
Hi again... now I got my laptop infected... my daughter went to iconator.com and something nasty got on the laptop :sad: ... here's my HJT log... scanned with ewido before running the log... thanks for the help... JD

Logfile of HijackThis v1.99.1
Scan saved at 12:40:18 PM, on 6/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\YWltbmV0\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\defender25.exe
C:\WINNT\system32\twintqez.exe
c:\winnt\system32\psdsregj.exe
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\ssec.exe
C:\WINNT\system32\tfthot.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\PROGRA~1\COMMON~1\SSEMBL~1\spoolsv.exe
C:\PROGRA~1\COMMON~1\owqr\owqrm.exe
C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
C:\PROGRA~1\COMMON~1\owqr\owqra.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hpsckhm.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINNT\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [{94-4B-B7-76-ZN}] c:\winnt\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\twintqez.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [Awre] "C:\PROGRA~1\COMMON~1\SSEMBL~1\spoolsv.exe" -vt yazr
O4 - HKCU\..\Run: [owqr] C:\PROGRA~1\COMMON~1\owqr\owqrm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Uifnnnar] C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Zeno.lnk = C:\WINNT\system32\twintqez.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\e2jmlc111f.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe

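For readers working through a log like the one above, here is an added example, written for this edit and not code from the thread or from HijackThis, that applies to the entry types in this log the same structural checks a helper applies by eye: the extra programs on the system.ini Shell= and UserInit= lines, Run values that live in the drive root or under the user profile, a Run value named after a system DLL (ntdll.dll), a populated AppInit_DLLs, an unrecognised Winlogon Notify package, the text/html MIME filter, the New.Net LSP hijack, and a service with no publisher. It also base64-decodes folder names along each path: the cmdService folder YWltbmV0 decodes to "aimnet", which happens to match the first label of the O17 domain corp.aimnetsolutions.net (an observation from the two log lines, not proof of a connection). The sample lines are copied from the log above; the NavLogon allow-list and the heuristics are the editor's assumptions about this machine.

```python
"""Triage a HijackThis v1.99 log for persistence entries worth a second look.

Added example for this thread; it is not part of any post and not HijackThis
code. The sample lines are copied from the first log above. The allow-list
and the heuristics are the editor's assumptions about this machine, not rules
HijackThis applies itself.
"""
import base64
import re

# Constructed sample: verbatim lines from the first log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hpsckhm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\glutac.exe reg_run
O4 - HKCU\..\Run: [Uifnnnar] C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\e2jmlc111f.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Assumption: the only Winlogon Notify DLL expected on this box is Symantec's
# NavLogon.dll; every other notify package gets flagged for review.
NOTIFY_ALLOW = {"navlogon.dll"}

# First drive-letter path in a payload, up to the first .exe/.dll (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
B64_COMPONENT = re.compile(r"^[A-Za-z0-9+/]{8,}$")


def extract_path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else ""


def looks_base64_word(component):
    """Return the decoded text if a path component is base64 for printable ASCII
    (YWltbmV0 -> 'aimnet'), else None. Ordinary folder names almost never decode cleanly."""
    if not B64_COMPONENT.match(component) or len(component) % 4:
        return None
    try:
        decoded = base64.b64decode(component, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def triage_line(line):
    """Reasons one HijackThis entry deserves attention; empty list means nothing flagged."""
    reasons = []
    kind, _, payload = line.strip().partition(" - ")
    path = extract_path(payload)
    comps = [c for c in path.split("\\") if c]

    if kind == "F2":
        # system.ini Shell= / UserInit= normally name exactly one program each.
        key, _, value = payload.partition("=")
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if len(entries) > 1:
            reasons.append(f"{key.split()[-1]} also loads {entries[1:]}")
    elif kind == "O4":
        name = re.search(r"\[(.*?)\]", payload)
        if name and name.group(1).lower().endswith(".dll"):
            reasons.append("Run value named like a system DLL")
        if len(comps) == 2:
            reasons.append("autorun binary sitting in the drive root")
        if "application data" in path.lower():
            reasons.append("autorun binary under the user profile")
    elif kind == "O10":
        reasons.append("Winsock LSP chain hijacked")
    elif kind == "O18" and payload.startswith("Filter:"):
        reasons.append("MIME filter intercepts content IE renders")
    elif kind == "O20":
        what, _, rest = payload.partition(": ")
        if what == "AppInit_DLLs" and rest.strip():
            reasons.append("AppInit_DLLs injects into every user32 process")
        elif what == "Winlogon Notify" and comps and comps[-1].lower() not in NOTIFY_ALLOW:
            reasons.append("unrecognised Winlogon Notify package (runs as SYSTEM at logon)")
    elif kind == "O23" and "Unknown owner" in payload:
        reasons.append("service with no publisher")

    # Checks that apply to every entry type: odd characters and encoded folder names.
    if any(ch == "?" or ord(ch) > 127 for ch in path):
        reasons.append("path contains a non-ASCII or unprintable character")
    for comp in comps:
        word = looks_base64_word(comp)
        if word:
            reasons.append(f"folder name {comp!r} is base64 for {word!r}")
    return reasons


def triage(log_text):
    """(line, reasons) for every flagged entry, in log order."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            reasons = triage_line(line)
            if reasons:
                out.append((line.strip(), reasons))
    return out


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("   ->", r)
```

Run it as a script to print the flagged entries; clean entries such as vptray.exe, DefWatch.exe and NavLogon.dll produce nothing. The checks are deliberately about where a binary lives and how many programs a key loads rather than about file names, so they keep working against the random names this infection uses (twintqez.exe, ssn6tuu.exe, e2jmlc111f.dll).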

Hi,
Download WinSockXPFix and extract the ZIP file contents to a folder. Do not run the program now!

Download The Avenger by Swandog46 to your Desktop. Do not run it now!


Uninstall this software from Add/Remove Programs in Control Panel:-
WebHancer
SurfSideKick
PurityScan
NewDotNet
or New.Net


Run HijackThis and click Do a System scan only. Then put a check mark in front of the entries listed below:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,hpsckhm.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINNT\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [{94-4B-B7-76-ZN}] c:\winnt\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\twintqez.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [Awre] "C:\PROGRA~1\COMMON~1\SSEMBL~1\spoolsv.exe" -vt yazr
O4 - HKCU\..\Run: [owqr] C:\PROGRA~1\COMMON~1\owqr\owqrm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Uifnnnar] C:\Documents and Settings\jdumas\Application Data\?ystem32\?hkntfs.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\twintqez.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\e2jmlc111f.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop.

  • Copy the text quoted below (which is a script for Avenger) into your clipboard by highlighting it and pressing the Ctrl+C keys:-

Files to delete:
C:\defender25.exe
C:\WINNT\system32\twintqez.exe
c:\winnt\system32\psdsregj.exe
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\ssec.exe
C:\WINNT\system32\tfthot.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\WINNT\system32\wumxa.exe
C:\WINNT\system32\hpsckhm.exe
c:\winnt\system32\dwdsregt.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\glutac.exe
C:\WINNT\system32\repairs303169590.dll
C:\keyboard25.exe

Folders to delete:
C:\Program Files\NewDotNet
C:\Program Files\Network Monitor
C:\Program Files\webHancer
C:\Program Files\SurfSideKick 3
C:\PROGRAM FILES\COMMON FILES\owqr
C:\WINNT\YWltbmV0

  • Now, run The Avenger program by double clicking its icon on your Desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to the clipboard into this window by pressing the Ctrl+V keys.
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Run WinSockXPFix.exe and click "Reg Backup" to back up the Registry first. After this, click the "Fix" button and follow the instructions given by the tool.


Next, download Dr.Web CureIT!. Run it and click "OK" when it asks you to start a memory scan. Allow it to complete the memory scan. After it completes, select all the hard disk drives (like C:\, D:\ etc.) by clicking on the drive letters that are displayed in the central part of Dr.Web CureIT!. Next, click the button which resembles the "Play" icon to start the scan.


After this, run HijackThis again to get a new log. Please post back this new HijackThis log along with the Avenger log.


Also, open NotePad and copy the contents of the below "Quote" box:-

rem List the odd "?ystem32" folder under the user's Application Data (? matches any single character)
cd\
cd Docume~1
cd jdumas
cd Applic~1
dir ?ystem32 > C:\info1.txt
rem List the odd "?ssembly" folder under Common Files by its short name SSEMBL~1, as seen in the log
cd\
cd PROGRA~1
cd COMMON~1
dir SSEMBL* > C:\info2.txt
rem Join both listings into C:\info.txt and remove the two pieces
cd\
copy info1.txt + info2.txt = info.txt
del info1.txt
del info2.txt

In NotePad, go to File Menu > Save As and type the filename as Test.bat and save the file in a convenient location. Exit from NotePad.

Double-click on this Test.bat file. A DOS type window should open and close by itself. Next, there will be a text file named Info.txt in C:\ drive. Copy the contents of this Info.txt file and post it in your next reply.


The Avenger takes a backup of deleted files. It will be in C:\Avenger\backup.zip. Can you upload that ZIP file with your next reply?


thanks swatkat... I tried my best to follow the instructions but I'm not sure the "avenger" piece ran correctly... still have issues on reboot... here are the logs... I can't seem to figure out how to upload the avenger backup.zip file - can you provide some instructions or direct me to a help section? JD

1) HJT

Logfile of HijackThis v1.99.1
Scan saved at 9:10:36 AM, on 6/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\dnp8017ue.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe

2) Avenger log

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Error:  could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\olqssomf

*******************

Script file located at: \??\C:\lcsbtnpp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\defender25.exe deleted successfully.
File C:\WINNT\system32\twintqez.exe deleted successfully.
File c:\winnt\system32\psdsregj.exe deleted successfully.
File C:\WINNT\system32\mptft.exe deleted successfully.
File C:\WINNT\system32\ssec.exe deleted successfully.
File C:\WINNT\system32\tfthot.exe deleted successfully.
File C:\WINNT\system32\ssn6tuu.exe deleted successfully.
File C:\WINNT\system32\nr1rnqm8.exe deleted successfully.
File C:\WINNT\system32\wumxa.exe deleted successfully.
File C:\WINNT\system32\hpsckhm.exe deleted successfully.
File c:\winnt\system32\dwdsregt.exe deleted successfully.


File C:\WINNT\system32\ssn6tuu.exe not found!
Deletion of file C:\WINNT\system32\ssn6tuu.exe failed!

Could not process line:
C:\WINNT\system32\ssn6tuu.exe
Status: 0xc0000034

File C:\WINNT\system32\glutac.exe deleted successfully.


File C:\WINNT\system32\repairs303169590.dll not found!
Deletion of file C:\WINNT\system32\repairs303169590.dll failed!

Could not process line:
C:\WINNT\system32\repairs303169590.dll
Status: 0xc0000034

File C:\keyboard25.exe deleted successfully.


Folder C:\Program Files\NewDotNet not found!
Deletion of folder C:\Program Files\NewDotNet failed!

Could not process line:
C:\Program Files\NewDotNet
Status: 0xc0000034

Folder C:\Program Files\Network Monitor deleted successfully.
Folder C:\Program Files\webHancer deleted successfully.


Folder C:\Program Files\SurfSideKick 3 not found!
Deletion of folder C:\Program Files\SurfSideKick 3 failed!

Could not process line:
C:\Program Files\SurfSideKick 3
Status: 0xc0000034

Folder C:\PROGRAM FILES\COMMON FILES\owqr deleted successfully.
Folder C:\WINNT\YWltbmV0 deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

3) Info.txt

 Volume in drive C has no label.
 Volume Serial Number is 84D9-4B76

 Directory of C:\DOCUME~1\jdumas\APPLIC~1

06/03/2006  09:34a      <DIR>          ?ystem32
               0 File(s)              0 bytes
               1 Dir(s)   2,675,716,096 bytes free
 Volume in drive C has no label.
 Volume Serial Number is 84D9-4B76

 Directory of C:\PROGRA~1\COMMON~1

06/03/2006  09:34a      <DIR>          ?ssembly
               0 File(s)              0 bytes
               1 Dir(s)   2,675,716,096 bytes free



I am sorry for the HiJack, but it seems that he is infected with qoologic. You might already know this, but an automatic fix has been released. I think the files have been deleted, but just to be on the safe side, and for further reference.

Download Brute Force Uninstaller to your C:\
Unzip it to a folder of its own (C:\BFU).

  • BFU should be on your root. In most cases this is C:\
  • Download qoofix.bat (right-click on this link and choose Save As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat. Close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another HijackThis log.

thanks Burton1... I ran the fix per your instructions... here's my latest HJT log... JD

Logfile of HijackThis v1.99.1
Scan saved at 11:18:33 AM, on 6/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\hrr8059ue.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe


Hi,
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: )" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).


Do not run the Uninstaller and the Remover yet.

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.


Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


Reboot into Normal mode. Now, download
sidekickFix.bat (right-click on that link and
choose save as)

  • Place sidekickFix.bat in your C:\BFU folder (Important!).
  • Close all browsers and explorer folders.
  • Double-click on sidekickFix.bat
  • Click Yes and follow the prompts, when prompted to restart
    the PC please do so.

After carrying out the above two steps, delete these two folders. The "?" (question mark) in the folder name might appear as it is or as any other character. Please be careful while deleting the folders, because there may be other legitimate folders by that name. Before deleting, right-click on each of the folders and click "Properties". Now check the Date and Time of folder creation. If they match the date and time given below, then delete the folders:-

C:\DOCUMENTS AND SETTINGS\jdumas\APPLICATION DATA\?ystem32 --> Date: 06/03/2006 and Time: 09:34 AM

C:\PROGRAM FILES\COMMON FILES\?ssembly --> Date: 06/03/2006 and Time: 09:34 AM

Finally, please post a fresh HijackThis log.


Hi swatkat.....I did the BFU again and the sidekick and deleted those folders.....here's my latest HJT scan.....thanks for the help

Logfile of HijackThis v1.99.1
Scan saved at 8:03:05 PM, on 6/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\g840lihm184a.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe

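The helpers in this thread compare each fresh HijackThis log against the last one and zero in on a few entry types: extra programs on the Shell= and UserInit= lines, the text/html filter, services with no vendor or a missing binary, and randomly named files in system32. As an added example (not code from the thread, from the helpers, or from the HijackThis authors), the Python script below parses HJT entries, diffs the first and second logs posted above, and flags those entry types; the sample log text is constructed from the entries quoted above, and the heuristic names (looks_generated, review_reason, triage) are my own.

```python
"""Parse HijackThis (HJT) logs, diff two scans and flag entries worth a human look."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    kind: str  # HJT section code such as "F2", "O4", "O20"
    body: str  # the text after "<code> - "


# HJT entries look like "O20 - Winlogon Notify: URL - C:\...\x.dll".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First Windows path with an executable/library extension in an entry body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cpl)', re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Return the entries of an HJT log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (removed, added) relative to the earlier log."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(old - new), sorted(new - old)


def looks_generated(stem: str) -> bool:
    """Heuristic (mine, not HJT's): stems mixing letters and digits, like
    hrr8059ue or g840lihm184a in this thread, are typical of dropped files."""
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def review_reason(e: Entry) -> Optional[str]:
    """Why an entry deserves review, or None if nothing stands out."""
    if e.kind == "F2":
        # system.ini Shell= should be exactly Explorer.exe; UserInit= one program.
        key, _, value = e.body.partition("=")
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        if key.rstrip().endswith("Shell") and parts != ["explorer.exe"]:
            return "extra program appended to Shell="
        if key.rstrip().endswith("UserInit") and len(parts) != 1:
            return "extra program appended to UserInit="
    if e.kind == "O18":
        return "MIME filter on text/html: every web page passes through this DLL"
    if "(file missing)" in e.body or "Unknown owner" in e.body:
        return "service with no vendor or a missing binary"
    m = PATH_RE.search(e.body)
    if m and "\\system32\\" in m.group(0).lower():
        stem = m.group(0).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_generated(stem):
            return f"generated-looking filename in system32: {stem}"
    return None


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair each flagged entry with its first matching reason."""
    return [(e, r) for e in entries for r in [review_reason(e)] if r]


# Constructed samples: the lines are copied from the first and second logs in
# this thread (only the entries quoted there; the first log's O4 lines are not).
BEFORE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe

O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\hrr8059ue.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\YWltbmV0\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

AFTER_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\wumxa.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\g840lihm184a.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print("gone   :", e.kind, "-", e.body)
    for e in added:
        print("new    :", e.kind, "-", e.body)
    for e, why in triage(parse_hjt(AFTER_LOG)):
        print("review :", e.kind, "-", why)
```

The filename heuristic is deliberately narrow (letters mixed with digits) so vendor files such as NavLogon.dll and DefWatch.exe pass, and it is a prompt for a human look, not a verdict.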

Hi,
Download WinPFind.ZIP and completely extract it to a folder.

We shall do an online scan at F-Secure. Please visit: F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then Click Install ActiveX component.
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
6. When done click "Show report" and copy/paste its contents into your next reply.

(F-Secure scan works only in Internet Explorer browser)


After the scan run WinPFind.exe and click "Start Scan". When the scan completes, click the "Copy to Clipboard" button to copy the log it gives, and please post it here along with the F-Secure scan log.


Hi swatkat,

I had a difficult time running F-Secure.....it aborted 3 times after hours of scanning and partial cleanings.....the pop-ups did quite a job getting in the way......finally got a completed session after the 4th time and many hours.....I've attached the F-Secure log file and WinFind log as well as another HJT...thanks for the help

1) F-Secure


Scanning Report
Tuesday, June 06, 2006 20:59:30 - 23:45:41
Computer name: A1WJDU
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\



--------------------------------------------------------------------------------


Result: 27 malware found
ABetterInternet.Nail (spyware)
System (Disinfected)
Adware.Look2Me (spyware)
System (Disinfected)
Adware.Yazzle (spyware)
System (Disinfected)
Alexa (spyware)
System (Disinfected)
CoolWebSearch (spyware)
System (Disinfected)
SearchFast (spyware)
System (Disinfected)
SurfSideKickBHO (spyware)
System (Disinfected)
Targetsaver (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
WebHancer (spyware)
System (Disinfected)
Win32.Trojan.Downloader (spyware)
System (Disinfected)


--------------------------------------------------------------------------------


Statistics
Scanned:
Files: 20428
System: 9413
Not scanned: 5
Actions:
Disinfected: 12
Renamed: 0
Deleted: 0
None: 15
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINNT\SYSTEM32\F4L00E3MEH.DLL
C:\WINNT\SYSTEM32\I806LIDS1806.DLL
C:\WINNT\SYSTEM32\NOLSAPI.DLL
C:\WINNT\SYSTEM32\CONFIG\DEFAULT


--------------------------------------------------------------------------------


Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-06-06
F-Secure Libra: 2.4.1, 2006-06-06
F-Secure Orion: 1.2.37, 2006-06-05
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-00-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics


--------------------------------------------------------------------------------




2) WinFind Log:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.


If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000    Current Build: Service Pack 4    Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...
UPX!                 6/5/2006 8:32:30 AM         24296      C:\WINNT\icont.exe


Checking %System% folder...
WinShutDown          6/5/2006 7:43:14 PM     R S 233695     C:\WINNT\SYSTEM32\ddvenum.dll
ad-w-a-r-e.com       6/5/2006 7:43:14 PM     R S 233695     C:\WINNT\SYSTEM32\ddvenum.dll
WinShutDown          6/4/2006 10:29:22 PM    R S 237232     C:\WINNT\SYSTEM32\dSdim700.dll
ad-w-a-r-e.com       6/4/2006 10:29:22 PM    R S 237232     C:\WINNT\SYSTEM32\dSdim700.dll
WinShutDown          6/5/2006 8:02:28 AM     R S 236486     C:\WINNT\SYSTEM32\jtns0757e.dll
ad-w-a-r-e.com       6/5/2006 8:02:28 AM     R S 236486     C:\WINNT\SYSTEM32\jtns0757e.dll
WinShutDown          6/6/2006 11:17:26 AM    R S 236910     C:\WINNT\SYSTEM32\jtrs0797e.dll
ad-w-a-r-e.com       6/6/2006 11:17:26 AM    R S 236910     C:\WINNT\SYSTEM32\jtrs0797e.dll
WinShutDown          6/5/2006 7:55:30 PM     R S 234743     C:\WINNT\SYSTEM32\kddsw.dll
ad-w-a-r-e.com       6/5/2006 7:55:30 PM     R S 234743     C:\WINNT\SYSTEM32\kddsw.dll
WinShutDown          6/6/2006 9:34:28 AM     R S 235708     C:\WINNT\SYSTEM32\kt8ml7l11.dll
ad-w-a-r-e.com       6/6/2006 9:34:28 AM     R S 235708     C:\WINNT\SYSTEM32\kt8ml7l11.dll
PTech                7/12/2005 6:04:22 PM        520456     C:\WINNT\SYSTEM32\LegitCheckControl.dll
WinShutDown          6/5/2006 8:14:48 AM     R S 236932     C:\WINNT\SYSTEM32\mcxml3a.dll
ad-w-a-r-e.com       6/5/2006 8:14:48 AM     R S 236932     C:\WINNT\SYSTEM32\mcxml3a.dll
WinShutDown          6/4/2006 10:52:56 PM    R S 236486     C:\WINNT\SYSTEM32\mmiseq.dll
ad-w-a-r-e.com       6/4/2006 10:52:56 PM    R S 236486     C:\WINNT\SYSTEM32\mmiseq.dll
WinShutDown          6/3/2006 11:59:56 AM    R S 235384     C:\WINNT\SYSTEM32\mmnetobj.dll
ad-w-a-r-e.com       6/3/2006 11:59:56 AM    R S 235384     C:\WINNT\SYSTEM32\mmnetobj.dll
PECompact2           1/4/2006 8:46:40 PM         2827616    C:\WINNT\SYSTEM32\MRT.exe
aspack               1/4/2006 8:46:40 PM         2827616    C:\WINNT\SYSTEM32\MRT.exe
WinShutDown          6/5/2006 7:58:28 AM     R S 236486     C:\WINNT\SYSTEM32\myvcrt20.dll
ad-w-a-r-e.com       6/5/2006 7:58:28 AM     R S 236486     C:\WINNT\SYSTEM32\myvcrt20.dll
WinShutDown          6/5/2006 9:03:42 AM     R S 236932     C:\WINNT\SYSTEM32\nktcfgx.dll
ad-w-a-r-e.com       6/5/2006 9:03:42 AM     R S 236932     C:\WINNT\SYSTEM32\nktcfgx.dll
WinShutDown          6/5/2006 4:42:10 PM     R S 233695     C:\WINNT\SYSTEM32\nmtmsg.dll
ad-w-a-r-e.com       6/5/2006 4:42:10 PM     R S 233695     C:\WINNT\SYSTEM32\nmtmsg.dll
WinShutDown          6/4/2006 10:43:16 PM    R S 235384     C:\WINNT\SYSTEM32\osdbse32.dll
ad-w-a-r-e.com       6/4/2006 10:43:16 PM    R S 235384     C:\WINNT\SYSTEM32\osdbse32.dll
WinShutDown          6/5/2006 11:09:44 AM    R S 236932     C:\WINNT\SYSTEM32\q2pslc771f.dll
ad-w-a-r-e.com       6/5/2006 11:09:44 AM    R S 236932     C:\WINNT\SYSTEM32\q2pslc771f.dll
Umonitor             1/12/2005 12:39:46 PM       531216     C:\WINNT\SYSTEM32\RASDLG.DLL
WinShutDown          6/3/2006 12:06:34 PM    R S 235384     C:\WINNT\SYSTEM32\rUsgtwy.dll
ad-w-a-r-e.com       6/3/2006 12:06:34 PM    R S 235384     C:\WINNT\SYSTEM32\rUsgtwy.dll
winsync              12/7/1999 8:00:00 AM        1309184    C:\WINNT\SYSTEM32\wbdbase.deu
WinShutDown          6/6/2006 8:56:22 PM         234052     C:\WINNT\SYSTEM32\__delete_on_reboot__guard.tmp
ad-w-a-r-e.com       6/6/2006 8:56:22 PM         234052     C:\WINNT\SYSTEM32\__delete_on_reboot__guard.tmp


Checking %System%\Drivers folder and sub-folders...


Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/2/2006 10:21:00 PM      S 183296     C:\WINNT\NDNuninstall7_22.exe
6/5/2006 8:08:42 PM      H  922666     C:\WINNT\ShellIconCache
6/5/2006 4:13:08 PM       S 64         C:\WINNT\CSC\00000001
6/5/2006 9:02:30 AM       S 64         C:\WINNT\CSC\00000002
6/5/2006 8:14:20 AM       S 64         C:\WINNT\CSC\csc1.tmp
6/5/2006 7:43:14 PM     R S 233695     C:\WINNT\system32\ddvenum.dll
6/4/2006 10:29:22 PM    R S 237232     C:\WINNT\system32\dSdim700.dll
6/6/2006 6:36:34 PM     R S 236113     C:\WINNT\system32\f4l00e3meh.dll
6/5/2006 8:02:28 AM     R S 236486     C:\WINNT\system32\jtns0757e.dll
6/6/2006 11:17:26 AM    R S 236910     C:\WINNT\system32\jtrs0797e.dll
6/5/2006 7:55:30 PM     R S 234743     C:\WINNT\system32\kddsw.dll
6/6/2006 9:34:28 AM     R S 235708     C:\WINNT\system32\kt8ml7l11.dll
6/6/2006 11:55:28 PM    R S 233906     C:\WINNT\system32\ktjol7131.dll
6/5/2006 8:14:48 AM     R S 236932     C:\WINNT\system32\mcxml3a.dll
6/4/2006 10:52:56 PM    R S 236486     C:\WINNT\system32\mmiseq.dll
6/3/2006 11:59:56 AM    R S 235384     C:\WINNT\system32\mmnetobj.dll
6/5/2006 7:58:28 AM     R S 236486     C:\WINNT\system32\myvcrt20.dll
6/5/2006 9:03:42 AM     R S 236932     C:\WINNT\system32\nktcfgx.dll
6/5/2006 4:42:10 PM     R S 233695     C:\WINNT\system32\nmtmsg.dll
6/4/2006 10:43:16 PM    R S 235384     C:\WINNT\system32\osdbse32.dll
6/5/2006 11:09:44 AM    R S 236932     C:\WINNT\system32\q2pslc771f.dll
6/6/2006 11:55:32 PM    R S 236113     C:\WINNT\system32\ruaenh.dll
6/3/2006 12:06:34 PM    R S 235384     C:\WINNT\system32\rUsgtwy.dll
6/6/2006 11:58:24 PM     H  1024       C:\WINNT\system32\config\default.LOG
6/5/2006 4:42:10 PM      H  1024       C:\WINNT\system32\config\SAM.LOG
6/7/2006 12:05:38 AM     H  1024       C:\WINNT\system32\config\SECURITY.LOG
6/7/2006 12:02:18 AM     H  1024       C:\WINNT\system32\config\software.LOG
6/6/2006 11:55:30 PM     H  6          C:\WINNT\Tasks\SA.DAT


Checking for CPL files...
Microsoft Corporation          12/7/1999 8:00:00 AM        67344      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        301328     C:\WINNT\SYSTEM32\appwiz.cpl
10/1/2001 9:47:18 AM        483328     C:\WINNT\SYSTEM32\cpqIKey.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        237328     C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        31504      C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        128272     C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        118032     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        36112      C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        60688      C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        122128     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        303888     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        17168      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        41232      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        90896      C:\WINNT\SYSTEM32\powercfg.cpl
Intel Corporation              5/13/2002 3:02:04 AM        671744     C:\WINNT\SYSTEM32\PROSetp.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        83216      C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        125712     C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        5904       C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        61200      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          1/12/2005 12:40:00 PM       64784      C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation                9/23/1999 6:44:36 PM        94208      C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...
9/7/2005 10:22:18 AM        640        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA521 Configuration Utility.lnk
8/30/2005 11:40:26 AM       1572       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/6/2005 2:47:10 PM         1397       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk


Checking files in %ALLUSERSPROFILE%\Application Data folder...


Checking files in %USERPROFILE%\Startup folder...
10/25/2005 5:30:02 PM       1397       C:\Documents and Settings\jdumas\Start Menu\Programs\Startup\HotSync Manager.lnk


Checking files in %USERPROFILE%\Application Data folder...
1/23/2006 5:32:10 PM        38514      C:\Documents and Settings\jdumas\Application Data\Microsoft Excel.ADR
6/3/2006 9:40:12 AM         67         C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{452E18F7-77D5-4204-9E0A-8A9DD101170B}   = C:\WINNT\system32\ruaenh.dll
{342D4634-B971-4F65-B297-21AC58D66D5B}   = C:\WINNT\system32\nmtmsg.dll


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINNT\system32\dmonwv.dll


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467}   = &Radio   : C:\WINNT\System32\msdxm.ocx


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText   = Research :


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
cpqek   C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
Promon.exe  Promon.exe
NGClient    C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
hkss    C:\Program Files\Compaq\Hotkey Software\hkss.exe
vptray  C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Logitech Utility    Logi_MwX.Exe
MMTray  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
fcylaa  C:\WINNT\system32\glutac.exe reg_run
ftexc   C:\WINNT\system32\mptft.exe
Hhl7RfpJ    "C:\WINNT\system32\ssn6tuu.exe"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL   Installed = 1
MAPI    Installed = 1
MSFS    Installed = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
cygnb   C:\WINNT\system32\glutac.exe reg_run


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  149
CDRAutoRun  0



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray          {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
Shell       = Explorer.exe
System      =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage
= C:\WINNT\system32\f4l00e3meh.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/7/2006 12:08:09 AM



3) HJT



Logfile of HijackThis v1.99.1
Scan saved at 12:15:59 AM, on 6/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\f4l00e3meh.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe


0

Hi,
Download L2mfix from one of these links:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop. Double click l2mfix.exe. Click the Install button to extract the files and follow the prompts.

Close any other programs you have open since this step requires a reboot.

From the L2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter. If it asks for a password, type bye (in lowercase) and then press the Enter key. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If the log does not open after the reboot, double-click it in the l2mfix folder.

0

Hi swatkat,

Here you go....thanks...JD

1) L2MFIX log



L2mfix 051206
Creating Account.
The command completed successfully.



Adding Administrative privleges.
The command completed successfully.


Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX   ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*


zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (152 bytes security) (deflated 72%)



2) HJT scan



Logfile of HijackThis v1.99.1
Scan saved at 5:19:26 PM, on 6/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: Run - C:\WINNT\system32\ktjol7131.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe


0

Hi,
F-Secure's advanced scan system is still in Beta stages. So, that may be the reason for the problems associated with it!

Please download CCleaner and install it. Do not run it now!


Copy the quoted text below (which is a script for Avenger) to your clipboard by highlighting it and pressing the CTRL and C keys:-

Files to delete:
C:\WINNT\SYSTEM32\F4L00E3MEH.DLL
C:\WINNT\SYSTEM32\I806LIDS1806.DLL
C:\WINNT\SYSTEM32\NOLSAPI.DLL
C:\WINNT\system32\ddvenum.dll
C:\WINNT\system32\dSdim700.dll
C:\WINNT\system32\f4l00e3meh.dll
C:\WINNT\system32\jtns0757e.dll
C:\WINNT\system32\jtrs0797e.dll
C:\WINNT\system32\kddsw.dll
C:\WINNT\system32\kt8ml7l11.dll
C:\WINNT\system32\ktjol7131.dll
C:\WINNT\system32\mcxml3a.dll
C:\WINNT\system32\mmiseq.dll
C:\WINNT\system32\mmnetobj.dll
C:\WINNT\system32\myvcrt20.dll
C:\WINNT\system32\nktcfgx.dll
C:\WINNT\system32\nmtmsg.dll
C:\WINNT\system32\osdbse32.dll
C:\WINNT\system32\q2pslc771f.dll
C:\WINNT\system32\ruaenh.dll
C:\WINNT\system32\rUsgtwy.dll
C:\WINNT\SYSTEM32\__delete_on_reboot__guard.tmp
C:\WINNT\NDNuninstall7_22.exe
C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll
C:\WINNT\system32\dmonwv.dll
C:\WINNT\system32\glutac.exe
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\hpsckhm.exe
C:\WINNT\hpsckhm.exe

  • Now, run The Avenger program by double clicking its icon on your Desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing Ctrl V keys.
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

After this, reboot to Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 key. From the menu that is displayed, choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\f4l00e3meh.dll

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Now run CCleaner, click the "Options" button in the left pane of CCleaner. Here, click "Settings" and then click the "Advanced" button. Here, uncheck the options "Only delete files in Windows Temp folder older than 48 hours" and "Show prompt to backup registry issues". After unchecking them, click the "Issues" button in the left pane. Here, click "Scan for issues". It takes some time to scan. Once it finishes the scan, click "Fix selected issues". This opens up a new window; here click the "Fix all selected issues" button to remove all the detected issues. After this, click the "Cleaner" button in the left pane and click "Run Cleaner" to clean the temp files.


Run Ewido, click on the "Scanner" button in the left menu, then click on "Settings"; here select the option "Scan every file" and click "OK". Next, click the "Complete System Scan" button to start the scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log and Avenger log.

0
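As an added example (not part of this thread, and not code from HijackThis or any of the tools named above), the following Python script applies the same triage the reply above does by hand to the R0, F2, O4 and O20 lines of a HijackThis 1.99.x log: it flags redirected search providers, programs chained onto UserInit, Run values that launch unrecognised binaries from system32, and Winlogon Notify packages that Windows does not ship. The allowlists are assumptions constructed for the example, and the sample input is excerpted from the log posted earlier in the thread.

```python
# Rule-based triage of HijackThis 1.99.x log lines (R0, F2, O4, O20).
# Added example, not part of this thread or of HijackThis. The allowlists are
# assumptions kept short: anything not on them is reported for review.
import re
from urllib.parse import urlparse

TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "ie.search.msn.com"}
# Winlogon\Notify subkeys shipped with Windows 2000/XP (assumed allowlist).
KNOWN_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif"}
# Run-key programs that legitimately live in (or resolve to) system32 on this box.
KNOWN_SYSTEM32_RUN = {"mobsync.exe", "promon.exe", "logi_mwx.exe"}


def _basename(path):
    return path.replace('"', "").strip().split("\\")[-1].lower()


def triage_r0(line):
    """R0: an IE search URL pointing anywhere but a trusted host is a hijack."""
    host = urlparse(line.split("=", 1)[1].strip()).hostname or ""
    if host not in TRUSTED_SEARCH_HOSTS:
        return ("R0", f"search provider redirected to {host}", line)
    return None


def triage_f2(line):
    """F2: UserInit should launch userinit.exe only; anything after it is chained."""
    parts = line.split("UserInit=", 1)[1].split(",")
    extras = [p.strip() for p in parts if p.strip() and _basename(p) != "userinit.exe"]
    if extras:
        return ("F2", "extra program(s) chained after Userinit: " + ", ".join(extras), line)
    return None


def triage_o4(line):
    """O4: Run values that start unrecognised binaries from system32 (or by bare name)."""
    m = re.match(r"O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)", line)
    exe = m and re.match(r'"?([^"]+?\.exe)', m.group(3), re.I)
    if not exe:
        return None          # Startup-folder O4 lines and non-.exe commands are skipped
    path = exe.group(1)
    # A bare file name is resolved through the search path, which means system32 here.
    in_system32 = "\\" not in path or "\\system32\\" in path.lower()
    if in_system32 and _basename(path) not in KNOWN_SYSTEM32_RUN:
        return ("O4", f"{m.group(1)} Run value [{m.group(2)}] launches unrecognised "
                      f"system32 binary {_basename(path)}", line)
    return None


def triage_o20(line):
    """O20: Winlogon Notify packages Windows does not ship, or already orphaned."""
    m = re.match(r"O20 - Winlogon Notify: (.*?) - (.*)", line)
    if not m:
        return None
    subkey, dll = m.groups()
    reasons = []
    if subkey.lower() not in KNOWN_NOTIFY_PACKAGES:
        reasons.append(f"Notify package '{subkey}' is not a known Windows package")
    if "(file missing)" in dll:
        reasons.append("orphaned Notify entry (DLL already gone)")
    return ("O20", "; ".join(reasons), line) if reasons else None


HANDLERS = {"R0": triage_r0, "F2": triage_f2, "O4": triage_o4, "O20": triage_o20}


def triage_log(text):
    """Return (code, reason, line) tuples for every flagged line, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        handler = HANDLERS.get(line.split(" ", 1)[0])
        finding = handler(line) if handler else None
        if finding:
            findings.append(finding)
    return findings


# Sample input: lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,hpsckhm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [fcylaa] C:\WINNT\system32\glutac.exe reg_run
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O20 - Winlogon Notify: Run - C:\WINNT\system32\ktjol7131.dll
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\hrn4055qe.dll (file missing)
"""

if __name__ == "__main__":
    for code, reason, line in triage_log(SAMPLE_LOG):
        print(f"{code:<4}{reason}\n    {line}")
```

Everything the script reports is a candidate for review, not a verdict; the Notify allowlist in particular should be checked against a clean machine of the same Windows version before it is relied on.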

swatkat ....I did everything successfully except for the Kaspersky On-Line Scan .....as soon as I connected to the Internet the pop-ups took over....IE aborted before I even finished downloading the scan.....is there an alternative as this method seems a bit counter productive....I've included the Avenger log and HJT log....thanks for the help....JD

1) Avenger log


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tgmlqnou

*******************

Script file located at: \??\C:\WINNT\xmehsuin.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:WINNTSYSTEM32F4L00E3MEH.DLL not found!
Deletion of file C:WINNTSYSTEM32F4L00E3MEH.DLL failed!

Could not process line:
C:WINNTSYSTEM32F4L00E3MEH.DLL
Status: 0xc0000034

File C:WINNTSYSTEM32I806LIDS1806.DLL not found!
Deletion of file C:WINNTSYSTEM32I806LIDS1806.DLL failed!

Could not process line:
C:WINNTSYSTEM32I806LIDS1806.DLL
Status: 0xc0000034

File C:WINNTSYSTEM32NOLSAPI.DLL not found!
Deletion of file C:WINNTSYSTEM32NOLSAPI.DLL failed!

Could not process line:
C:WINNTSYSTEM32NOLSAPI.DLL
Status: 0xc0000034

File C:WINNTsystem32ddvenum.dll not found!
Deletion of file C:WINNTsystem32ddvenum.dll failed!

Could not process line:
C:WINNTsystem32ddvenum.dll
Status: 0xc0000034

File C:WINNTsystem32dSdim700.dll not found!
Deletion of file C:WINNTsystem32dSdim700.dll failed!

Could not process line:
C:WINNTsystem32dSdim700.dll
Status: 0xc0000034

File C:WINNTsystem32f4l00e3meh.dll not found!
Deletion of file C:WINNTsystem32f4l00e3meh.dll failed!

Could not process line:
C:WINNTsystem32f4l00e3meh.dll
Status: 0xc0000034

File C:WINNTsystem32jtns0757e.dll not found!
Deletion of file C:WINNTsystem32jtns0757e.dll failed!

Could not process line:
C:WINNTsystem32jtns0757e.dll
Status: 0xc0000034

File C:WINNTsystem32jtrs0797e.dll not found!
Deletion of file C:WINNTsystem32jtrs0797e.dll failed!

Could not process line:
C:WINNTsystem32jtrs0797e.dll
Status: 0xc0000034

File C:WINNTsystem32kddsw.dll not found!
Deletion of file C:WINNTsystem32kddsw.dll failed!

Could not process line:
C:WINNTsystem32kddsw.dll
Status: 0xc0000034

File C:WINNTsystem32kt8ml7l11.dll not found!
Deletion of file C:WINNTsystem32kt8ml7l11.dll failed!

Could not process line:
C:WINNTsystem32kt8ml7l11.dll
Status: 0xc0000034

File C:WINNTsystem32ktjol7131.dll not found!
Deletion of file C:WINNTsystem32ktjol7131.dll failed!

Could not process line:
C:WINNTsystem32ktjol7131.dll
Status: 0xc0000034

File C:WINNTsystem32mcxml3a.dll not found!
Deletion of file C:WINNTsystem32mcxml3a.dll failed!

Could not process line:
C:WINNTsystem32mcxml3a.dll
Status: 0xc0000034

File C:WINNTsystem32mmiseq.dll not found!
Deletion of file C:WINNTsystem32mmiseq.dll failed!

Could not process line:
C:WINNTsystem32mmiseq.dll
Status: 0xc0000034

File C:WINNTsystem32mmnetobj.dll not found!
Deletion of file C:WINNTsystem32mmnetobj.dll failed!

Could not process line:
C:WINNTsystem32mmnetobj.dll
Status: 0xc0000034

File C:WINNTsystem32myvcrt20.dll not found!
Deletion of file C:WINNTsystem32myvcrt20.dll failed!

Could not process line:
C:WINNTsystem32myvcrt20.dll
Status: 0xc0000034

File C:WINNTsystem32nktcfgx.dll not found!
Deletion of file C:WINNTsystem32nktcfgx.dll failed!

Could not process line:
C:WINNTsystem32nktcfgx.dll
Status: 0xc0000034

File C:WINNTsystem32nmtmsg.dll not found!
Deletion of file C:WINNTsystem32nmtmsg.dll failed!

Could not process line:
C:WINNTsystem32nmtmsg.dll
Status: 0xc0000034

File C:WINNTsystem32osdbse32.dll not found!
Deletion of file C:WINNTsystem32osdbse32.dll failed!

Could not process line:
C:WINNTsystem32osdbse32.dll
Status: 0xc0000034

File C:WINNTsystem32q2pslc771f.dll not found!
Deletion of file C:WINNTsystem32q2pslc771f.dll failed!

Could not process line:
C:WINNTsystem32q2pslc771f.dll
Status: 0xc0000034

File C:WINNTsystem32ruaenh.dll not found!
Deletion of file C:WINNTsystem32ruaenh.dll failed!

Could not process line:
C:WINNTsystem32ruaenh.dll
Status: 0xc0000034

File C:WINNTsystem32rUsgtwy.dll not found!
Deletion of file C:WINNTsystem32rUsgtwy.dll failed!

Could not process line:
C:WINNTsystem32rUsgtwy.dll
Status: 0xc0000034

File C:WINNTSYSTEM32__delete_on_reboot__guard.tmp not found!
Deletion of file C:WINNTSYSTEM32__delete_on_reboot__guard.tmp failed!

Could not process line:
C:WINNTSYSTEM32__delete_on_reboot__guard.tmp
Status: 0xc0000034

File C:WINNTNDNuninstall7_22.exe not found!
Deletion of file C:WINNTNDNuninstall7_22.exe failed!

Could not process line:
C:WINNTNDNuninstall7_22.exe
Status: 0xc0000034

File C:Documents and SettingsjdumasApplication DataSskuknwrd.dll not found!
Deletion of file C:Documents and SettingsjdumasApplication DataSskuknwrd.dll failed!

Could not process line:
C:Documents and SettingsjdumasApplication DataSskuknwrd.dll
Status: 0xc0000034

File C:WINNTsystem32dmonwv.dll not found!
Deletion of file C:WINNTsystem32dmonwv.dll failed!

Could not process line:
C:WINNTsystem32dmonwv.dll
Status: 0xc0000034

File C:WINNTsystem32glutac.exe not found!
Deletion of file C:WINNTsystem32glutac.exe failed!

Could not process line:
C:WINNTsystem32glutac.exe
Status: 0xc0000034

File C:WINNTsystem32mptft.exe not found!
Deletion of file C:WINNTsystem32mptft.exe failed!

Could not process line:
C:WINNTsystem32mptft.exe
Status: 0xc0000034

File C:WINNTsystem32ssn6tuu.exe not found!
Deletion of file C:WINNTsystem32ssn6tuu.exe failed!

Could not process line:
C:WINNTsystem32ssn6tuu.exe
Status: 0xc0000034

File C:WINNTsystem32hpsckhm.exe not found!
Deletion of file C:WINNTsystem32hpsckhm.exe failed!

Could not process line:
C:WINNTsystem32hpsckhm.exe
Status: 0xc0000034

File C:WINNThpsckhm.exe not found!
Deletion of file C:WINNThpsckhm.exe failed!

Could not process line:
C:WINNThpsckhm.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

2) HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:58:55 PM, on 6/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\nmtmsg.dll
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\hrn4055qe.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINNT\system32\guard.tmp (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe

0

Hi,
No problem! Those popups are due to the Look2Me spyware. It's a nasty one! We will remove it now!


Please download F-Look2Me, a removal tool from F-Secure, and save it in a convenient location. Next, run it and allow it to scan and remove infections.


Reboot the PC.


Next, download Brute Force Uninstaller to your desktop. (Right-click on this link and choose Save As; if using IE, Save Target As.)

  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and uncheck the "Show Extracted Files" box and then click "Finish".

If you already have BFU, there is no need to download it again. But run the fix mentioned below again.

  • Download qoofix.bat (right-click on this link and choose Save As; if using IE, Save Target As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat, and close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted, please post another HijackThis log.
0

Hi swatkat,

I'm not sure it worked since ewido pops up with a screen that it found a problem with iHshlpr.dll in C:\WINNT\system32 ....says it's Adware: Look2.ME.. :( .....here's the HJT scan.....thanks...JD

Logfile of HijackThis v1.99.1
Scan saved at 9:26:24 AM, on 6/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\hrn4055qe.dll (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\i6jq0g15e6.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\dn8q01l5e.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe

0

Hi,

Yes! Look2Me is still there. Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click "Look2Me-Destroyer.exe" to run it.
  • Put a check next to "Run this program as a task."
  • You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 1 minute". Click "OK".
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the "Remove L2M" button.
  • You will receive a "Done Scanning" message, click "OK".
  • When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click "OK".
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. The log can be found wherever the fix is located - if Look2Me-Destroyer is on the desktop, that's where the log will be.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

================================

Also, please download the 2-week trial version of WebRoot SpySweeper from HERE.
Alternate download site.
Alternate download site.
Alternate download site.

  • Click on Free Spy Scan.
  • On the next page, click on Start Scan Now
  • Save the Setup file to your Desktop, then click OK.
  • Double-click on the file that you saved. (If you receive alerts from your firewall, allow all activities for Spy Sweeper)
  • You will be prompted to check for updated definitions, please do so.
  • Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
  • Check "Local Disc C" and under "What to Sweep", check every box.
  • Click on "Sweep" and allow it to fully scan your system.
  • When the sweep has finished, click "Remove" to remove any items found.
  • Exit SpySweeper and reboot your computer.

NOTE: After SpySweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.

==================================

After running the above two tools, please post a new HijackThis log.

0

Hi swatkat....seems like we may have got it? ...ewido did not display the look2me warning.....keeping my fingers crossed....let me know...thanks....JD

Logfile of HijackThis v1.99.1
Scan saved at 7:24:03 PM, on 6/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

0

Hi,
Yes, Look2Me's gone! Now, there's one last thing to remove: the Qoologic spyware. Actually, we should again use the BFU and Qoofix.bat tool that was used previously. This tool should remove Qoologic, but it failed when it was used last time, because the Look2Me spyware deletes some Registry keys which are used by the BFU and Qoolfix.bat combo.

So, here are the steps to remove Qoologic. You may have these files already, but I will post them for your reference:

Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose "Save as"; if using IE, "Save target as".)

  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:\)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (right-click on this link and choose "Save as"; if using IE, "Save target as")
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat, and close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another HijackThis log.

0

swatkat.....I think it worked ......in previous tries the BFU/Qoolfix.bat combo did not take the "5 minutes" stated in the instructions....I guess I should have mentioned that.....here's the latest HJT....is the laptop clean? thanks...JD

1) HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:10:05 PM, on 6/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

0

Hi,
Yes, Look2Me was interfering with other fixes. That's why Qoolfix wasn't working! Now, it's gone. Log looks clean :D
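
The way the helper judges each fix above is by comparing successive HijackThis logs and noting which O4/O20/O23 entries vanished. Here is an added example (not from the thread, not HijackThis code) that parses two logs and diffs their entries; the two sample logs are constructed from entries quoted in this thread, trimmed to the lines that differ between scans.

```python
"""Diff two HijackThis logs to see which hooks a fix actually removed.

Added example for this thread; it is not HijackThis code and not the
helper's own tooling. The sample logs below are constructed from entries
quoted in the thread, trimmed to the lines that differ between scans.
"""
import re

# Every HijackThis finding is one line tagged with a section code such as
# O4 (Run keys), O20 (Winlogon Notify hooks) or O23 (services).
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return {'processes': set of lower-cased paths, 'entries': set of (section, body)}."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.add((m.group(1), m.group(2)))
        elif in_processes:
            processes.add(line.lower())   # paths are case-insensitive on Windows
    return {"processes": processes, "entries": entries}


def diff_hjt(before, after):
    """Entries and processes that disappeared or appeared between two scans."""
    a, b = parse_hjt(before), parse_hjt(after)
    return {
        "removed_entries": sorted(a["entries"] - b["entries"]),
        "added_entries": sorted(b["entries"] - a["entries"]),
        "removed_processes": sorted(a["processes"] - b["processes"]),
        "added_processes": sorted(b["processes"] - a["processes"]),
    }


def missing_file_entries(text):
    """Entries HijackThis flagged '(file missing)': a hook still registered
    although its DLL is gone, as with two of the Look2Me O20 entries above."""
    return sorted(e for e in parse_hjt(text)["entries"] if "(file missing)" in e[1])


# Constructed sample: pre-fix log (entries quoted from the thread's first scan).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [cygnb] C:\WINNT\system32\glutac.exe reg_run
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\hrn4055qe.dll (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\i6jq0g15e6.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\dn8q01l5e.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Constructed sample: post-fix log (entries quoted from the scan after qoofix).
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""


def report(before, after):
    """Plain-text summary of diff_hjt(), in the order a helper reads a log."""
    d = diff_hjt(before, after)
    lines = []
    for key in ("removed_entries", "added_entries"):
        lines.append(f"{key}:")
        lines.extend(f"  {sec} - {body}" for sec, body in d[key])
    for key in ("removed_processes", "added_processes"):
        lines.append(f"{key}:")
        lines.extend(f"  {p}" for p in d[key])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG))
```

Run against the full logs from the thread, the removed list is exactly the three Look2Me O20 hooks and the Qoologic O4 entry, and the added list is only the Spy Sweeper components the helper installed.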

0

swatkat......great! :) ....thanks for all of your help....I'll be loading the Spyware Blaster program on the laptop too! ......JD

0

swatkat.....hold on ....I can't believe it but I still have pop-ups on the laptop.....I connected to the Internet and I downloaded the SpyBlaster program and set it up and I started to get some sites blocked etc....I rebooted and immediately got more pop-ups.....here's the HJT - what's going on :( ? JD

HJT

Logfile of HijackThis v1.99.1
Scan saved at 8:43:04 PM, on 6/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\jdumas\My Documents\Security Downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: MA521 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://verizon.webattend.com/components/wt0809.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.officeupdate.com/productupdates/content/opuc.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.aimnetsolutions.net
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\SYMANTEC\Ghost\NGCTW32.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

0

Hi,
Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
1. Open a command window by going to Start > Run and typing: cmd
2. Copy/paste or type the following in the command window:

C:\blbeta.exe /expert

3. Hit "Enter" to start the program and then close the cmd box.
4. Accept the user agreement and click "Next".
5. Click "Scan".
6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
8. Exit Blacklight and post the contents of the log in your next reply.

Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.

0

Hi swatkat....here's the log file.....it did not find any hidden files.....please advise....thanks....JD

06/11/06 19:28:29 [Info]: BlackLight Engine 1.0.37 initialized
06/11/06 19:28:29 [Info]: OS: 5.0 build 2195 (Service Pack 4)
06/11/06 19:28:29 [Note]: 7019 4
06/11/06 19:28:29 [Note]: 7005 0
06/11/06 19:28:42 [Note]: 7006 0
06/11/06 19:28:42 [Note]: 7011 1200
06/11/06 19:28:42 [Note]: 7026 0
06/11/06 19:28:43 [Note]: 7026 0
06/11/06 19:28:59 [Note]: FSRAW library version 1.7.1015
06/11/06 19:33:29 [Note]: 7007 0

0

swatkat.....here's the WinPFind log....it's starting to get to me :twisted: ......thanks for the help....JD

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.


If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000    Current Build: Service Pack 4    Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...


Checking %System% folder...
WinShutDown          6/7/2006 10:03:40 PM        234872     C:\WINNT\SYSTEM32\ktpml7711.dll.ren
ad-w-a-r-e.com       6/7/2006 10:03:40 PM        234872     C:\WINNT\SYSTEM32\ktpml7711.dll.ren
PTech                7/12/2005 6:04:22 PM        520456     C:\WINNT\SYSTEM32\LegitCheckControl.dll
UPX!                 1/13/2005 9:41:48 PM        11254      C:\WINNT\SYSTEM32\locate.com
WinShutDown          6/8/2006 9:51:50 AM     R S 236615     C:\WINNT\SYSTEM32\MKIDENT.DLL
ad-w-a-r-e.com       6/8/2006 9:51:50 AM     R S 236615     C:\WINNT\SYSTEM32\MKIDENT.DLL
PECompact2           5/3/2006 9:26:24 PM         5818784    C:\WINNT\SYSTEM32\MRT.exe
aspack               5/3/2006 9:26:24 PM         5818784    C:\WINNT\SYSTEM32\MRT.exe
Umonitor             1/12/2005 12:39:46 PM       531216     C:\WINNT\SYSTEM32\RASDLG.DLL
UPX!                 1/20/2005 1:47:50 PM        175616     C:\WINNT\SYSTEM32\strings.exe
winsync              12/7/1999 8:00:00 AM        1309184    C:\WINNT\SYSTEM32\wbdbase.deu
WinShutDown          6/8/2006 7:57:16 AM         234872     C:\WINNT\SYSTEM32\__delete_on_reboot__DEomExt.dll.ren
ad-w-a-r-e.com       6/8/2006 7:57:16 AM         234872     C:\WINNT\SYSTEM32\__delete_on_reboot__DEomExt.dll.ren


Checking %System%\Drivers folder and sub-folders...


Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/12/2006 4:48:44 PM     H  1098360    C:\WINNT\ShellIconCache
6/13/2006 7:55:30 AM      S 64         C:\WINNT\CSC\00000001
6/8/2006 4:33:30 PM       S 64         C:\WINNT\CSC\00000002
6/8/2006 9:51:24 AM       S 64         C:\WINNT\CSC\csc1.tmp
6/8/2006 9:51:50 AM     R S 236615     C:\WINNT\system32\MKIDENT.DLL
6/13/2006 7:58:44 AM     H  1024       C:\WINNT\system32\config\default.LOG
6/7/2006 8:42:06 PM      H  1024       C:\WINNT\system32\config\SAM.LOG
6/13/2006 8:05:56 AM     H  1024       C:\WINNT\system32\config\SECURITY.LOG
6/13/2006 5:11:36 PM     H  1024       C:\WINNT\system32\config\software.LOG
6/13/2006 7:55:48 AM     H  6          C:\WINNT\Tasks\SA.DAT


Checking for CPL files...
Microsoft Corporation          12/7/1999 8:00:00 AM        67344      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        301328     C:\WINNT\SYSTEM32\appwiz.cpl
10/1/2001 9:47:18 AM        483328     C:\WINNT\SYSTEM32\cpqIKey.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        237328     C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        31504      C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        128272     C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        118032     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        36112      C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        60688      C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        122128     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        303888     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        17168      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        41232      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        90896      C:\WINNT\SYSTEM32\powercfg.cpl
Intel Corporation              5/13/2002 3:02:04 AM        671744     C:\WINNT\SYSTEM32\PROSetp.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        83216      C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        125712     C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        5904       C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        61200      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          1/12/2005 12:40:00 PM       64784      C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation                9/23/1999 6:44:36 PM        94208      C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...
9/7/2005 10:22:18 AM        640        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA521 Configuration Utility.lnk
8/30/2005 11:40:26 AM       1572       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/6/2005 2:47:10 PM         1397       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk


Checking files in %ALLUSERSPROFILE%\Application Data folder...


Checking files in %USERPROFILE%\Startup folder...
10/25/2005 5:30:02 PM       1397       C:\Documents and Settings\jdumas\Start Menu\Programs\Startup\HotSync Manager.lnk


Checking files in %USERPROFILE%\Application Data folder...
1/23/2006 5:32:10 PM        38514      C:\Documents and Settings\jdumas\Application Data\Microsoft Excel.ADR
6/3/2006 9:40:12 AM         67         C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B}   = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467}   = &Radio   : C:\WINNT\System32\msdxm.ocx


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText   = Research :


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
cpqek   C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
Promon.exe  Promon.exe
NGClient    C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
hkss    C:\Program Files\Compaq\Hotkey Software\hkss.exe
vptray  C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Logitech Utility    Logi_MwX.Exe
MMTray  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
SpySweeper  "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL   Installed = 1
MAPI    Installed = 1
MSFS    Installed = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  149
CDRAutoRun  0



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray          {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = C:\WINNT\system32\Userinit.exe,
Shell       = Explorer.exe
System      =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/13/2006 5:13:44 PM

Edited by happygeek: fixed formatting


Hi,
There are still some files to delete. Let's use Avenger.
Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing the CTRL and C keys:-

Files to delete:
C:\WINNT\SYSTEM32\ktpml7711.dll.ren
C:\WINNT\SYSTEM32\MKIDENT.DLL
C:\WINNT\SYSTEM32\__delete_on_reboot__DEomExt.dll.ren
C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll

  • Now, run The Avenger program by double clicking its icon on your Desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing Ctrl V keys.
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Please post a new WinPFind log along with the Avenger log.


swatkat......did it....here are the logs.....how does it look? ....thanks...JD

1) Avenger


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dkkikqcp


*******************


Script file located at: \??\C:\Documents and Settings\irnvbrpf.txt
Script file opened successfully.


Script file read successfully


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


File C:\WINNT\SYSTEM32\ktpml7711.dll.ren deleted successfully.
File C:\WINNT\SYSTEM32\MKIDENT.DLL deleted successfully.
File C:\WINNT\SYSTEM32\__delete_on_reboot__DEomExt.dll.ren deleted successfully.
File C:\Documents and Settings\jdumas\Application Data\Sskuknwrd.dll deleted successfully.


Completed script processing.


*******************


Finished!  Terminate.



2) WinPFind


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.


If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000    Current Build: Service Pack 4    Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...


Checking %System% folder...
PTech                7/12/2005 6:04:22 PM        520456     C:\WINNT\SYSTEM32\LegitCheckControl.dll
UPX!                 1/13/2005 9:41:48 PM        11254      C:\WINNT\SYSTEM32\locate.com
PECompact2           5/3/2006 9:26:24 PM         5818784    C:\WINNT\SYSTEM32\MRT.exe
aspack               5/3/2006 9:26:24 PM         5818784    C:\WINNT\SYSTEM32\MRT.exe
Umonitor             1/12/2005 12:39:46 PM       531216     C:\WINNT\SYSTEM32\RASDLG.DLL
UPX!                 1/20/2005 1:47:50 PM        175616     C:\WINNT\SYSTEM32\strings.exe
winsync              12/7/1999 8:00:00 AM        1309184    C:\WINNT\SYSTEM32\wbdbase.deu


Checking %System%\Drivers folder and sub-folders...


Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/13/2006 5:22:10 PM     H  1098406    C:\WINNT\ShellIconCache
6/13/2006 10:56:18 PM     S 64         C:\WINNT\CSC\00000001
6/8/2006 4:33:30 PM       S 64         C:\WINNT\CSC\00000002
6/8/2006 9:51:24 AM       S 64         C:\WINNT\CSC\csc1.tmp
6/13/2006 10:58:58 PM    H  1024       C:\WINNT\system32\config\default.LOG
6/7/2006 8:42:06 PM      H  1024       C:\WINNT\system32\config\SAM.LOG
6/13/2006 11:06:44 PM    H  1024       C:\WINNT\system32\config\SECURITY.LOG
6/13/2006 11:04:22 PM    H  1024       C:\WINNT\system32\config\software.LOG
6/13/2006 10:56:36 PM    H  6          C:\WINNT\Tasks\SA.DAT


Checking for CPL files...
Microsoft Corporation          12/7/1999 8:00:00 AM        67344      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        301328     C:\WINNT\SYSTEM32\appwiz.cpl
10/1/2001 9:47:18 AM        483328     C:\WINNT\SYSTEM32\cpqIKey.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        237328     C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        31504      C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        128272     C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        118032     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        36112      C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        60688      C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        122128     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        303888     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        17168      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        41232      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        90896      C:\WINNT\SYSTEM32\powercfg.cpl
Intel Corporation              5/13/2002 3:02:04 AM        671744     C:\WINNT\SYSTEM32\PROSetp.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        83216      C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation          6/19/2003 3:05:04 PM        125712     C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation          12/7/1999 8:00:00 AM        5904       C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        61200      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          1/12/2005 12:40:00 PM       64784      C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation                9/23/1999 6:44:36 PM        94208      C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation          12/7/1999 8:00:00 AM        41232      C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...
9/7/2005 10:22:18 AM        640        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA521 Configuration Utility.lnk
8/30/2005 11:40:26 AM       1572       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/6/2005 2:47:10 PM         1397       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk


Checking files in %ALLUSERSPROFILE%\Application Data folder...


Checking files in %USERPROFILE%\Startup folder...
10/25/2005 5:30:02 PM       1397       C:\Documents and Settings\jdumas\Start Menu\Programs\Startup\HotSync Manager.lnk


Checking files in %USERPROFILE%\Application Data folder...
1/23/2006 5:32:10 PM        38514      C:\Documents and Settings\jdumas\Application Data\Microsoft Excel.ADR


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}   = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B}   = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467}   = &Radio   : C:\WINNT\System32\msdxm.ocx


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText   = Research :


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
cpqek   C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
Promon.exe  Promon.exe
NGClient    C:\Program Files\SYMANTEC\Ghost\ngctw32.exe
hkss    C:\Program Files\Compaq\Hotkey Software\hkss.exe
vptray  C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Logitech Utility    Logi_MwX.Exe
MMTray  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
SpySweeper  "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL   Installed = 1
MAPI    Installed = 1
MSFS    Installed = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  149
CDRAutoRun  0



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray          {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = C:\WINNT\system32\Userinit.exe,
Shell       = Explorer.exe
System      =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/13/2006 11:12:09 PM

Edited by happygeek: fixed formatting


swatkat....still not clean....just rebooted and hooked it up to the internet and ad banners start to pop up :( ....does the WinPFind reveal anything? ...thanks...JD
