoint\KEM.EXE
F-Secure Startup Wizard "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\FSGUI\FSSW.EXE" /reboot
F-Secure Manager "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSM32.EXE" /splash
F-Secure TNB "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
ashMaiSv C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
LicCtrl runservice.exe
SchedulingAgent mstask.exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
KB891711 c:\windows\SYSTEM\KB891711\KB891711.EXE
DkService C:\Program Files\Executive Software\Diskeeper\DkService.exe
F-Secure Management Agent C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSMA32.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Steam

FAST Defrag
MSMSGS C:\Program Files\MSN Messenger\msmsgs.exe
quicken C:\WINDOWS\QUICKEN.EXE
cnet C:\Program Files\Kontiki\bin\kontiki.exe -s cnet -q
RAM Medic C:\Program Files\Iomatic\RAM Medic\RAMMedic.exe
PRRTECT C:\WINDOWS\SYSTEM\PRRTECT.exe
Anbr C:\WINDOWS\Application Data\durr.exe
eZWO C:\PROGRA~1\Web Offer\wo.exe
Ewtzmq C:\WINDOWS\SYSTEM\sye.exe
Yahoo! Pager C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]
QRIA

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
DisablePwdCaching 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions 0
NoCDBurning 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
NoDesktop 0
NoActiveDesktop 0
NoNetHood 0
HideClock 0
NoManageMyComputerVerb 0
NoLowDiskSpaceChecks 0
NoCDBurning 0
NoStartMenuPinnedList 0
NoStartMenuMFUprogramsList 0
NoUserNameInStartMenu 0
StartmenuLogoff 0
NoStartMenuSubFolders 0
NoCommonGroups 0
NoRecentDocsMenu 0
ClearRecentDocsOnExit 0
NoPrinterTabs 0
NoDeletePrinter 0
NoAddPrinter 0
NoPrinters 0
NoNetworkConnections 0
NoFavoritesMenu 0
NoRun 0
NoFind 0
NoClose 0
NoSetFolders 0
NoSMHelp 0
NoChangeStartMenu 0
NoViewContextMenu 0
NoFileMenu 0
NoDrives 0
NoControlPanel 0
NoShellSearchButton 0
NoToolbarCustomize 0
NoRecentDocsNetHood 0
NoChangeAnimation 0
NoChangeKeyboardNavigationIndicators 0
NoThemesTab 0
NoTrayContextMenu 0
NoRecentDocsHistory 0
NoWindowsUpdate 0
NoExpandedNewMenu 0
NoBandCustomize 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoSecCpl 0
DisableChangePassword 0
DisableLockWorkstation 0
NoDispCpl 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispAppearancePage 0
NoDispSettingsPage 0
NoVisualStyleChoice 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
NoEntireNetwork 0
NoNetSetup 0
NoWorkgroupContents 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/29/05 11:15:07 AM
  • 0

#12
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Are you using msconfig to control your startup items?
If so, please run msconfig, enable all startup items, then reboot and post a new hijackthis log.
  • 0

#13
FHiL

FHiL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
all startup objects re-enabled, computer restarted (the following files were not found during startup, spp.reg, topsearch.dll, fspex.exe), and heres the new hjt log

