Pop Ups etc. on laptop
Join Date: Jul 2005
Posts: 82
Solved Threads: 0
Hi again......now I got my laptop infected ......my daughter went to iconator.com and something nasty got on the laptop
....here's my HJT log.....scanned with ewido before running the log.....thanks for the help .....JD
Logfile of HijackThis v1.99.1
Scan saved at 12:40:18 PM, on 6/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\YWltbmV0\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\defender25.exe
C:\WINNT\system32\twintqez.exe
c:\winnt\system32\psdsregj.exe
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\ssec.exe
C:\WINNT\system32\tfthot.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\PROGRA~1\COMMON~1\SSEMBL~1\spoolsv.exe
C:\PROGRA~1\COMMON~1\owqr\owqrm.exe
C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
C:\PROGRA~1\COMMON~1\owqr\owqra.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hpsckhm.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINNT\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [{94-4B-B7-76-ZN}] c:\winnt\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\twintqez.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [Awre] "C:\PROGRA~1\COMMON~1\SSEMBL~1\spoolsv.exe" -vt yazr
O4 - HKCU\..\Run: [owqr] C:\PROGRA~1\COMMON~1\owqr\owqrm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Uifnnnar] C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Zeno.lnk = C:\WINNT\system32\twintqez.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productu...ntent/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\e2jmlc111f.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
Hi,
Download WinSockXPFix and extract the ZIP file contents to a folder. Do not run the program now!
Download The Avenger by Swandog46 to your Desktop. Do not run it now!
Uninstall this software from Add/Remove Programs in Control Panel:-
WebHancer
SurfSideKick
PurityScan
NewDotNet or New.Net
Run HijackThis and click Do only a System scan. Then put a check mark in front of the entries listed below:-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hpsckhm.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINNT\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [{94-4B-B7-76-ZN}] c:\winnt\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\twintqez.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [Awre] "C:\PROGRA~1\COMMON~1\SSEMBL~1\spoolsv.exe" -vt yazr
O4 - HKCU\..\Run: [owqr] C:\PROGRA~1\COMMON~1\owqr\owqrm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Uifnnnar] C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\twintqez.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\e2jmlc111f.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop.
- Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL C keys:-
Files to delete:
C:\defender25.exe
C:\WINNT\system32\twintqez.exe
c:\winnt\system32\psdsregj.exe
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\ssec.exe
C:\WINNT\system32\tfthot.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\WINNT\system32\wumxa.exe
C:\WINNT\system32\hpsckhm.exe
c:\winnt\system32\dwdsregt.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\glutac.exe
C:\WINNT\system32\repairs303169590.dll
C:\keyboard25.exe
Folders to delete:
C:\Program Files\NewDotNet
C:\Program Files\Network Monitor
C:\Program Files\webHancer
C:\Program Files\SurfSideKick 3
C:\PROGRAM FILES\COMMON FILES\owqr
C:\WINNT\YWltbmV0
- Now, run The Avenger program by double clicking its icon on your Desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
- Paste the text copied to clipboard into this window by pressing Ctrl V keys.
- Click Done.
- Now click on the Green Light to begin execution of the script.
- Answer "Yes" twice when prompted.
The Avenger will automatically do the following:-
- It will Restart your computer.
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
Run WinSockXPFix.exe and click "Reg Backup" to back up the Registry first. After this, click the "Fix" button and follow the instructions given by the tool.
Next, download Dr.Web CureIT!. Run it and click "OK" when it asks you to start a memory scan. Allow it to complete the memory scan. After it completes, select all the hard disk drives (like C:\, D:\ etc.) by clicking on the drive letters that are displayed on the central part of Dr.Web CureIT! Next, click the button which resembles the "Play" icon, to start the scan.
After this, run HijackThis again to get a new log. Please post back this new HijackThis log along with the Avenger log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
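The fix list in the reply above is the result of reading each R/F/O line of the log and asking a few questions: is this a persistence point that legitimate software never touches, who owns this service, does the target file exist, and do the name and location look right. As an added example (my code, not the thread's, the helper's or HijackThis's own), here is that triage written out in Python and run over a handful of entries copied from the log posted above. The allowlist of known-good names, the choice of always-review sections and the random-name heuristic are assumptions made for this example, so the output is the kind of shortlist a helper then confirms by hand, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sections that are persistence/injection points legitimate software almost
# never uses on a home PC: system.ini Shell/UserInit (F2), MIME filters (O18),
# AppInit_DLLs and Winlogon Notify packages (O20). Assumption for this example.
ALWAYS_REVIEW = {"F2", "O18", "O20"}

# Constructed allowlist: file stems accepted in system folders without a
# second look. A real helper maintains a far longer list.
KNOWN_GOOD_STEMS = {
    "explorer", "userinit", "mobsync", "promon", "msdxm", "navlogon",
    "dmadmin", "nmssvc", "rundll32", "wuauclt",
}

# Core Windows binary names; a copy running from anywhere but system32 is a
# classic masquerade (the log above has a spoolsv.exe under Common Files).
SYSTEM_BINARY_STEMS = {"spoolsv", "svchost", "lsass", "services",
                       "winlogon", "smss", "csrss"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# A full path (drive letter, no quotes or commas inside) or a bare file name,
# in either case ending in a loadable extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\[^",]*?|[\w~]+)\.(?:exe|dll|ocx)\b',
                     re.IGNORECASE)
RANDOM_STEM = re.compile(r"[a-z0-9]{5,}")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def split_path(path: str):
    """Return (folder, stem), lower-cased. Doubled separators such as the
    C:\\defender25.exe printed in the log collapse to a single backslash."""
    path = re.sub(r"\\+", r"\\", path).lower()
    folder, _, name = path.rpartition("\\")
    return folder, name.rsplit(".", 1)[0]


def inspect_entry(line: str) -> Optional[Finding]:
    """Return a Finding for an R/F/O entry that merits review, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, running-process list or blank line
    section = m.group("section")
    reasons = []
    if section in ALWAYS_REVIEW:
        reasons.append("persistence point rarely used by legitimate software")
    if "Unknown owner" in line:
        reasons.append("service has no recorded vendor")
    if "(no file)" in line:
        reasons.append("orphaned entry: target file is missing")
    for path in PATH_RE.findall(m.group("body")):
        folder, stem = split_path(path)
        in_system_folder = folder.endswith("system32") or folder.endswith("winnt")
        if re.fullmatch(r"[a-z]:", folder):
            reasons.append(f"{stem}: executable launched from the drive root")
        if "?" in folder or "?" in stem:
            reasons.append(f"{path}: name contains a character the log could not print")
        if stem in SYSTEM_BINARY_STEMS:
            if not folder.endswith("system32"):
                reasons.append(f"{stem}: core Windows binary name outside system32")
        elif (in_system_folder and stem not in KNOWN_GOOD_STEMS
              and RANDOM_STEM.fullmatch(stem)):
            reasons.append(f"{stem}: unrecognised name in a system folder")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run inspect_entry over every line and keep only the flagged ones."""
    return [f for f in map(inspect_entry, log_text.splitlines()) if f]


# Constructed sample: entries copied verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINNT\system32\x3cqp0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [Awre] "C:\PROGRA~1\COMMON~1\SSEMBL~1\spoolsv.exe" -vt yazr
O4 - HKCU\..\Run: [Uifnnnar] C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.section, finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Of the thirteen sample lines, the Compaq hotkey entry, the Radio toolbar and the Symantec DefWatch service come through clean and the other ten are listed with the reason they were picked, which matches the helper's selection above. The random-name rule is deliberately restricted to system folders, because short vendor names under Program Files (cpqek, hkss) would otherwise drown the list in noise.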
Also, open NotePad and copy the contents of the below "Quote" box:-
cd\
cd Docume~1
cd jdumas
cd Applic~1
rem ? is a one-character wildcard: the first character of this folder's name does not display in the log
dir ?ystem32 > C:\info1.txt
cd\
cd PROGRA~1
cd COMMON~1
rem Same for the Common Files folder whose short name starts with SSEMBL; * matches the rest of it
dir SSEMBL* > C:\info2.txt
cd\
copy info1.txt + info2.txt = info.txt
del info1.txt
del info2.txt
In NotePad, go to File Menu > Save As and type the filename as Test.bat and save the file in a convenient location. Exit from NotePad.
Double-click on this Test.bat file. A DOS-type window should open and close by itself. Next, there will be a text file named Info.txt in the C:\ drive. Copy the contents of this Info.txt file and post it in your next reply.
The Avenger takes a backup of deleted files. It will be in C:\Avenger\backup.zip. Can you upload that ZIP file with your next reply?
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
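The batch file above lists the two oddly named folders through their short 8.3 names, with `?` standing in for the one character of the folder name that does not display. As an added example (mine, not the helper's script), here is the same check done in Python in a way that names the offending character instead of only listing the folder: it walks a directory tree and reports every entry whose name contains a control, format or non-standard space character. It builds a throw-away tree with constructed names (a zero-width space and a no-break space, both labelled in the code) rather than touching a real profile, and it generalises the check from the two folders in the script to any tree.

```python
import os
import shutil
import tempfile
import unicodedata
from typing import List, Tuple


def hidden_chars(name: str) -> List[str]:
    """Code points in name that would not render: Unicode control and format
    characters (category C*) and any space-like character other than a plain
    space (category Z*), such as a no-break space."""
    codes = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat.startswith("C") or (cat.startswith("Z") and ch != " "):
            codes.append(f"U+{ord(ch):04X}")
    return codes


def scan_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (path, offending code points) for every file or
    folder whose own name contains a character that would not display."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            codes = hidden_chars(name)
            if codes:
                hits.append((os.path.join(dirpath, name), codes))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed stand-in for the profile folder in the thread: a 'ystem32'
    folder whose first character is a zero-width space (assumed here; the log
    only shows '?'), holding a file whose first character is a no-break
    space, next to an ordinary folder that must not be reported."""
    root = tempfile.mkdtemp(prefix="hjt_demo_")
    odd_dir = os.path.join(root, "Application Data", "\u200bystem32")
    os.makedirs(odd_dir)
    os.makedirs(os.path.join(root, "Application Data", "Microsoft"))
    with open(os.path.join(odd_dir, "\u00a0hkntfs.exe"), "w") as fh:
        fh.write("placeholder, not an executable")
    return root


def demo() -> List[Tuple[str, List[str]]]:
    """Build the tree, scan it, remove it again, and return the findings
    relative to the temporary root so the result is stable."""
    root = build_demo_tree()
    try:
        return [(os.path.relpath(path, root), codes)
                for path, codes in scan_tree(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, codes in demo():
        # repr() shows the invisible characters as escapes instead of hiding them
        print(f"{path!r}: {', '.join(codes)}")
```

Printing the path with `repr()` is the important habit: a plain `print` or a `dir` listing renders the zero-width space as nothing and the no-break space as an ordinary blank, which is exactly how such a folder passes for `system32` at a glance.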
Join Date: Jul 2005
Posts: 82
Solved Threads: 0
thanks swatkat......I tried my best to follow the instructions but I'm not sure the "avenger" piece ran correctly....still have issues on reboot....here are the logs.....I can't seem to figure out how to upload the avenger backup.zip file - can you provide some instructions or direct me to a help section? JD
1) HJT
Logfile of HijackThis v1.99.1
Scan saved at 9:10:36 AM, on 6/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productu...ntent/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\dnp8017ue.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
2) Avenger log
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Error: could not create zip file.
Error code: 1813
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\olqssomf
*******************
Script file located at: \??\C:\lcsbtnpp.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\defender25.exe deleted successfully.
File C:\WINNT\system32\twintqez.exe deleted successfully.
File c:\winnt\system32\psdsregj.exe deleted successfully.
File C:\WINNT\system32\mptft.exe deleted successfully.
File C:\WINNT\system32\ssec.exe deleted successfully.
File C:\WINNT\system32\tfthot.exe deleted successfully.
File C:\WINNT\system32\ssn6tuu.exe deleted successfully.
File C:\WINNT\system32\nr1rnqm8.exe deleted successfully.
File C:\WINNT\system32\wumxa.exe deleted successfully.
File C:\WINNT\system32\hpsckhm.exe deleted successfully.
File c:\winnt\system32\dwdsregt.exe deleted successfully.
File C:\WINNT\system32\ssn6tuu.exe not found!
Deletion of file C:\WINNT\system32\ssn6tuu.exe failed!
Could not process line:
C:\WINNT\system32\ssn6tuu.exe
Status: 0xc0000034
File C:\WINNT\system32\glutac.exe deleted successfully.
File C:\WINNT\system32\repairs303169590.dll not found!
Deletion of file C:\WINNT\system32\repairs303169590.dll failed!
Could not process line:
C:\WINNT\system32\repairs303169590.dll
Status: 0xc0000034
File C:\keyboard25.exe deleted successfully.
Folder C:\Program Files\NewDotNet not found!
Deletion of folder C:\Program Files\NewDotNet failed!
Could not process line:
C:\Program Files\NewDotNet
Status: 0xc0000034
Folder C:\Program Files\Network Monitor deleted successfully.
Folder C:\Program Files\webHancer deleted successfully.
Folder C:\Program Files\SurfSideKick 3 not found!
Deletion of folder C:\Program Files\SurfSideKick 3 failed!
Could not process line:
C:\Program Files\SurfSideKick 3
Status: 0xc0000034
Folder C:\PROGRAM FILES\COMMON FILES\owqr deleted successfully.
Folder C:\WINNT\YWltbmV0 deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
3) Into txt
Volume in drive C has no label.
Volume Serial Number is 84D9-4B76
Directory of C:\DOCUME~1\jdumas\APPLIC~1
06/03/2006 09:34a <DIR> ?ystem32
0 File(s) 0 bytes
1 Dir(s) 2,675,716,096 bytes free
Volume in drive C has no label.
Volume Serial Number is 84D9-4B76
Directory of C:\PROGRA~1\COMMON~1
06/03/2006 09:34a <DIR> ?ssembly
0 File(s) 0 bytes
1 Dir(s) 2,675,716,096 bytes free
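A check worth running on the pair of logs above, added here as an example (it is not a tool from the thread, nor from the Avenger or HijackThis authors): the Avenger log reports glutac.exe, mptft.exe, ssn6tuu.exe, wumxa.exe, hpsckhm.exe and the YWltbmV0 folder as deleted, yet the HijackThis log taken afterwards still lists the F2 Shell/UserInit values, the O4 Run entries and the cmdService service that point at them. Deleting a file does not remove the registry entry that launches it, so those entries persist until they are fixed in HijackThis, and an entry whose target is gone is still a useful clue to what was installed. The script parses both logs (the sample lines are constructed from the posted logs, abridged) and lists every autostart entry that still references something Avenger removed; the bare-name match is there because UserInit lists hpsckhm.exe without a path.

```python
"""Cross-reference an Avenger deletion log with a later HijackThis log.

Added example, not part of the thread. Files Avenger removes are often still
named by registry autostart entries (F2 Shell/UserInit, O4 Run, O20 Winlogon
Notify, O23 services); HijackThis keeps reporting them until the entries
themselves are fixed.
"""
import re

# Constructed sample, abridged from the Avenger log posted above.
AVENGER_LOG = r"""
File C:\WINNT\system32\mptft.exe deleted successfully.
File C:\WINNT\system32\ssn6tuu.exe deleted successfully.
File C:\WINNT\system32\wumxa.exe deleted successfully.
File C:\WINNT\system32\hpsckhm.exe deleted successfully.
File C:\WINNT\system32\ssn6tuu.exe not found!
Deletion of file C:\WINNT\system32\ssn6tuu.exe failed!
File C:\WINNT\system32\glutac.exe deleted successfully.
Folder C:\WINNT\YWltbmV0 deleted successfully.
"""

# Constructed sample, abridged from the HijackThis log taken after Avenger ran.
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe (file missing)
"""

# "File <path> deleted successfully." / "Folder <path> deleted successfully."
DELETED_RE = re.compile(r"^(File|Folder) (.+?) deleted successfully\.$", re.I)
# Either an absolute path token or a bare executable name (UserInit has no path).
TOKEN_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+|\b[\w~-]+\.(?:exe|dll)\b', re.I)
# HijackThis sections that launch something at boot or logon.
AUTOSTART_SECTIONS = ("F2", "O4", "O20", "O23")


def parse_avenger_deleted(log):
    """Return (files, folders) Avenger reports as deleted, lower-cased for matching."""
    files, folders = set(), set()
    for line in log.splitlines():
        m = DELETED_RE.match(line.strip())
        if not m:
            continue  # "not found" / "failed" lines are not deletions
        target = folders if m.group(1).lower() == "folder" else files
        target.add(m.group(2).lower())
    return files, folders


def orphaned_entries(hjt_log, deleted_files, deleted_folders):
    """Autostart lines that still point at a deleted file or into a deleted folder.

    Returns a list of (section, matched_tokens, line).
    """
    deleted_names = {p.rsplit("\\", 1)[-1] for p in deleted_files}
    hits = []
    for line in hjt_log.splitlines():
        line = line.strip()
        if not line.startswith(AUTOSTART_SECTIONS):
            continue
        matched = []
        for token in TOKEN_RE.findall(line):
            t = token.lower()
            name = t.rsplit("\\", 1)[-1]
            in_deleted_dir = any(t.startswith(d + "\\") for d in deleted_folders)
            if t in deleted_files or name in deleted_names or in_deleted_dir:
                matched.append(token)
        if matched:
            hits.append((line.split(" - ", 1)[0], matched, line))
    return hits


if __name__ == "__main__":
    files, folders = parse_avenger_deleted(AVENGER_LOG)
    for section, matched, line in orphaned_entries(HJT_LOG, files, folders):
        print(f"{section}: still references {', '.join(matched)}")
        print("    " + line)
```

On the constructed sample this reports seven entries: both F2 lines, the four malicious O4 Run entries and the cmdService O23 service; the legitimate vptray and NavLogon lines are left alone. Those seven are exactly the entries a helper would tell the poster to fix in HijackThis now that the files behind them are gone.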
Join Date: May 2006
Posts: 55
Reputation:
Solved Threads: 4
I am sorry for the HiJack, but it seems that he is infected with qoologic. You might already know this, but an automatic fix has been released. I think the files have been deleted, but just to be on the safe side, and for further reference.
Download Brute Force Uninstaller to your C:\
Unzip it to a folder of its own (C:\BFU).
- BFU should be on your root. In most cases this is C:
- Download qoofix.bat (rightclick on this link and choose save as)
- Place qoofix.bat in your C:\BFU folder. (Important!)
- Doubleclick qooFix.bat, Close all browsers and explorer folders.
- Choose option 1 (Qoolfix autofix) and follow the prompts.
- Please be patient, it will take about five minutes.
- After the PC has restarted please post another hijackthis log.
Join Date: Jul 2005
Posts: 82
Reputation:
Solved Threads: 0
thanks Burton1.......I ran the fix per your instructions.....here's my latest HJT log......JD
Logfile of HijackThis v1.99.1
Scan saved at 11:18:33 AM, on 6/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productu...ntent/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\hrr8059ue.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
Hi,
Click My Computer, then C: \
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"
Please download Brute Force Uninstaller to your desktop.
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Save it in the same folder you made earlier (c:\BFU).
Do not run the Uninstaller and the Remover yet.
Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into Normal mode. Now, download
sidekickFix.bat (rightclick on that link and
choose save as)
- Place sidekickFix.bat in your C:\BFU folder (Important!).
- Close all browsers and explorer folders.
- Double-click on sidekickFix.bat
- Click Yes and follow the prompts, when prompted to restart
the PC please do so.
After carrying out the above two steps, delete these two folders. The "?" (question mark) in the folder name might appear as it is or as any other character. Please be careful while deleting the folders, because there may be other legitimate folders by that name. Before deleting, right-click on each of the folders and click "Properties". Now here, check the Date and Time of folder creation. If they match with the date and time given below, then delete the folders:
C:\DOCUMENTS AND SETTINGS\jdumas\APPLICATION DATA\?ystem32 --> Date: 06/03/2006 and Time: 09:34 AM
C:\PROGRAM FILES\COMMON FILES\?ssembly --> Date: 06/03/2006 and Time: 09:34 AM
Finally, please post a fresh HijackThis log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
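The folder check swatkat describes, written out as an added Python example (it is not from the thread): because the first character of the two folder names is unknown and may show as "?" or as anything else, the match is on "any single character followed by ystem32 or ssembly", and a folder is only reported when its creation time also matches 06/03/2006 09:34 AM. The directory tree is constructed in a temporary folder, with a Cyrillic letter standing in for the unknown character (an assumption); an ordinary "assembly" folder with an older timestamp is included to show that the timestamp, not the name alone, decides.

```python
"""Pick out the two suspect folders by name shape plus creation time.

Added example, not part of the thread. The unknown first character is matched
with "." so that "?ystem32", "system32" or any other spelling all qualify; the
creation timestamp then decides whether a folder is the one to delete.
"""
import os
import re
import tempfile
from datetime import datetime

# Name shapes from the thread: one unknown character, then the rest of the name.
SUSPECT_NAMES = [re.compile(r"^.ystem32$", re.I), re.compile(r"^.ssembly$", re.I)]
# Creation time given in the thread for both folders: 06/03/2006 09:34 AM (local time).
EXPECTED = datetime(2006, 6, 3, 9, 34)


def looks_suspicious(name):
    """True when the folder name fits one of the two shapes."""
    return any(p.match(name) for p in SUSPECT_NAMES)


def created_at(path):
    """Creation time as a local datetime (on Windows st_ctime, or st_birthtime
    where Python exposes it; on Linux st_ctime is the inode change time instead)."""
    st = os.stat(path)
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))


def modified_at(path):
    """Modification time; the demo uses this because it can only set mtime portably."""
    return datetime.fromtimestamp(os.stat(path).st_mtime)


def candidate_folders(parent, expected=EXPECTED, time_of=created_at, tolerance=60):
    """Folders under `parent` with a suspect name AND a timestamp within
    `tolerance` seconds of `expected` (Explorer shows minutes, so seconds may differ)."""
    found = []
    for name in os.listdir(parent):
        full = os.path.join(parent, name)
        if not os.path.isdir(full) or not looks_suspicious(name):
            continue
        if abs((time_of(full) - expected).total_seconds()) <= tolerance:
            found.append(full)
    return sorted(found)


def build_demo_tree(root):
    """Constructed stand-in for the two parent folders named in the thread.
    The Cyrillic letter is an assumption for the unknown first character."""
    appdata = os.path.join(root, "Application Data")
    common = os.path.join(root, "Common Files")
    layout = {
        os.path.join(appdata, "\u0455ystem32"): EXPECTED,                 # suspect, right time
        os.path.join(appdata, "Microsoft"): datetime(2005, 7, 1, 12, 0),  # ordinary folder
        os.path.join(common, "\u0455ssembly"): EXPECTED,                  # suspect, right time
        os.path.join(common, "assembly"): datetime(2004, 1, 15, 8, 0),    # same shape, older: keep
    }
    for path, when in layout.items():
        os.makedirs(path)
        ts = when.timestamp()
        os.utime(path, (ts, ts))
    return appdata, common


def run_demo():
    """Build the tree in a temp dir and return the flagged folder names per parent."""
    root = tempfile.mkdtemp()
    appdata, common = build_demo_tree(root)
    flagged = [candidate_folders(p, time_of=modified_at) for p in (appdata, common)]
    return tuple([os.path.basename(f) for f in group] for group in flagged)


if __name__ == "__main__":
    for names in run_demo():
        print("delete after confirming in Properties:", names)
```

On a real Windows 2000 box the call would be `candidate_folders(r"C:\Documents and Settings\jdumas\Application Data")` and the same for `C:\Program Files\Common Files`, using the default `created_at`; the demo swaps in `modified_at` only because a test can set mtime but not the creation time.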
Join Date: Jul 2005
Posts: 82
Reputation:
Solved Threads: 0
Hi swatkat.....I did the BFU again and the sidekick and deleted those folders.....here's my latest HJT scan.....thanks for the help
Logfile of HijackThis v1.99.1
Scan saved at 8:03:05 PM, on 6/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productu...ntent/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\g840lihm184a.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
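The entries a helper acts on in a log like the one above (the F2 Shell/UserInit lines carrying an extra executable, the O18 text/html filter DLL and the O20 Winlogon Notify DLL) can be picked out mechanically. The Python below is an added example, not code from this thread or from HijackThis; its sample lines are taken from the log above, and the rule set (anything beyond Explorer.exe/userinit.exe on an F2 line is a logon hijack; every O18 filter and O20 Notify DLL is reported for review) is this checker's own assumption, not a HijackThis feature.

```python
"""Triage the persistence-related lines of a HijackThis 1.99.x log.

Added example for this thread; not the thread's code and not part of
HijackThis. Rules encoded here (an assumption of this checker):
  * F2  Shell/UserInit: anything besides explorer.exe / userinit.exe is
        launched at every logon and is treated as a hijack.
  * O18 Filter: a MIME filter DLL is loaded into every IE page; report it.
  * O20 Winlogon Notify: the DLL is loaded by winlogon.exe; report it.
"""
import re

# Sample lines taken from the log posted above in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\g840lihm184a.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# The only values that belong on the two F2 lines of a clean Windows 2000/XP box.
EXPECTED_F2 = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O18_RE = re.compile(r"^O18 - Filter: (\S+) - \{[0-9A-F-]+\} - (.*)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$", re.I)


def basename(path):
    """Lower-cased file name of a Windows path; bare names pass through."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def f2_extras(key, value):
    """Executables on an F2 line that are not the expected one for that key."""
    expected = EXPECTED_F2[key.lower()]
    # A clean UserInit value ends in a trailing comma; the empty field is dropped.
    names = [basename(p) for p in value.split(",") if p.strip()]
    return [n for n in names if n not in expected]


def triage(log_text):
    """Return (section, finding, file) tuples for the lines worth acting on."""
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line)
        if m:
            extras = f2_extras(m.group(1), m.group(2))
            if extras:
                findings.append(("F2", f"{m.group(1)} hijack", ", ".join(extras)))
            continue
        m = O18_RE.match(line)
        if m:
            findings.append(("O18", f"{m.group(1)} filter", basename(m.group(2))))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append(("O20", f"Winlogon Notify '{m.group(1)}'", basename(m.group(2))))
    return findings


if __name__ == "__main__":
    for section, what, target in triage(SAMPLE_LOG):
        print(f"{section:<4}{what}: {target}")
```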
Hi,
Download WinPFind.ZIP and completely extract it to a folder.
We shall do an online scan at F-Secure. Please visit: F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then click "Install ActiveX component".
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
6. When done click "Show report" and copy/paste its contents into your next reply.
(The F-Secure scan works only in the Internet Explorer browser.)
After the scan, run WinPFind.exe and click "Start Scan". When the scan completes, click the "Copy to Clipboard" button to copy the log it gives, and please post it here along with the F-Secure scan log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
Hi swatkat,
I had a difficult time running F-Secure.....it aborted 3 times after hours of scanning and partial cleanings.....the pop-ups did quite a job getting in the way......finally got a completed session after the 4th time and many hours.....I've attached the F-Secure log file and WinFind log as well as another HJT...thanks for the help
1) F-Secure
Scanning Report
Tuesday, June 06, 2006 20:59:30 - 23:45:41
Computer name: A1WJDU
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 27 malware found
ABetterInternet.Nail (spyware)
System (Disinfected)
Adware.Look2Me (spyware)
System (Disinfected)
Adware.Yazzle (spyware)
System (Disinfected)
Alexa (spyware)
System (Disinfected)
CoolWebSearch (spyware)
System (Disinfected)
SearchFast (spyware)
System (Disinfected)
SurfSideKickBHO (spyware)
System (Disinfected)
Targetsaver (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
WebHancer (spyware)
System (Disinfected)
Win32.Trojan.Downloader (spyware)
System (Disinfected)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 20428
System: 9413
Not scanned: 5
Actions:
Disinfected: 12
Renamed: 0
Deleted: 0
None: 15
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINNT\SYSTEM32\F4L00E3MEH.DLL
C:\WINNT\SYSTEM32\I806LIDS1806.DLL
C:\WINNT\SYSTEM32\NOLSAPI.DLL
C:\WINNT\SYSTEM32\CONFIG\DEFAULT
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-06-06
F-Secure Libra: 2.4.1, 2006-06-06
F-Secure Orion: 1.2.37, 2006-06-05
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-00-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
--------------------------------------------------------------------------------
2) WinFind Log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 6/5/2006 8:32:30 AM 24296 C:\WINNT\icont.exe
Checking %System% folder...
WinShutDown 6/5/2006 7:43:14 PM R S 233695 C:\WINNT\SYSTEM32\ddvenum.dll
ad-w-a-r-e.com 6/5/2006 7:43:14 PM R S 233695 C:\WINNT\SYSTEM32\ddvenum.dll
WinShutDown 6/4/2006 10:29:22 PM R S 237232 C:\WINNT\SYSTEM32\dSdim700.dll
ad-w-a-r-e.com 6/4/2006 10:29:22 PM R S 237232 C:\WINNT\SYSTEM32\dSdim700.dll
WinShutDown 6/5/2006 8:02:28 AM R S 236486 C:\WINNT\SYSTEM32\jtns0757e.dll
ad-w-a-r-e.com 6/5/2006 8:02:28 AM R S 236486 C:\WINNT\SYSTEM32\jtns0757e.dll
WinShutDown 6/6/2006 11:17:26 AM R S 236910 C:\WINNT\SYSTEM32\jtrs0797e.dll
ad-w-a-r-e.com 6/6/2006 11:17:26 AM R S 236910 C:\WINNT\SYSTEM32\jtrs0797e.dll
WinShutDown 6/5/2006 7:55:30 PM R S 234743 C:\WINNT\SYSTEM32\kddsw.dll
ad-w-a-r-e.com 6/5/2006 7:55:30 PM R S 234743 C:\WINNT\SYSTEM32\kddsw.dll
WinShutDown 6/6/2006 9:34:28 AM R S 235708 C:\WINNT\SYSTEM32\kt8ml7l11.dll
ad-w-a-r-e.com 6/6/2006 9:34:28 AM R S 235708 C:\WINNT\SYSTEM32\kt8ml7l11.dll
PTech 7/12/2005 6:04:22 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.dll
WinShutDown 6/5/2006 8:14:48 AM R S 236932 C:\WINNT\SYSTEM32\mcxml3a.dll
ad-w-a-r-e.com 6/5/2006 8:14:48 AM R S 236932 C:\WINNT\SYSTEM32\mcxml3a.dll
WinShutDown 6/4/2006 10:52:56 PM R S 236486 C:\WINNT\SYSTEM32\mmiseq.dll
ad-w-a-r-e.com 6/4/2006 10:52:56 PM R S 236486 C:\WINNT\SYSTEM32\mmiseq.dll
WinShutDown 6/3/2006 11:59:56 AM R S 235384 C:\WINNT\SYSTEM32\mmnetobj.dll
ad-w-a-r-e.com 6/3/2006 11:59:56 AM R S 235384 C:\WINNT\SYSTEM32\mmnetobj.dll
PECompact2 1/4/2006 8:46:40 PM 2827616 C:\WINNT\SYSTEM32\MRT.exe
aspack 1/4/2006 8:46:40 PM 2827616 C:\WINNT\SYSTEM32\MRT.exe
WinShutDown 6/5/2006 7:58:28 AM R S 236486 C:\WINNT\SYSTEM32\myvcrt20.dll
ad-w-a-r-e.com 6/5/2006 7:58:28 AM R S 236486 C:\WINNT\SYSTEM32\myvcrt20.dll
WinShutDown 6/5/2006 9:03:42 AM R S 236932 C:\WINNT\SYSTEM32\nktcfgx.dll
ad-w-a-r-e.com 6/5/2006 9:03:42 AM R S 236932 C:\WINNT\SYSTEM32\nktcfgx.dll
WinShutDown 6/5/2006 4:42:10 PM R S 233695 C:\WINNT\SYSTEM32\nmtmsg.dll
ad-w-a-r-e.com 6/5/2006 4:42:10 PM R S 233695 C:\WINNT\SYSTEM32\nmtmsg.dll
WinShutDown 6/4/2006 10:43:16 PM R S 235384 C:\WINNT\SYSTEM32\osdbse32.dll
ad-w-a-r-e.com 6/4/2006 10:43:16 PM R S 235384 C:\WINNT\SYSTEM32\osdbse32.dll
WinShutDown 6/5/2006 11:09:44 AM R S 236932 C:\WINNT\SYSTEM32\q2pslc771f.dll
ad-w-a-r-e.com 6/5/2006 11:09:44 AM R S 236932 C:\WINNT\SYSTEM32\q2pslc771f.dll
Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
WinShutDown 6/3/2006 12:06:34 PM R S 235384 C:\WINNT\SYSTEM32\rUsgtwy.dll
ad-w-a-r-e.com 6/3/2006 12:06:34 PM R S 235384 C:\WINNT\SYSTEM32\rUsgtwy.dll
winsync 12/7/1999 8:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
WinShutDown 6/6/2006 8:56:22 PM 234052 C:\WINNT\SYSTEM32\__delete_on_reboot__guard.tmp
ad-w-a-r-e.com 6/6/2006 8:56:22 PM 234052 C:\WINNT\SYSTEM32\__delete_on_reboot__guard.tmp
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/2/2006 10:21:00 PM S 183296 C:\WINNT\NDNuninstall7_22.exe
6/5/2006 8:08:42 PM H 922666 C:\WINNT\ShellIconCache
6/5/2006 4:13:08 PM S 64 C:\WINNT\CSC\00000001
6/5/2006 9:02:30 AM S 64 C:\WINNT\CSC\00000002
6/5/2006 8:14:20 AM S 64 C:\WINNT\CSC\csc1.tmp
6/5/2006 7:43:14 PM R S 233695 C:\WINNT\system32\ddvenum.dll
6/4/2006 10:29:22 PM R S 237232 C:\WINNT\system32\dSdim700.dll
6/6/2006 6:36:34 PM R S 236113 C:\WINNT\system32\f4l00e3meh.dll
6/5/2006 8:02:28 AM R S 236486 C:\WINNT\system32\jtns0757e.dll
6/6/2006 11:17:26 AM R S 236910 C:\WINNT\system32\jtrs0797e.dll
6/5/2006 7:55:30 PM R S 234743 C:\WINNT\system32\kddsw.dll
6/6/2006 9:34:28 AM R S 235708 C:\WINNT\system32\kt8ml7l11.dll
6/6/2006 11:55:28 PM R S 233906 C:\WINNT\system32\ktjol7131.dll
6/5/2006 8:14:48 AM R S 236932 C:\WINNT\system32\mcxml3a.dll
6/4/2006 10:52:56 PM R S 236486 C:\WINNT\system32\mmiseq.dll
6/3/2006 11:59:56 AM R S 235384 C:\WINNT\system32\mmnetobj.dll
6/5/2006 7:58:28 AM R S 236486 C:\WINNT\system32\myvcrt20.dll
6/5/2006 9:03:42 AM R S 236932 C:\WINNT\system32\nktcfgx.dll
6/5/2006 4:42:10 PM R S 233695 C:\WINNT\system32\nmtmsg.dll
6/4/2006 10:43:16 PM R S 235384 C:\WINNT\system32\osdbse32.dll
6/5/2006 11:09:44 AM R S 236932 C:\WINNT\system32\q2pslc771f.dll
6/6/2006 11:55:32 PM R S 236113 C:\WINNT\system32\ruaenh.dll
6/3/2006 12:06:34 PM R S 235384 C:\WINNT\system32\rUsgtwy.dll
6/6/2006 11:58:24 PM H 1024 C:\WINNT\system32\config\default.LOG
6/5/2006 4:42:10 PM H 1024 C:\WINNT\system32\config\SAM.LOG
6/7/2006 12:05:38 AM H 1024 C:\WINNT\system32\config\SECURITY.LOG
6/7/2006 12:02:18 AM H 1024 C:\WINNT\system32\config\software.LOG
6/6/2006 11:55:30 PM H 6 C:\WINNT\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 12/7/1999 8:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
10/1/2001 9:47:18 AM 483328 C:\WINNT\SYSTEM32\cpqIKey.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 60688 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Intel Corporation 5/13/2002 3:02:04 AM 671744 C:\WINNT\SYSTEM32\PROSetp.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
9/7/2005 10:22:18 AM 640 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA521 Configuration Utility.lnk
8/30/2005 11:40:26 AM 1572 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/6/2005 2:47:10 PM 1397 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
10/25/2005 5:30:02 PM 1397 C:\Documents and Settings\jdumas\Start Menu\Programs\Startup\HotSync Manager.lnk
Checking files in %USERPROFILE%\Application Data folder...
1/23/2006 5:32:10 PM 38514 C:\Documents and Settings\jdumas\Application Data\Microsoft Excel.ADR
6/3/2006 9:40:12 AM 67 C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{452E18F7-77D5-4204-9E0A-8A9DD101170B} = C:\WINNT\system32\ruaenh.dll
{342D4634-B971-4F65-B297-21AC58D66D5B} = C:\WINNT\system32\nmtmsg.dll
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINNT\system32\dmonwv.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
cpqek C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
Promon.exe Promon.exe
NGClient C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
hkss C:\Program Files\Compaq\Hotkey Software\hkss.exe
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Logitech Utility Logi_MwX.Exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
fcylaa C:\WINNT\system32\glutac.exe reg_run
ftexc C:\WINNT\system32\mptft.exe
Hhl7RfpJ "C:\WINNT\system32\ssn6tuu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
cygnb C:\WINNT\system32\glutac.exe reg_run
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage
= C:\WINNT\system32\f4l00e3meh.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/7/2006 12:08:09 AM
3) HJT
Logfile of HijackThis v1.99.1
Scan saved at 12:15:59 AM, on 6/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productu...ntent/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\f4l00e3meh.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
I had a difficult time running F-Secure.....it abort 3 times after hours of scanning. and parial cleanings.....the pop-ups did quite a job getting in the way......finally got a completed session after the 4th time and many hours.....I've attached the F-Secure log file and WinFind log as well as another HJT...thanks for the help
1) F-Secure
Scanning Report
Tuesday, June 06, 2006 20:59:30 - 23:45:41
Computer name: A1WJDU
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 27 malware found
ABetterInternet.Nail (spyware)
System (Disinfected)
Adware.Look2Me (spyware)
System (Disinfected)
Adware.Yazzle (spyware)
System (Disinfected)
Alexa (spyware)
System (Disinfected)
CoolWebSearch (spyware)
System (Disinfected)
SearchFast (spyware)
System (Disinfected)
SurfSideKickBHO (spyware)
System (Disinfected)
Targetsaver (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
WebHancer (spyware)
System (Disinfected)
Win32.Trojan.Downloader (spyware)
System (Disinfected)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 20428
System: 9413
Not scanned: 5
Actions:
Disinfected: 12
Renamed: 0
Deleted: 0
None: 15
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINNT\SYSTEM32\F4L00E3MEH.DLL
C:\WINNT\SYSTEM32\I806LIDS1806.DLL
C:\WINNT\SYSTEM32\NOLSAPI.DLL
C:\WINNT\SYSTEM32\CONFIG\DEFAULT
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-06-06
F-Secure Libra: 2.4.1, 2006-06-06
F-Secure Orion: 1.2.37, 2006-06-05
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-00-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
--------------------------------------------------------------------------------
Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
2) WinFind Log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 6/5/2006 8:32:30 AM 24296 C:\WINNT\icont.exe
Checking %System% folder...
WinShutDown 6/5/2006 7:43:14 PM R S 233695 C:\WINNT\SYSTEM32\ddvenum.dll
ad-w-a-r-e.com 6/5/2006 7:43:14 PM R S 233695 C:\WINNT\SYSTEM32\ddvenum.dll
WinShutDown 6/4/2006 10:29:22 PM R S 237232 C:\WINNT\SYSTEM32\dSdim700.dll
ad-w-a-r-e.com 6/4/2006 10:29:22 PM R S 237232 C:\WINNT\SYSTEM32\dSdim700.dll
WinShutDown 6/5/2006 8:02:28 AM R S 236486 C:\WINNT\SYSTEM32\jtns0757e.dll
ad-w-a-r-e.com 6/5/2006 8:02:28 AM R S 236486 C:\WINNT\SYSTEM32\jtns0757e.dll
WinShutDown 6/6/2006 11:17:26 AM R S 236910 C:\WINNT\SYSTEM32\jtrs0797e.dll
ad-w-a-r-e.com 6/6/2006 11:17:26 AM R S 236910 C:\WINNT\SYSTEM32\jtrs0797e.dll
WinShutDown 6/5/2006 7:55:30 PM R S 234743 C:\WINNT\SYSTEM32\kddsw.dll
ad-w-a-r-e.com 6/5/2006 7:55:30 PM R S 234743 C:\WINNT\SYSTEM32\kddsw.dll
WinShutDown 6/6/2006 9:34:28 AM R S 235708 C:\WINNT\SYSTEM32\kt8ml7l11.dll
ad-w-a-r-e.com 6/6/2006 9:34:28 AM R S 235708 C:\WINNT\SYSTEM32\kt8ml7l11.dll
PTech 7/12/2005 6:04:22 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.dll
WinShutDown 6/5/2006 8:14:48 AM R S 236932 C:\WINNT\SYSTEM32\mcxml3a.dll
ad-w-a-r-e.com 6/5/2006 8:14:48 AM R S 236932 C:\WINNT\SYSTEM32\mcxml3a.dll
WinShutDown 6/4/2006 10:52:56 PM R S 236486 C:\WINNT\SYSTEM32\mmiseq.dll
ad-w-a-r-e.com 6/4/2006 10:52:56 PM R S 236486 C:\WINNT\SYSTEM32\mmiseq.dll
WinShutDown 6/3/2006 11:59:56 AM R S 235384 C:\WINNT\SYSTEM32\mmnetobj.dll
ad-w-a-r-e.com 6/3/2006 11:59:56 AM R S 235384 C:\WINNT\SYSTEM32\mmnetobj.dll
PECompact2 1/4/2006 8:46:40 PM 2827616 C:\WINNT\SYSTEM32\MRT.exe
aspack 1/4/2006 8:46:40 PM 2827616 C:\WINNT\SYSTEM32\MRT.exe
WinShutDown 6/5/2006 7:58:28 AM R S 236486 C:\WINNT\SYSTEM32\myvcrt20.dll
ad-w-a-r-e.com 6/5/2006 7:58:28 AM R S 236486 C:\WINNT\SYSTEM32\myvcrt20.dll
WinShutDown 6/5/2006 9:03:42 AM R S 236932 C:\WINNT\SYSTEM32\nktcfgx.dll
ad-w-a-r-e.com 6/5/2006 9:03:42 AM R S 236932 C:\WINNT\SYSTEM32\nktcfgx.dll
WinShutDown 6/5/2006 4:42:10 PM R S 233695 C:\WINNT\SYSTEM32\nmtmsg.dll
ad-w-a-r-e.com 6/5/2006 4:42:10 PM R S 233695 C:\WINNT\SYSTEM32\nmtmsg.dll
WinShutDown 6/4/2006 10:43:16 PM R S 235384 C:\WINNT\SYSTEM32\osdbse32.dll
ad-w-a-r-e.com 6/4/2006 10:43:16 PM R S 235384 C:\WINNT\SYSTEM32\osdbse32.dll
WinShutDown 6/5/2006 11:09:44 AM R S 236932 C:\WINNT\SYSTEM32\q2pslc771f.dll
ad-w-a-r-e.com 6/5/2006 11:09:44 AM R S 236932 C:\WINNT\SYSTEM32\q2pslc771f.dll
Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
WinShutDown 6/3/2006 12:06:34 PM R S 235384 C:\WINNT\SYSTEM32\rUsgtwy.dll
ad-w-a-r-e.com 6/3/2006 12:06:34 PM R S 235384 C:\WINNT\SYSTEM32\rUsgtwy.dll
winsync 12/7/1999 8:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
WinShutDown 6/6/2006 8:56:22 PM 234052 C:\WINNT\SYSTEM32\__delete_on_reboot__guard.tmp
ad-w-a-r-e.com 6/6/2006 8:56:22 PM 234052 C:\WINNT\SYSTEM32\__delete_on_reboot__guard.tmp
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/2/2006 10:21:00 PM S 183296 C:\WINNT\NDNuninstall7_22.exe
6/5/2006 8:08:42 PM H 922666 C:\WINNT\ShellIconCache
6/5/2006 4:13:08 PM S 64 C:\WINNT\CSC\00000001
6/5/2006 9:02:30 AM S 64 C:\WINNT\CSC\00000002
6/5/2006 8:14:20 AM S 64 C:\WINNT\CSC\csc1.tmp
6/5/2006 7:43:14 PM R S 233695 C:\WINNT\system32\ddvenum.dll
6/4/2006 10:29:22 PM R S 237232 C:\WINNT\system32\dSdim700.dll
6/6/2006 6:36:34 PM R S 236113 C:\WINNT\system32\f4l00e3meh.dll
6/5/2006 8:02:28 AM R S 236486 C:\WINNT\system32\jtns0757e.dll
6/6/2006 11:17:26 AM R S 236910 C:\WINNT\system32\jtrs0797e.dll
6/5/2006 7:55:30 PM R S 234743 C:\WINNT\system32\kddsw.dll
6/6/2006 9:34:28 AM R S 235708 C:\WINNT\system32\kt8ml7l11.dll
6/6/2006 11:55:28 PM R S 233906 C:\WINNT\system32\ktjol7131.dll
6/5/2006 8:14:48 AM R S 236932 C:\WINNT\system32\mcxml3a.dll
6/4/2006 10:52:56 PM R S 236486 C:\WINNT\system32\mmiseq.dll
6/3/2006 11:59:56 AM R S 235384 C:\WINNT\system32\mmnetobj.dll
6/5/2006 7:58:28 AM R S 236486 C:\WINNT\system32\myvcrt20.dll
6/5/2006 9:03:42 AM R S 236932 C:\WINNT\system32\nktcfgx.dll
6/5/2006 4:42:10 PM R S 233695 C:\WINNT\system32\nmtmsg.dll
6/4/2006 10:43:16 PM R S 235384 C:\WINNT\system32\osdbse32.dll
6/5/2006 11:09:44 AM R S 236932 C:\WINNT\system32\q2pslc771f.dll
6/6/2006 11:55:32 PM R S 236113 C:\WINNT\system32\ruaenh.dll
6/3/2006 12:06:34 PM R S 235384 C:\WINNT\system32\rUsgtwy.dll
6/6/2006 11:58:24 PM H 1024 C:\WINNT\system32\config\default.LOG
6/5/2006 4:42:10 PM H 1024 C:\WINNT\system32\config\SAM.LOG
6/7/2006 12:05:38 AM H 1024 C:\WINNT\system32\config\SECURITY.LOG
6/7/2006 12:02:18 AM H 1024 C:\WINNT\system32\config\software.LOG
6/6/2006 11:55:30 PM H 6 C:\WINNT\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 12/7/1999 8:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
10/1/2001 9:47:18 AM 483328 C:\WINNT\SYSTEM32\cpqIKey.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 60688 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Intel Corporation 5/13/2002 3:02:04 AM 671744 C:\WINNT\SYSTEM32\PROSetp.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 12/7/1999 8:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 12/7/1999 8:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
9/7/2005 10:22:18 AM 640 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA521 Configuration Utility.lnk
8/30/2005 11:40:26 AM 1572 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/6/2005 2:47:10 PM 1397 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
10/25/2005 5:30:02 PM 1397 C:\Documents and Settings\jdumas\Start Menu\Programs\Startup\HotSync Manager.lnk
Checking files in %USERPROFILE%\Application Data folder...
1/23/2006 5:32:10 PM 38514 C:\Documents and Settings\jdumas\Application Data\Microsoft Excel.ADR
6/3/2006 9:40:12 AM 67 C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{452E18F7-77D5-4204-9E0A-8A9DD101170B} = C:\WINNT\system32\ruaenh.dll
{342D4634-B971-4F65-B297-21AC58D66D5B} = C:\WINNT\system32\nmtmsg.dll
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINNT\system32\dmonwv.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
cpqek C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
Promon.exe Promon.exe
NGClient C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
hkss C:\Program Files\Compaq\Hotkey Software\hkss.exe
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Logitech Utility Logi_MwX.Exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
fcylaa C:\WINNT\system32\glutac.exe reg_run
ftexc C:\WINNT\system32\mptft.exe
Hhl7RfpJ "C:\WINNT\system32\ssn6tuu.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
cygnb C:\WINNT\system32\glutac.exe reg_run
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage
= C:\WINNT\system32\f4l00e3meh.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/7/2006 12:08:09 AM
3) HJT
Logfile of HijackThis v1.99.1
Scan saved at 12:15:59 AM, on 6/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productu...ntent/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\f4l00e3meh.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
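Added example, not part of JD's post or of any helper's reply: a small Python triage script that reads lines in the HijackThis format shown above and flags the entries a responder would look at first. The sample input is a subset of the O4/O20/O23 lines copied from the log; the rules (a Run entry launching a file that sits directly in system32, random-looking file names, one binary registered under several Run values, a Winlogon Notify DLL with a random-looking name, a service with no vendor string) are generic red flags of my own choosing, and a hit means "verify this", not "this is malware".

```python
import re
from collections import Counter

# Constructed sample input: a subset of the O4/O20/O23 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\f4l00e3meh.dll
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in .exe/.dll; spaces are allowed inside the path.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll))", re.IGNORECASE)
# A file sitting directly in %SystemRoot%\system32 (no subdirectory below it).
SYSTEM32_ROOT_RE = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\system32\\[^\\]+$", re.IGNORECASE)
VOWELS = set("aeiou")


def parse_entry(line):
    """Split one HJT line into section code, body, and the first binary path it names."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0] if path else None
    return {"section": section, "body": body, "path": path, "stem": stem}


def looks_random(stem):
    """Crude name test (my heuristic): letters mixed with digits, or 5+ letters with no vowel."""
    if not stem:
        return False
    s = stem.lower()
    if any(c.isdigit() for c in s) and any(c.isalpha() for c in s):
        return True
    letters = [c for c in s if c.isalpha()]
    return len(letters) >= 5 and not (set(letters) & VOWELS)


def triage(lines):
    """Return one finding per entry that trips at least one heuristic."""
    entries = [e for e in (parse_entry(ln) for ln in lines) if e]
    # How many Run values point at the same binary: a dropper often registers
    # itself under both HKLM and HKCU with different value names.
    run_targets = Counter(
        e["path"].lower() for e in entries if e["section"] == "O4" and e["path"]
    )
    findings = []
    for e in entries:
        section, path, stem = e["section"], e["path"], e["stem"]
        reasons = []
        if section == "O4" and path:
            if SYSTEM32_ROOT_RE.match(path):
                reasons.append("Run entry launches a file sitting directly in system32")
            if looks_random(stem):
                reasons.append("random-looking file name")
            if run_targets[path.lower()] > 1:
                reasons.append("same binary registered under more than one Run value")
        elif section == "O20" and path and looks_random(stem):
            reasons.append("Winlogon Notify DLL with a random-looking name")
        elif section == "O23" and "Unknown owner" in e["body"]:
            # Name tests are too noisy for services (Intel's NMSSvc.exe would
            # trip the no-vowel rule), so rely on the missing vendor string.
            reasons.append("service with no vendor string; verify the publisher")
        if reasons:
            findings.append({"section": section, "path": path, "body": e["body"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['section']:4} {f['path'] or f['body']}")
        for r in f["reasons"]:
            print(f"       - {r}")
```

Run it against a full saved log with `triage(open("hijackthis.log").read().splitlines())`. On the sample lines it flags both glutac.exe entries, mptft.exe, ssn6tuu.exe, the f4l00e3meh.dll Winlogon Notify entry and the hibserv.exe service, and leaves hkss.exe, vptray.exe and NMSSvc.exe alone; the flagged items are the ones to check against the vendor, file dates and a second opinion scanner before anything gets fixed.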