0

I pasted all of the HijackThis report but I don't know if you can read it. I can't get my Internet Explorer to download a single thing. I get a message that IE can't find the file or the file doesn't exist. If someone could make heads or tails of this, I'm crossing my fingers. Thanks




NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!
Key:
• "Y" - Normally leave to run at start-up
• "N" - Not required - typically infrequently used tasks that can be started manually if necessary
• "U" - User's choice - depends whether a user deems it necessary
• "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
• "?" - Unknown



Startup Name Process Name Details
X
system32.exe
Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field

Y !1_pgaccount
pgaccount.exe
DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instant of pgaccount.exe for every active account on your system, and this is essential for PG to work properly
Y !1_ProcessGuard_Startup
procguard.exe
DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks
N !NoLoad
winrecon.exe
WinRecon - surveillance software that creates records of everything people do on a computer, ie, spying or monitoring depending upon how you call it
? $EnterNet
Enternet.exe
Connection manager for the EnterNet ISP. You can also use RASPPOE

X $WindowsRegKey%update
IEXPLORE.EXE
Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer (iexplore.exe) process, which should not appear in Msconfig/Startup unless you add it manually!
N %cmpmixtitle%
%cmpmixstr%
Possibly related to C-Media Mixer Control panel?
? %FP%012-L2TP fts.exe
fts.exe
012.Net ISP software - what does it do and is it required?
? %FP%012-L2TP FWPortal.exe
FWPortal.exe
012.Net ISP software - what does it do and is it required?
? %FP%1776 Internet fts.exe
fts.exe
1776 Internet ISP software - what does it do and is it required?
? %FP%1776 Internet FWPortal.exe
FWPortal.exe
1776 Internet ISP software - what does it do and is it required?
? %FP%Barak013 fts.exe
fts.exe
Barak013 ISP software - what does it do and is it required?
? %FP%Barak013 FWPortal.exe
FWPortal.exe
Barak013 ISP software - what does it do and is it required?
? %FP%Friendly fts.exe
fts.exe
Friendly ISP software - what does it do and is it required?
X (*)API Machine
winSOCKS.exe
Homepage hijacker, see here (* = any digit)

X (*)Run
win32API.exe
Homepage hijacker, see here (* = any digit)

X (Default)
media_driver.exe
Added by the TUPEG VIRUS!

X (Default)
Shania.vbs
Added by the SHANIA TROJAN!

X (Default)
NOTEPAD.exe
Added by the RUSTY WORM! Note - not to be confused with the valid Windows "NOTEPAD" text editor

X (default)
[random filename].exe
Added by the BLACKMAL WORM!

X (default)
twunk_32.exe
Added by the BLACKMAL.C WORM!

X (default)
winhelp.exe
Added by the BLACKMAL.C WORM!

X (L4r1$$4) (4nt1) (V1ruz)
SP00Lsv32.pif
Added by the ASSIRAL.B WORM!

X *JanisRuckenbrodII
janis.com
Added by the POPS WORM!

Y *StateMgr
statemgr.exe
Windows ME default for System Restore. Do NOT disable!
X *windows update
wrauclt.exe
Added by the RBOT-QU WORM!

X *windows update
wuanclt.exe
Added by the RBOT-PG WORM!

X *windows update
wuaucrlt.exe
Added by the SPYBOT.HUR WORM!

X *windows update
wuraclt.exe
Added by the RBOT-PO WORM!

X *windows update
wurauclt.exe
Added by the RBOT-SY WORM!

X *windows update
wsctl.exe
Added by the SPYBOT.PR WORM!

X *WinLogon
[trojan path] ren time:[random number]
Added by the VUNDO TROJAN!

X ,main drive Loader
wininfo.exe
Suspected malware as it appears in 3 different registry locations - see here

X .mscdr
lassa.exe
Added by the WEBUS.C TROJAN!

X .mscdr
lsvchost.exe
Added by the WEBUS.D TROJAN!

X .mssecure
mssecure.exe
Added by the DDOS_BOXED.X TROJAN!

? .NET config
sysmon32.exe
??
X .norton
rchost.exe
Added by a variant of the BOXED-A TROJAN!

X .Prog
services.exe
Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process, which should not appear in Msconfig/Startup!
X .Prog
winlogon.exe
Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup!

X .TEXTCONV
csrss.exe
Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup!

X .TEXTCONV
lsass.exe
Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup!

X .WMAudio
csrss.exe
Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup!

X .WMAudio
lsass.exe
Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup!

N /l:eng
N/A
Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. A patch is available - filename R75304.EXE - that fixes the issue. You can find that file at support.dell.com by typing that name in the 'Search' box available there. It addresses the root of the problem in Creative's software and corrects it. Unfortunately there is no direct link to the file, but it's easily available using the search function
X 000hpdllhos
hpdllhost.exe
LZIO.com adware downloader

U 000StTHK
000StTHK.exe
Toshiba Hot key functionality for the function keys (Fn-Esc, Fn-F1 (lock), Fn-F2, Fn-F3, Fn-F4, Fn-F5 (switching between laptop and CRT display output), etc...)
U 00THotkey
00THotKey.exe
For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev.
U 0190 Warner
WARN0190.EXE
Anti-dialer program (Germany)

U 0900 Warner
WARN0900.EXE
Anti-dialer program (Germany)

X 123456
rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl
Added by the KITRO.C (or DANDI.A) WORM! 123456 can be any random 3 to 6 digit number
U 12Ghosts Popup-Killer
12popup.exe
12Ghosts Popup-Killer

? 17779Proj2002
N/A
??
X 180adsolution
180adsolution.exe
180Solutions/N-Case adware variant

X 180ax
180ax.exe
180Solutions/N-Case adware variant

N 1:
hpdrv.exe
HP utility for monitoring when and how many recoveries have been done
N 1A:MacVisionTrayMonitor
TrayMonitor.exe
Comes with the MacVision program for monitoring tray icons (Note : program is by Stardock)
Y 1A:Stardock MCP
mcpserver.exe
Master Control Program for Stardock apps, in development. People should leave it running if they're using any of the Stardock applications
Y 1A:Stardock TrayMonitor
TrayServer.exe
For monitoring tray icons - if disabled icons will not be displayed in ObjectBar or DesktopX
? 1CmailS
NETMAIL.EXE
??
X 1on1
1on1.exe
Adult content dialler
U 1Srv32
SpyAgent4.exe
SpyTech SpyAgent monitoring software. "Spy software that allows you to monitor EVERYTHING users do on your PC."
U 1Win32Cfg
SpyBuddy.exe
SpyBuddy monitoring software

U 1Win32Cfg
Keyloggerpro.exe
KeyloggerPro - monitoring software

X 1WinCfg32
WebMailSpy.exe
WebMailSpy spyware

X 2020Downloader
mssvr.exe
2020Search Toolbar related. Reported to be auto-installed
X 2thousandbuck
[path to file]
Added by the RANKY.L TROJAN!

U 2wSysTray
2portalmon.exe
2Wire Homeportal user interface

X 32-bit Thunking service
thunk32.exe
Added by the DERDERO.A WORM!

? 39ELTFH25Z8SKF
Ezg1q5.exe
Seems to be associated with software by Resplendence SP ?

Y 3c1807pd
3cmlink.exe 3cpipe-3c1807pd
3Com WinModem driver. See here for more WinModem information

Y 3capplnk
3capplnk.exe
US Robotics Modem driver
N 3cdminic
3CDMINIC.EXE
3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards
? 3CM Link
3cmcnkw.exe
??
Y 3Cmlink
3CmlinkW.exe
For a US Robotics WinModem. Provides the link to Windows as the CPU does the processing on WinModems - won't work without it. See here for more WinModem information

N 3ComDMIAgent
3CDMINIC.EXE
3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards
Y 3cpipe-USRpdA
USRmlnkA.exe
Modem driver files from US Robotics
X 3D Text
3D Text.scr
Added by the JERMY.A WORM!

U 3Deep Control Panel
3DeepCTL.EXE
From LightSurf Technologies (nee E-Color) - 3Deep corrects lighting, shading and color for all your 2D and 3D games
X 3Dfx Acc
GFXACC.EXE
Added by the GIBE WORM!

N 3dfx Task Manager
3dfxMan.exe
System Tray application for 3dfx Voodoo 3/4/5 functions. Available via Start -> Programs
Y 3dfx Tools
3dfxCmn.dll
Updates the registry with information that can't be held for Voodoo 3/4/5 series graphics cards. Important for owners of these cards
Y 3dfxv2ps.dll
3dfxv2ps.dll
Updates the registry with info that can't be held for 3dfx Voodoo 2 video cards. Important for owners of these cards
? 3Dlabs Taskbar Display Manager
3DLman.exe
3DLabs graphics driver related. System Tray access to display settings?
U 3DLabsHelperDemon
3dldemon.exe
Directly from the programs author "It is a tiny program that is installed by the Permedia2/3 and probably other Oxygen-series cards. Normally it sits in the background doing nothing at all (sleeping on a semaphore), so it should take zero CPU time and virtually zero memory, since it will all be paged out to the hard drive." In most cases it can be safely disabled
U 3qdctl.exe
3qdctl.exe
Provided with Terratec 128i PCI and similar sound cards. Loads a sound profile at bootup, restoring volume and other audio settings to a pre-determined default. Similar to Creative Lab's AudioHQ
Y 3ware 3DM
3dm.exe
Monitors status of the disk array on 3ware IDE RAID controllers
X 4wd!!!
Natal!.pif
Added by the OPASERV.AI WORM!

X 5-1-61-96
members-area.exe
Adult content dialler
X 5-2-46-112
5-2-46-112.exe
Adult content pop-up dialler. Removal instructions here

X 666
Ska.exe
Added by the PIPES TROJAN!

X 9xHtProtect
AVprotect9x.exe
Added by the NETSKY.M WORM!

X ;Rundll
[filename]
Added by the PWSLEGMIR.E TROJAN!

X @
regedit -s ..win.dll
Added by the SEEKER.K TROJAN!

N @Hoc Toolbar
AtHoc.exe
One-click activated browsing toolbar used by various web-sites. See here for more info

N @loha
reminder.exe
Registration reminder for @loha@home E-mail utility

X @tour_ww
@tour_ww[1].exe
Adult content dialler
X a
a.exe
Commercials file that registers itself in the system registry and redirects IE to a certain commercial website
U a-squared
a2guard.exe
a-Squared antitrojan - can be run on demand but necessary in Startup if you prefer the a² 'Background Guard' real time protection feature
Y a-winpoet-service
winpppoverethernet.exe
WinPoET is the industry's first Windows-based PPP over Ethernet client. Developed by iVasion, WinPoET is attractive to equipment providers, modem suppliers, RBOCs and ISPs. For more info read here. It uses dial-up networking for new high-speed internet customers who are more familiar with analogue modems. If unchecked in MSCONFIG it reports Error 360 - Hardware Error in dial-up networking
U A1000 Settings Utility
cpqa1000.exe
Compaq A1000 Print Fax All-in-One copy scan printer software. Required in the Startup in order to scan, print, copy and fax. Only required if you use these features
U A4Proxy
A4Proxy.exe
Anonymity 4 Proxy - local proxy server that makes you anonymous when visiting web sites
? AAACLEAN
AAACLEAN.INF
??
? AAAKeyboard
??
??
N AAATraySaver
TraySaver.exe
System Tray management utility from Mike Lin which allows you to hide, show, restore icons that are lost in an Explorer crash, remove dead tray icons, minimize any window to the System Tray

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
Powered By Pac's Startup list



Copyright 2000-2005 I Am Not A Geek

6 Contributors, 89 Replies, 90 Views, 12 Years Discussion Span, Last Post by southernneonser
0

Let's skip the automated log analyser; it's honestly better for us to work from your original log.

Please do the following:

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

0

Man, let me tell you that I can't download anything. I get a message after it starts downloading that says IE cannot download the file because it can't locate it or the file doesn't exist. I found a website last night that ran HJT on my computer while I was there. I copied the results and posted them in the forum here. I recently tried to find that same website with no luck. Back to square one. How do I find a way to get HJT on my computer and scan it so that I can post it in the virus forum here? If you can email me the downloaded file, would I be able to open it and run it on my computer? Any suggestions welcome. Thanks

0

It sounds like you'll need to download HijackThis onto a different computer, copy it to a floppy, and install/run it on the infected computer that way.

Once the HJT scan is done, you'll need to save the logfile back to the floppy, take the floppy back to a computer with working Internet access, and post the log from there.

I have a copy of the current HJT program on my FTP site. If you need me to email it to you I can do that. Please don't post your email address in this thread though; send it to me privately via my email address or a PM.

0

Hey Dave, he had another thread going on this ( http://www.daniweb.com/techtalkforums/thread20949.html ), but couldn't download HJT; I tried to email it to him, but his Outlook Express wouldn't allow him to open it, saying it was a harmful file.

He doesn't have access to another computer to download to, so I suggested he post the above log so we could see what's going on (and it's not pretty!).

I'm open to some suggestions here; should we try to attack the bad files manually, email him some tools (if OE will even let him open them), or is it time for a reinstall?

0

I received another e-mail that had the HJT file attached. Again the message said, "Outlook has blocked the attachment because it is a potentially harmful file." Is this a virus that is aware of me trying to eliminate it and preventing any application that may do so? Still looking for a solution. I could reload all of my original disks that were loaded at first. The only problem with that is I really don't know how to back up files, delete, reload and all the must-nots or must-dos in the process. I wish we could come up with an easier way. I really appreciate the help. Thanks

0

I received another e-mail that had the HJT file attached. Again the message said, "Outlook has blocked the attachment because it is a potentially harmful file." Is this a virus that is aware of me trying to eliminate it and preventing any application that may do so? Still looking for a solution. I could reload all of my original disks that were loaded at first. The only problem with that is I really don't know how to back up files, delete, reload and all the must-nots or must-dos in the process. I wish we could come up with an easier way. I really appreciate the help. Thanks

Open Outlook /Tools /Options /Security and uncheck "do not allow attachments to be saved that could be harmful or a virus", then someone resend the files.

0

I'm waiting for the opinions of a couple of other mods here as to what the best direction to go would be. If a reinstall is deemed the best solution, we will help you with backing up and reloading.

If you had access to another computer where you could download some utilities, it would be very helpful... maybe a library or friend?

Edit -- what Caperjack said might work, I don't know much about OE.

0

I sent dlh6213 an address of a friend that will download hjt and save it to a floppy for me to run on my machine. Hopefully this will be the beginning of my computer recovery. Thanks

0

I went to Tools and then Options and then Security and every other spot there in Options and I did not see a single thing that even looked like a box for attachments to be accepted even if harmful. If there is another name for attachments I don't know it. I tried to go over everything that mentions IE and downloads that would let things go through.

0

I sent dlh6213 an address of a friend that will download hjt and save it to a floppy for me to run on my machine. Hopefully this will be the beginning of my computer recovery. Thanks

I tried sending it to her twice, and both times I got a message saying it couldn't be delivered because it was a bad address. Can you just have her download it for you and put it on a floppy? Here's the website:
http://www.spywareinfo.com/~merijn/

0

I went to Tools and then Options and then Security and every other spot there in Options and I did not see a single thing that even looked like a box for attachments to be accepted even if harmful. If there is another name for attachments I don't know it. I tried to go over everything that mentions IE and downloads that would let things go through.

Sorry, I'm using Outlook Express. Anyway, I have Outlook and there is nothing in Security like in Express, but in Tools, did you check Rules and see if you have something set in there to stop certain file types?

0

Man, I don't have any settings that I can find anywhere that would restrict any downloads or attachments. I got my friend to go to the web site you gave me. I helped her download the file and copy it to a disk. I ran it on my computer; the program I got is Xoftspy spyware remover. I finally ended up having to purchase the thing to be able to use it. Now I have to find some way to get the HJT file. Please let me know. Thanks

0

I already have Ad-Aware and Spybot and SpywareBlaster and now I have this one. I was trying to download HijackThis so I could get a picture of my system to post to the virus forum. I wasn't aware that I was downloading a program that I would have to purchase to use. I ran the program and I still have the problem. I guess I need to get HJT downloaded and posted.

0

I don't know how you got Xoftspy from the link I gave you, but try going here:
http://www.spywareinfo.com/~merijn/downloads.html
Scroll down to Official downloads, and then down to HijackThis. Choose any one of the seven sites listed to download it from.

Do you have any messenger services (like Yahoo, AIM, MSN, etc.)? We may be able to transfer the HJT file that way if you still can't get it onto a floppy.

0

I have Windows instant messenger. I also have a .NET Passport under southern neon service. If you would, please email me the HJT file one more time. At first I had my e-mail go directly to my ISP at bellsouth.net. Not long ago I started receiving my email through Microsoft Outlook. It still comes to bellsouth.net, but while in Outlook I must hit the Send & Receive button and my mail downloads to Outlook. If you will send me the HJT file again I will go directly to BellSouth internet services and open the mail there instead of opening it in Outlook. Being as Outlook is the one who blocked the attachment, I might be able to retrieve it this way. I don't know how you would send it through an IM service. Thanks

0

I received your e-mail and attempted to send HJT to a file. Not to my surprise I got the same message and was unable to download the hyperlink to a folder. What a bunch of crap. I e-mailed the letter to a friend and he is going to try to copy it to a disk. I can't download zilch. Thanks

0

Mr dlh6412, I sent the e-mail with the HJT hyperlink to my son-in-law to download and save to a disk for me. He was unable to download it also because his system said it was a harmful file or something like that. I wonder if my machine has a virus in the e-mail and his machine detected it, or if our machines both have some type of security rule that prohibits that type of file? I really don't know what to do. You can send him the HJT link if you think that will do it. I would really like to get this issue over with and I appreciate all of you guys' patience and support. Please let me know the next move. Thanks

0

I tried to download this file and got a message that said internet was unable to locate the file or it was unavailable, the same message I get when trying to download any file. I have no clue how to turn it into an exe file. If someone else e-mails it to me I still can't download it. ??????????

0

When I right-click on it and try to save it on my desktop it starts to download and then up pops the same message. I tried to do a system restore back to March 12th, the day I installed Spybot Search and Destroy. It still did the same thing. I installed SecureIE about that time and that software really screwed me up. At first it wouldn't install any updates because it couldn't find the temporary files that store them. Then my computer started getting real slow. Then it tried to take over every function I have on my computer. Every time I would try to open anything, SecureIE would try to start. I wrote Winferno about it and they refunded my money, but I have yet to delete the entire content of places the program hid itself. I have Service Pack two and I think that might have something to do with my problem. I need to figure this out somehow. Maybe I should just delete everything and start over. I don't want to do that. I know some of you computer geniuses can figure this out. I appreciate anyone's help. Thanks

0

Unless you are living in some remote area, it shouldn't really be that hard to go to another computer and download HijackThis and a few other programs to fix your problems.
You say you went back to March 12; did you try going back further?

0

I have never tried it but I guess you are suggesting that I log on to my e-mail from someone else's machine and download the programs to a disk and then run them on my machine. I do live in a remote area when it comes to borrowing someone's computer. I guess I could go to the library sometime tomorrow. Man, I don't know how to think logically when it comes to computers. I didn't see a way to restore back past March 12. I tried to click the back arrow on the left side of the March calendar and it wouldn't do a thing. I tried several times. If you have the magic secret please let me know. Maybe if I restore back to the first of Feb it would work. Thanks

0

Hi, I mean to go to another computer and download the program from the net, not through your email. Just go to www.google.com and search hijack this. Download it and copy it to disk!
As for your restore, if you can go to Feb, then try that.

0

I tried to go back to Feb on the system restore but it would only go back to March. I wonder why it won't go back any farther? I'll try to find a computer to download the HJT from.

0

Logfile of HijackThis v1.98.2
Scan saved at 5:15:29 PM, on 4/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winferno\SIEPIE\SIEPulse.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\My Documents\c.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = zilla
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = zilla
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zillafind.com/getPageResults.do?doProcessing=true&query=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: ZILLAbar BHO - {2F19BBE7-D050-4C39-829E-C2F9E15C90F0} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - (no file)
O2 - BHO: (no name) - {4FF56F7F-C145-509C-DE02-65550DD82014} - C:\WINDOWS\System32\puk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ZILLAbar - {8FC8AE66-AC15-4C0D-9E9A-51296A0C52FA} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SIE2004] "C:\Program Files\Winferno\SIEPIE\SIEPulse.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Versato] C:\Program Files\MagicKey\MagicKey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Idue] C:\Documents and Settings\Administrator\Application Data\umbs.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Private IE - {644B7837-F1E9-4dba-853C-7E304F51968B} - "C:\Program Files\Winferno\SIEPIE\PrivateIE.exe" (file missing)
O9 - Extra button: (no name) - {B9030549-F0EA-40a7-8E3C-62A9FB0812D0} - "C:\Program Files\Winferno\SIEPIE\PrivateIE.exe" (file missing)
O9 - Extra 'Tools' menuitem: Private IE - {B9030549-F0EA-40a7-8E3C-62A9FB0812D0} - "C:\Program Files\Winferno\SIEPIE\PrivateIE.exe" (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.computercops.biz
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
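
An added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over a log in the format posted above. The sample log is constructed, and the flag names and heuristics are assumptions that mark entries for a closer look, not verdicts.

```python
import re

# Constructed sample in the HijackThis 1.98 log layout (section code, " - ", body).
# Paths, names and CLSIDs are placeholders, not taken from any real machine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\User\My Documents\example.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\System32\example.dll (file missing)
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\agent.exe"
O4 - HKCU\..\Run: [Example] C:\Documents and Settings\User\Application Data\example.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # e.g. "O4 - HKLM\..\Run: ..."
USER_PROFILE = re.compile(r"\\Documents and Settings\\", re.I)  # XP-era profile root
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*(127\.|localhost)", re.I)
DANGLING = re.compile(r"\((file missing|no file)\)", re.I)


def parse(log):
    """Split a log into (running process paths, [(section code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            # The process list ends at a blank line or at the first coded entry.
            if line and not ENTRY.match(line):
                processes.append(line)
                continue
            in_procs = False
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(log):
    """Return (flag, section, text) tuples for entries worth a closer look.

    Heuristics (assumptions of this example):
      - a process or autostart (O4) entry running from a user profile directory
      - a registry entry whose target file is missing
      - IE pointed at a proxy on the local machine
      - IE settings locked by policy (O6)
    """
    processes, entries = parse(log)
    findings = []
    for path in processes:
        if USER_PROFILE.search(path):
            findings.append(("process-in-user-profile", "proc", path))
    for code, body in entries:
        if DANGLING.search(body):
            findings.append(("dangling-reference", code, body))
        if code.startswith("R") and LOOPBACK_PROXY.search(body):
            findings.append(("loopback-proxy", code, body))
        if code == "O4" and USER_PROFILE.search(body):
            findings.append(("autostart-in-user-profile", code, body))
        if code == "O6":
            findings.append(("ie-policy-restriction", code, body))
    return findings


if __name__ == "__main__":
    for flag, section, text in triage(SAMPLE_LOG):
        print(f"[{flag}] {section}: {text}")
```

Each flag only narrows where to look first; a dangling entry is often a leftover from an uninstalled program, and a loopback proxy can belong to a legitimate local filter.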

0

I was able to get HJT on a disk from another machine today. I ran it on my machine and saved the log. I posted the log on the virus forum and I hope I did the right thing. I hope you guys can figure this one out. It's been a mind-wrenching thing. Thanks

0

Hang in there. It looks like you posted your log in a new thread; let me find that post and merge it in to this one.