Logfile of HijackThis v1.99.1
Scan saved at 8:36:22 PM, on 11/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\TOTEM SHARED\UNINSTALL0001\UPD.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [spp] regedit -s C:\spp.reg
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [AdsOff] C:\Program Files\AdsOff2\adsoff.exe -startup
O4 - HKLM\..\Run: [AdsOff Startup] C:\Program Files\AdsOff2\reset.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [b3dUpdate] C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\TEMP\INS71A3.TMP /R /A
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.EXE
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [CSMAQ] C:\WINDOWS\CSMAQ.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [Launcher] C:\Program Files\KFH\cl\launcher.exe /P
O4 - HKLM\..\Run: [SwimSuitNetwork] C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe /H
O4 - HKLM\..\Run: [DownloadWare] C:\Program Files\DownloadWare\dw.exe /H
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [WJQZ] C:\WINDOWS\WJQZ.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [AUHXRMT] C:\WINDOWS\AUHXRMT.exe
O4 - HKLM\..\Run: [BEHORYFIL] C:\WINDOWS\BEHORYFIL.exe
O4 - HKLM\..\Run: [JMTW] C:\WINDOWS\JMTW.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\VERSION.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\SYSTEM\KEYHOST.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [AEHKNRU] C:\WINDOWS\AEHKNRU.exe
O4 - HKLM\..\Run: [DisableIPC] C:\Program Files\SeeMeMe Windows Utilities\DisableIPC.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [nydwd] C:\WINDOWS\nydwd.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\suploads.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [3kce.exe] C:\WINDOWS\TEMP\3KCE.EXE
O4 - HKLM\..\Run: [3MMR@#94N5MQR9] C:\WINDOWS\SYSTEM\Ctbj0i7.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
O4 - HKLM\..\Run: [SetPoint] C:\Program Files\Logitech\SetPoint\KEM.EXE
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\PROGRAM FILES\F-SECURE INTERNET SECURITY\Common\FSMA32.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\MSN Messenger\msmsgs.exe
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\QUICKEN.EXE
O4 - HKCU\..\Run: [cnet] C:\Program Files\Kontiki\bin\kontiki.exe -s cnet -q
O4 - HKCU\..\Run: [RAM Medic] C:\Program Files\Iomatic\RAM Medic\RAMMedic.exe
O4 - HKCU\..\Run: [PRRTECT] C:\WINDOWS\SYSTEM\PRRTECT.exe
O4 - HKCU\..\Run: [Anbr] C:\WINDOWS\Application Data\durr.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Ewtzmq] C:\WINDOWS\SYSTEM\sye.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: iTouch.exe.lnk = C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .sco: C:\PROGRA~1\INTERN~1\PLUGINS\NPSibelius.dll
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for : C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPOJI610.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npwinamp.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab

Edited by FHiL, 29 November 2005 - 07:43 PM.

  • 0

#14
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [spp] regedit -s C:\spp.reg
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AdsOff] C:\Program Files\AdsOff2\adsoff.exe -startup
O4 - HKLM\..\Run: [AdsOff Startup] C:\Program Files\AdsOff2\reset.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [b3dUpdate] C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p
O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\TEMP\INS71A3.TMP /R /A
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.EXE
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [CSMAQ] C:\WINDOWS\CSMAQ.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [Launcher] C:\Program Files\KFH\cl\launcher.exe /P
O4 - HKLM\..\Run: [SwimSuitNetwork] C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe /H
O4 - HKLM\..\Run: [DownloadWare] C:\Program Files\DownloadWare\dw.exe /H
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [WJQZ] C:\WINDOWS\WJQZ.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [AUHXRMT] C:\WINDOWS\AUHXRMT.exe
O4 - HKLM\..\Run: [BEHORYFIL] C:\WINDOWS\BEHORYFIL.exe
O4 - HKLM\..\Run: [JMTW] C:\WINDOWS\JMTW.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\VERSION.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\SYSTEM\KEYHOST.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [AEHKNRU] C:\WINDOWS\AEHKNRU.exe
O4 - HKLM\..\Run: [DisableIPC] C:\Program Files\SeeMeMe Windows Utilities\DisableIPC.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [nydwd] C:\WINDOWS\nydwd.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\suploads.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [3kce.exe] C:\WINDOWS\TEMP\3KCE.EXE
O4 - HKLM\..\Run: [3MMR@#94N5MQR9] C:\WINDOWS\SYSTEM\Ctbj0i7.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
O4 - HKCU\..\Run: [PRRTECT] C:\WINDOWS\SYSTEM\PRRTECT.exe
O4 - HKCU\..\Run: [Anbr] C:\WINDOWS\Application Data\durr.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Ewtzmq] C:\WINDOWS\SYSTEM\sye.exe
O4 - Startup: PowerReg Scheduler.exe



Delete these files, if present.

C:\spp.reg
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\MSMGT.EXE
C:\WINDOWS\SYSTEM\stcloader.exe
C:\WINDOWS\TVTMD.EXE
C:\WINDOWS\CSMAQ.exe
C:\WINDOWS\WJQZ.exe
C:\WINDOWS\BELT.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\AUHXRMT.exe
C:\WINDOWS\BEHORYFIL.exe
C:\WINDOWS\JMTW.exe
C:\WINDOWS\SYSTEM\VERSION.exe
C:\WINDOWS\SYSTEM\KEYHOST.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
C:\WINDOWS\AEHKNRU.exe
c:\windows\180ax.exe
C:\WINDOWS\nydwd.exe
C:\WINDOWS\mmups.exe
C:\WINDOWS\suploads.exe
C:\WINDOWS\DHUpdt.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\SYSTEM\Ctbj0i7.exe
C:\WINDOWS\SYSTEM\IEFEATURES.exe
C:\WINDOWS\SYSTEM\PRRTECT.exe
C:\WINDOWS\Application Data\durr.exe
C:\WINDOWS\SYSTEM\sye.exe



Now I need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your in your next reply.

  • 0

#15
FHiL

FHiL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Adobe Acrobat 4.0
Adobe Photoshop 7.0
AdsOff 2.0
AIM+ (remove only)
America Online
AMIP (remove only)
AOL Instant Messenger
Ares Lite Edition 1.8.1
avast! Antivirus
BitTorrent 3.3
BroadJump Client Foundation
Camouflage
Carbon Copy 32
Chinese (Simplified) Language Support
Compaq Diagnostics for Windows
Compaq Digital Dashboard LED
Compaq Hardware Discovery
Compaq IE5 Custom US v2.6
Compaq IJ300 Electronic Registration
Compaq IJ600
Compaq OOBE Online
Compaq WebISP
Compaq WebReg v2.6
Compaq Wizard Host Online v2.6
Cult3D ActiveX Player
CuteFTP
Digital Camera Suite
DivX Player
dropcharge ActiveX Control
Easy Access Button Support
eDonkey2000
Encarta Online
eViewStream
EZ_1-2-3 ActiveX Control
Feeding Frenzy
Half-Life
Hex Workshop v4.23
HexEdit
HijackThis 1.99.1
hp deskjet 970c series (Remove only)
HSP56 MicroModem Drivers
HyperLoad
ICQ
Indeo® Software
Intel Application Accelerator
Intel® 810/810E/815/815E/815EM Chipset Graphics Driver Softw
Internet Explorer Q896688
InterVideo Installer
Iomega Tools for Windows 95
Japanese Language Support
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_04
Kaspersky On-line Scanner
Kazaa Media Desktop 2.1.1
KODAK Memory Albums
Korean Language Support
Launcher
LiveJournal 1.4.6 (remove only)
LiveUpdate 1.90 (Symantec Corporation)
LJ Comment Stats Wizard 1.0
Logitech iTouch Software
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Data Access Components KB870669
Microsoft FrontPage Express
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office XP Professional
Microsoft Outlook Express 6
Microsoft VGX Q833989
Microsoft Web Publishing Wizard 1.53
Microsoft Works 2000
Midi Harvester
Mjuice Components
MS Access 97 SP2
msconfig
Musicmatch® Jukebox
Nero - Burning Rom
NeroMediaPlayer
Netscape Communicator 4.7
Norton AntiVirus
Outlook Express Q823353
Panda ActiveScan
PGT Windows ActiveX Control
Pixelon Player
PokerRoom.com (remove only)
Pretty Good Solitaire 500 version 8.0.2
Promotion Wars (c:\Promotion Wars\)
Promotion Wars (c:\promowars\)
QuickTime
Recorder
Secure Delivery
Service Connection
setup (Remove only)
Shockwave
Sibelius Scorch
Sierra Utilities
SpywareBlaster v3.4
StepMania CVS (remove only)
Syntrillium Tremolo DirectX Plug-In
System Files Update
Toolbar - My Toolbar
Triscape FxFoto
TrojanHunter 4.2
UltimateBet
UMAX VistaScan
Universal Media Player
USB CompactFlash Reader
USB SmartMedia Reader
USB Storage Adapter V2
VB Runtime
VideoLAN VLC media player 0.8.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
Virtual Grow 2
Virtual Grow 2 (C:\Program Files\VG\)
Waqas Ahmed's Wrestling Manager Demo
WebIQ Client Software
Winamp (remove only)
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
Windows 98 Q890175 Update
Windows Media Player system update (9 Series)
WinZip
Yahoo! Address AutoComplete
Yahoo! Anti-Spy
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
ZipOffie 10 Classic
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP