TheTechGuide Forum

General Category => Tech Clinic => Topic started by: kit23 on February 02, 2005, 11:33:36 AM

Title: hjt log
Post by: kit23 on February 02, 2005, 11:33:36 AM
I've already run Norton, Adaware, and Spybot...

here's the log. thanks for the help in advance.

Logfile of HijackThis v1.97.7
Scan saved at 11:38:33 PM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37646.8117592593
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
Title: hjt log
Post by: guestolo on February 02, 2005, 12:26:00 PM
Can you let me know exactly what problems you're having

Right now I only see one bad guy we have to remove
To ensure I'm seeing everything

Could you also update your version of Hijackthis
Open Hijackthis>>Config>>Open the Misc tools section
Click the Check for Updates online

If for some reason it won't update could you download the latest version from my signature below and save it to your
C:\Program Files\HijackThis folder
Allow to overwrite the old version if prompted

After you have updated hijackthis can you RESTART your computer

Back in Windows

Open Hijackthis 1.99
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log  here
Don't try and fix anything yet----It is all important
Title: hjt log
Post by: kit23 on February 02, 2005, 03:02:46 PM
sorry i forgot the symptoms...

things going wrong:
system running very slowly
IE often says it needs to shut down (and doesn't always do so)
searches with Google and Yahoo (haven't tried others) are all directed to a first page of obviously wrong websites
zone alarm won't start
norton keeps finding viruses:
Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Downloader.Trojan
File:  C:\WINDOWS\System32\tmpf02.exe
Location:  Quarantine
Computer:  KEN
User:  KenW
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Wed Feb 02 13:49:06 2005

here's latest hjt (first 4 look suspicious to me)

Logfile of HijackThis v1.99.0
Scan saved at 1:55:56 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\hijackthis.exe
C:\WINDOWS\System32\tmpf00.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\tmpf01.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Title: hjt log
Post by: guestolo on February 02, 2005, 03:51:01 PM
Let's try this

Download and Install this small program
to help clean your temp folders,cookies,prefetch,etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install it for now but don't run a scan yet
Hold onto this

Could you download and save to desktop
The standalone version of CWShredder.exe (http://cwshredder.net/bin/CWShredder.exe)
Don't run it yet

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Print the rest of this out, or save to a Notepad file on your desktop
You can use it as a checklist

Restart your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)

Find and delete these files or folders if they exist
C:\WINDOWS\System32\tmpf02.exe <--file
C:\WINDOWS\System32\tmpf00.exe <--file
C:\WINDOWS\System32\tmpf01.exe <--file
Are there any more files that look like tmpf0.exe

Stay in safe mode

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL

O4 - Startup: PowerReg Scheduler.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Again, in safe mode
Open Windows CleanUp you installed earlier
START>>All Programs>>Cleanup
Click the CleanUp button, Let it finish scanning, when it's done it will prompt you to Log, DON'T at this time

Instead
Open up just CWShredder, click on ONLY the FIX button
Let it fix all problems
When it's done Restart back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

This one can sometimes fix easy or not so easy :D
I suggest that you also
Just for a double check

Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane---  Use "CTRL  C" on your Keyboard to copy all found in the lower pane  and paste it in your next reply.

****If prompted that a Virus was found and you need to purchase the product  to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Post back a fresh hijackthis log and the eScan results
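As an added example (not something posted in this thread, and not a HijackThis feature), here is a small Python triage script for the HijackThis log format: it separates the "Running processes" list from the section-coded entries (R1, O2, O4, O16, O23, ...) and flags the indicators the helper acted on above. The indicator patterns and the sample log lines are taken from the logs posted earlier in the thread; anything else is an assumption of the example.

```python
"""Triage helper for HijackThis log output (added example, not from the thread).

A HijackThis log lists running processes and then one entry per line, each
prefixed with a section code such as R1, N1, O2, O4, O16 or O23. This script
splits a log into those two parts and flags the indicators discussed in the
thread: IE search/start pages pointing at searchv.com, the BHO that loads
DSMANA~1.DLL, the bare "PowerReg Scheduler.exe" startup item, and tmpf0?.exe
processes running from System32.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the second log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\tmpf00.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\tmpf01.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # "R1", "O2", "O4", ... or "process" for the running-process list
    reason: str
    line: str


# Section code at the start of an entry, e.g. "R1 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^([RNFO]\d{1,2}) - (.*)$")

# Indicators the helper ticked or asked about in this thread (matched against the entry body).
INDICATORS = [
    (re.compile(r"searchv\.com", re.I), "IE search/start page redirected to searchv.com"),
    (re.compile(r"DSMANA~1\.DLL", re.I), "BHO loading DSMANA~1.DLL (ticked for removal in the thread)"),
    (re.compile(r"^Startup: PowerReg Scheduler\.exe$", re.I), "PowerReg Scheduler startup item (ticked for removal)"),
]
# Process names the helper asked the poster to look for; Norton flagged tmpf02.exe as Downloader.Trojan.
TMP_PROCESS_RE = re.compile(r"\\tmpf0\d\.exe$", re.I)


def split_log(text):
    """Return (processes, entries): paths under 'Running processes:' and (section, body) pairs."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Flag running processes and entries that match the thread's indicators, in log order."""
    processes, entries = split_log(text)
    findings = []
    for proc in processes:
        if TMP_PROCESS_RE.search(proc):
            findings.append(Finding("process", "tmpf0?.exe running from System32", proc))
    for section, body in entries:
        for pattern, reason in INDICATORS:
            if pattern.search(body):
                findings.append(Finding(section, reason, f"{section} - {body}"))
    return findings


def summarize(text):
    """Count entries per section code so a reviewer sees the shape of the log at a glance."""
    _, entries = split_log(text)
    counts = {}
    for section, _ in entries:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("entries per section:", summarize(SAMPLE_LOG))
```

Paste a full saved log into SAMPLE_LOG (or read it from a file) to run the same checks over a real scan; entries that match nothing are left alone rather than guessed at.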
Title: hjt log
Post by: kit23 on February 02, 2005, 10:49:43 PM
wow that took a while but all's done as you said. there's a lot to read

escan:
File C:\WINDOWS\SYSTEM32\VDMT16.SYS infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_20.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_64.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_10.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\polall1t.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bilfqaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\boqwsbyd.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dnbjtaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gtvlmooj.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lsgnaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msbar.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nvwixhxn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\oxdqyaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\pmbaneyn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tibs3.exe infected by "Trojan-Downloader.Win32.Tibser.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbejaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\whxsyqih.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\xpxicmld.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\yldaaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0000.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0001.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00000.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00001.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00002.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07900000.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0000.VBN infected by "Backdoor.Win32.Haxdoor.be" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\KenW\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5f5d0f17-147abb63.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\UselessCreations\Matrix3DSetup.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Windows Media Player\wmplayer.exe.tmp infected by "TrojanDropper.Win32.Small.ge" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008510.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008521.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008526.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008631.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008652.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0008683.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008817.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008844.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008854.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008873.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008884.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0009434.exe infected by "not-a-virus:AdWare.BiSpy.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0009891.dll infected by "not-a-virus:AdWare.BiSpy.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0015410.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017279.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017294.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017302.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017309.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017322.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017330.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017340.exe infected by "Trojan.Win32.StartPage.ag" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017341.exe infected by "TrojanDownloader.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017342.exe infected by "TrojanDownloader.Win32.Small.kl" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017352.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017367.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017369.sys infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017371.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017375.sys infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017534.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_20.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_64.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_10.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\polall1t.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\bilfqaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\boqwsbyd.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\cz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dnbjtaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\gtvlmooj.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\hz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\lsgnaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msbar.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\nvwixhxn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\oxdqyaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\pmbaneyn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\tibs3.exe infected by "Trojan-Downloader.Win32.Tibser.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\vbejaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\whxsyqih.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\xpxicmld.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\yldaaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.

and new HJT:
Logfile of HijackThis v1.99.0
Scan saved at 9:46:23 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\KenW\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\KenW\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email (http://\"http://by8fd.bay8.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Title: hjt log
Post by: guestolo on February 02, 2005, 10:58:05 PM
Hi again kit23
I have to step out for a bit
But could you do me a favor please
I want to see what this utility will clean out

Create a New folder on your Desktop, call it AboutBuster
Download to desktop ABOUT:BUSTER.zip (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
Unzip it to that new folder. Open About:Buster and Check for Updates
Don't run a Scan yet

Restart into Safe mode
Navigate to About:Buster
Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning. Scan a second time.
Save the log to a convenient location, I will want to see it later. Then hit exit

Restart into Normal mode and run about:buster again
save this log also

Post both About:Buster logs
Title: hjt log
Post by: kit23 on February 03, 2005, 10:12:02 AM
ok done.
but aboutbuster wouldn't update. said error, etc.

here are the logs

Scanned at: 8:59:02 AM   on: 2/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed! : C:\WINDOWS\System32\nthst32.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 9:05:59 AM   on: 2/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


now IE is randomly hijacked and taken to a search page as well.
Title: hjt log
Post by: guestolo on February 03, 2005, 10:23:56 AM
Save this reference file for About:buster
to the folder that you extracted aboutbuster to
Ensure it has the .dll extension, it should by default
That should bring the program up to date
http://www.malwarebytes.biz/reflist.dll

Allow to overwrite if prompted

Run it in Normal mode, scan a couple times
Save the log---Restart your computer

Post back a fresh hijackthis log afterwards
Post the about:buster logs too
Title: hjt log
Post by: kit23 on February 03, 2005, 12:15:24 PM
ok guestolo. here are the logs

Scanned at: 11:09:09 AM   on: 2/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.99.0
Scan saved at 11:13:44 AM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email (http://\"http://by8fd.bay8.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Title: hjt log
Post by: guestolo on February 03, 2005, 01:06:40 PM
Hi again Kit, let's try cleaning the rest of this up

But first one more small download
Download and save to desktop LSPFIX.zip (http://www.cexx.org/lspfix.zip)
Unzip it to your desktop
Open it up and let me know what you see on the KEEP side
Also let me know what you see on the Remove side

EDIT>>I've seen About:buster clean out some of those files that eScan identified

NDNuninstall and some of the others
I guess that was not the case this time
Title: hjt log
Post by: kit23 on February 03, 2005, 02:18:30 PM
ok here it is

all in keep side
mswsock.dll Tcpip
winrnr.dll NTDS
rsvpsp.dll (Protocol Handler)

nothing on remove side
Title: hjt log
Post by: guestolo on February 03, 2005, 04:08:36 PM
Let's try some cleaning, you have one that may be tough to remove, but we'll get it

Many infections are in your System Restore Folder
We'll clean those in a bit

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Access your Control Panel>>>Double click on the Java Plugin>>Cache tab
Clear the Cache

NEXT:Can you download and save ~Removed link~ to your desktop
IMPORTANT>>Create a new folder and UNZIP the contents to that new folder

Download Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)

UNZIP the files to the folder of your choice.
Save this next part to a Notepad file on your desktop for easy access
Disconnect from the Net>>Close all unnecessary windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

With only the Notepad file open for reference

Double-click on Killbox.exe to run it
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
For any .dll file, additionally put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"

C:\WINDOWS\SYSTEM32\VDMT16.SYS

C:\WINDOWS\NDNuninstall5_20.exe

C:\WINDOWS\NDNuninstall5_40.exe

C:\WINDOWS\NDNuninstall5_48.exe

C:\WINDOWS\NDNuninstall5_64.exe

C:\WINDOWS\NDNuninstall6_10.exe

C:\WINDOWS\System32\mszx23.exe

C:\WINDOWS\polall1t.exe

C:\WINDOWS\System32\bilfqaaa.exe

C:\WINDOWS\System32\boqwsbyd.exe

C:\WINDOWS\System32\dnbjtaaa.exe

C:\WINDOWS\System32\gtvlmooj.exe

C:\WINDOWS\System32\lsgnaaaa.exe

C:\WINDOWS\System32\msbar.exe

C:\WINDOWS\System32\nvwixhxn.exe

C:\WINDOWS\System32\oxdqyaaa.exe

C:\WINDOWS\System32\pmbaneyn.exe

C:\WINDOWS\System32\tibs3.exe

C:\WINDOWS\System32\vbejaaaa.exe

C:\WINDOWS\System32\whxsyqih.exe

C:\WINDOWS\System32\xpxicmld.exe

C:\WINDOWS\System32\yldaaaaa.exe

C:\Program Files\UselessCreations\Matrix3DSetup.exe

C:\Program Files\Windows Media Player\wmplayer.exe.tmp

C:\WINDOWS\System32\cz.dll

C:\WINDOWS\System32\hz.dll

When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot

Please Restart the computer into Safe mode at this time
You can enter safe mode by tapping the F8 key on the keyboard as the computer is booting up

You may choose to delete the files in the Quarantine area of Symantec's manually

You must be in safe mode with Windows set to show hidden files and folders
In safe mode
Open that new folder you created for Rkfiles.zip
Double click on rkfiles.bat to run it.
Sit back and WAIT until the dos Window closes

Restart back to Normal mode
IMPORTANT>>>rkfiles.bat should have created a new .txt file
C:\log.txt
IMPORTANT>>Copy and paste back the contents of log.txt

Along with a fresh hijackthis log

If at any time after you find trouble with your Internet connection
Simply open LSP fix with all other windows closed
and click the Finish button
Restart your computer
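The triage guestolo does in the post above (eScan hits under System Volume Information are restore-point copies that clearing System Restore takes care of, the rest are live files to delete, DLLs unregistered first) as an added Python example; this is not code from the thread, from eScan or from Killbox. It runs on a constructed subset of the eScan lines posted earlier in this thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Eight lines copied from the eScan log posted earlier in this thread
# (a constructed subset of the full log, used here as sample input).
ESCAN_SAMPLE = r"""
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017369.sys infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017340.exe infected by "Trojan.Win32.StartPage.ag" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_20.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\polall1t.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\cz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\hz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\tibs3.exe infected by "Trojan-Downloader.Win32.Tibser.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\yldaaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
"""

# One eScan detection line: File <path> infected by "<name>" Virus. Action Taken: <action>.
LINE_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.?$'
)
# Anything System Restore has archived lives under this directory.
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{', re.IGNORECASE)


class Detection(NamedTuple):
    path: str
    name: str      # scanner's detection name, e.g. Backdoor.Win32.Haxdoor.bh
    action: str    # what the scanner did; "No Action Taken" throughout this thread


def parse_escan(text: str) -> List[Detection]:
    """Parse eScan log lines; lines that do not match the format are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["name"], m["action"]))
    return found


def in_restore_point(path: str) -> bool:
    """True for copies archived by System Restore (cleared by purging restore points)."""
    return RESTORE_RE.search(path) is not None


def is_adware_class(name: str) -> bool:
    """eScan prefixes adware/riskware with 'not-a-virus:'; the rest is malware proper."""
    return name.lower().startswith("not-a-virus:")


def triage(text: str) -> Dict[str, object]:
    """Split detections into live files (to act on now) and restore-point copies,
    and group the live ones by detection name so related files are handled together."""
    dets = parse_escan(text)
    live = [d for d in dets if not in_restore_point(d.path)]
    archived = [d for d in dets if in_restore_point(d.path)]
    by_name: Dict[str, List[str]] = defaultdict(list)
    for d in live:
        by_name[d.name].append(d.path)
    return {
        "live": live,
        "restore_points": archived,
        "live_by_name": dict(by_name),
        "unhandled": sum(1 for d in dets if d.action == "No Action Taken"),
    }


def killbox_plan(live: List[Detection]) -> List[Dict[str, object]]:
    """One entry per live file, mirroring the manual steps in the thread:
    delete on reboot, and unregister first when the file is a DLL."""
    return [
        {
            "path": d.path,
            "delete_on_reboot": True,
            "unregister_dll": d.path.lower().endswith(".dll"),
            "adware_class": is_adware_class(d.name),
        }
        for d in live
    ]


if __name__ == "__main__":
    result = triage(ESCAN_SAMPLE)
    print(f"{len(result['restore_points'])} restore-point copies, "
          f"{len(result['live'])} live files, "
          f"{result['unhandled']} left untouched by the scanner")
    for name, paths in result["live_by_name"].items():
        print(f"  {name}:")
        for p in paths:
            print(f"    {p}")
    for step in killbox_plan(result["live"]):
        flag = " (unregister DLL first)" if step["unregister_dll"] else ""
        print(f"delete on reboot: {step['path']}{flag}")
```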
Title: hjt log
Post by: kit23 on February 03, 2005, 05:12:04 PM
well this is getting more and more fun!
zone alarm seems to be working now

minor issues with above:
the cache tab in java was the temp internet files, right? deleted...

the mszx23.exe !! wasn't there the first hjt scan. however it was there at the final hjt scan so i fixed it then and rescanned and this is the new log

Logfile of HijackThis v1.99.0
Scan saved at 4:07:52 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email (http://\"http://by8fd.bay8.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

here is the rkfiles log

C:\Documents and Settings\KenW\Desktop\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\blfqaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\cxkcqdre.exe: UPX!
C:\WINDOWS\SYSTEM32\hdnlppom.exe: UPX!
C:\WINDOWS\SYSTEM32\huraaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\ripaaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\UC3D.scr: UPX!
C:\WINDOWS\SYSTEM32\ydufaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
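The helper's approach in this thread is to compare each fresh HijackThis log against the earlier ones (mszx23.exe only stood out because it was absent from the first scan). As an added example, not code from the thread or from HijackThis, here is a small Python script that parses two logs, normalises path case so System32/system32 spellings do not produce false differences, and reports which processes and O-line entries appeared or vanished; it also flags O4 Run values that name a bare executable with no directory, since those are located through the search path at logon and deserve a look at which file actually runs. The two logs inside it are constructed samples in the same format, not the logs posted here.

```python
import re

# Constructed sample logs in HijackThis format (added example; not the logs
# posted in the thread). The second scan has one extra process and one extra
# Run entry, and winlogon's directory differs only in case.
OLD_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 4:07:52 PM, on 2/3/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 8:46:21 PM, on 2/3/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mszx23] C:\WINDOWS\System32\mszx23.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
"""

ENTRY_RE = re.compile(r"^([NORF]\d+)\s+-\s+(.*)$")  # "O4 - HKLM\..\Run: [...] ..."


def parse_hjt(text):
    """Return (processes, entries) from one HijackThis log, both lower-cased
    so that System32 and system32 spellings of a path compare equal.
    entries holds (section, body) tuples for the N/O/R/F lines."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the "Running processes:" block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2).lower()))
    return processes, entries


def diff_hjt(old_text, new_text):
    """What appeared or vanished between two scans (sorted lists)."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    return {
        "new_processes": sorted(new_p - old_p),
        "gone_processes": sorted(old_p - new_p),
        "new_entries": sorted(new_e - old_e),
        "gone_entries": sorted(old_e - new_e),
    }


def run_target(body):
    """Executable named by an O4 Run body; None for O4 lines without a [name]
    part (the Startup-folder .lnk lines). Handles quoted paths with arguments."""
    m = re.match(r".*?\]\s*(.*)$", body)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split()[0] if rest else None


def bare_name_run_entries(entries):
    """Targets of O4 Run values with no directory (e.g. 'ati2mdxx.exe').
    Such a value is located through the search path at logon, so confirm which
    file on disk actually runs instead of assuming the vendor's copy."""
    flagged = []
    for section, body in entries:
        if section == "O4":
            target = run_target(body)
            if target and "\\" not in target and "/" not in target:
                flagged.append(target)
    return sorted(flagged)


if __name__ == "__main__":
    for kind, items in diff_hjt(OLD_LOG, NEW_LOG).items():
        print(kind, items)
    print("bare-name Run targets:", bare_name_run_entries(parse_hjt(NEW_LOG)[1]))
```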
Title: hjt log
Post by: guestolo on February 03, 2005, 06:18:41 PM
You're doing good, this is a fairly new nasty
So again please print this out or save to a Notepad file on the desktop

===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need this later, don't run it yet

 ~REMOVED~

Disconnect completely from the Internet

What I meant by the cache tab
Go into the Control Panel
If not in Classic view >>> switch to Classic view
Double click the Java Plugin
Open the Cache tab and clear the cache

After that is done


Next:
Open up Windows CleanUp you installed earlier and click the Cleanup button
After cleanup DON'T log off

Double-click on Killbox.exe to run it
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
For any .dll file, additionally  put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"

C:\WINDOWS\SYSTEM32\blfqaaaa.exe

C:\WINDOWS\SYSTEM32\mszx23.exe

C:\WINDOWS\SYSTEM32\cxkcqdre.exe

C:\WINDOWS\SYSTEM32\hdnlppom.exe

C:\WINDOWS\SYSTEM32\huraaaaa.exe

C:\WINDOWS\SYSTEM32\ripaaaaa.exe

C:\WINDOWS\SYSTEM32\UC3D.scr

C:\WINDOWS\SYSTEM32\ydufaaaa.exe

C:\WINDOWS\System32\w32tm.exe

C:\WINDOWS\System32\vdmt16.sys

C:\WINDOWS\System32\winlow.sys

C:\WINDOWS\System32\p2.ini

C:\WINDOWS\System32\drct16.dll

C:\WINDOWS\System32\cz.dll

C:\WINDOWS\System32\hz.dll

C:\WINDOWS\System32\wz.dll

C:\WINDOWS\System32\p2.ini



When  you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot

Please Restart the computer into Safe mode at this time

Double click on fix.reg and allow it to merge to the registry

Stay in safe mode run Windows CleanUp one more time

Restart back to Normal mode
Again run fix.reg just to be on the safe side

If you don't have this Spyware checker
Download and Install the free version of
Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Please hold onto this, it's a great program, compliments Spybot very well
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to finish the cleaning process

Post back with a fresh hijackthis log

Can you also confirm that those entries in your registry are no longer present
Check Symantec's website for the presence of them
and how to enter the registry
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html

Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file on the desktop

Quote
regedit /e HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
copy HKLMRun.txt + HKCURun.txt = Output.txt
del /q HKLMRun.txt
del /q HKCURun.txt
notepad Output.txt
del /q Output.txt

Double click on Export.bat
It will produce a log>>Output.txt
Can you copy and paste the Whole contents of the Output.txt back here too, thanks

And one last thing
Could you verify none of these files exist in your C:\Windows\System32 folder
I may be repeating some files we have deleted, but take a look
C:\WINDOWS\system32\mszx23.exe
C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\cz.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\hz.dll
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\wz.dll
C:\WINDOWS\system32\p2.ini
C:\WINDOWS\system32\es.
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\z.
C:\WINDOWS\system32\—I0¢+opes.
C:\WINDOWS\system32\slowIsys.
C:\WINDOWS\system32\zININEwz.
C:\WINDOWS\system32\2Ioso.
C:\WINDOWS\system32\3d.
C:\WINDOWS\system32\|msz.
Title: hjt log
Post by: Guest on February 03, 2005, 09:57:45 PM
ok. a couple of issues

sorry but I can't find the java cache tab
under control panel, I have java. when I click on java I get five tabs across the top: general, update, java, security, advanced


for killbox, when I pasted these 3 dlls in, I was not given the option to unregister but proceeded anyway
C:\WINDOWS\System32\cz.dll

C:\WINDOWS\System32\hz.dll

C:\WINDOWS\System32\wz.dll


I found these files in C:\Windows\System32 folder
w32tm.exe
es.dll (NOT es. as in your post)

Left them alone for now.
adaware cleaned out some stuff.
Norton found no viruses. went through the symantec website/registry anyways. nothing to do there.

here's the output.txt
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"ATIModeChange"="Ati2mdxx.exe"
"PCTVOICE"="pctspk.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
@=""
"WeatherWatcher"="C:\\Program Files\\Weather Watcher\\ww.exe"

and here's the hjt log
Logfile of HijackThis v1.99.0
Scan saved at 8:46:21 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email (http://\"http://by8fd.bay8.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

thanks again for your efforts
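The Export.bat the helper supplied dumps the two Run keys with regedit /e and concatenates the results, which is why the Output.txt above carries two "Windows Registry Editor" headers and why every backslash and embedded quote in it is escaped. As an added example (not the thread's own script), this Python reader parses an export in that layout, undoes regedit's escaping, and lists only the values directly under the Run keys, skipping the OptionalComponents subkeys that regedit exports alongside HKLM\...\Run. The excerpt inside it is constructed in the same format, not the poster's Output.txt.

```python
import re

# Constructed excerpt in the layout regedit /e produces (added example; not the
# Output.txt posted in the thread). The second "Windows Registry Editor" header
# is what Export.bat's copy-concatenation of the HKLM and HKCU exports leaves.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
@=""
'''

# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def unescape_reg_string(s):
    # Undo regedit's escaping inside a quoted string: a doubled backslash
    # becomes one backslash and backslash-quote becomes a quote.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export. The default
    value '@' is stored under name ''. Only REG_SZ data (quoted) is unescaped;
    dword:/hex: data, which the Run keys do not use, is kept as written and
    multi-line hex continuations are not joined."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue  # blank lines and the (possibly repeated) file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else unescape_reg_string(m.group(1))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape_reg_string(data[1:-1])
            keys[current][name] = data
    return keys


def run_entries(keys):
    """(hive, value_name, command) for every value directly under a
    CurrentVersion Run key; the OptionalComponents subkeys are skipped."""
    result = []
    for path, values in keys.items():
        if path.lower().endswith(r"\currentversion\run"):
            hive = path.split("\\", 1)[0]
            result.extend((hive, name, data) for name, data in values.items())
    return result


def load_export(path):
    """Read a regedit /e file: version 5.00 exports are UTF-16LE with a BOM,
    older REGEDIT4 exports are ANSI. (Not exercised by the sample above.)"""
    with open(path, "rb") as fh:
        blob = fh.read()
    return blob.decode("utf-16") if blob.startswith(b"\xff\xfe") else blob.decode("cp1252")


if __name__ == "__main__":
    for hive, name, command in run_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{hive:<20} {name or '(default)':<20} {command}")
```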
Title: hjt log
Post by: kit23 on February 03, 2005, 09:59:21 PM
oh, didn't log in. well, who else would write all that?
Title: hjt log
Post by: guestolo on February 03, 2005, 10:26:23 PM
es.dll is a legit file>>leave it alone

Can you navigate to w32tm.exe
Let me know if your copy is related to
Windows Time Service Diagnostic Tool
Right click on it and select properties

Navigate to
C:\Documents and Settings\KenW\Application Data\Sun\Java\Deployment\cache\javapi\v1.0
folder and delete the Whole contents

If everything is running better can you now
Disable System Restore>>Restart your computer>>>Enable System Restore
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
This will clear out all those nasties in your System Restore folder and creates a fresh restore point once enabled

Once back in Windows and System Restore is re-enabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link==Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection


Could you post back one more log after you have done the above
Let me know about w32tm.exe
Also let me know how everything's running
Title: hjt log
Post by: kit23 on February 03, 2005, 11:39:37 PM
W32TM.EXE was related to the Windows Time Service Diagnostic Tool

java: there was no folder v1.0. there was nothing in javapi (and hidden folders/files/etc still are showing)

added the ie-spyad (actually usually use firefox but some things just need IE) to my spywareblaster

did you want another hjt log? here it is in case

Logfile of HijackThis v1.99.0
Scan saved at 10:33:58 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email (http://\"http://by8fd.bay8.Email\") Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



Everything's working great now!

Last question: previously I had used Zone Alarm as my firewall and had been worried about Service Pack 2. Would you suggest getting rid of Zone Alarm and using SP2 as my firewall?

once again, thanks for your tireless efforts.
Title: hjt log
Post by: guestolo on February 04, 2005, 12:33:07 AM
Zone Alarm is most definitely a better firewall

SP2 firewall has increased since SP1 in its firewall performance
This I will have to leave up to your own opinion
But read this and you decide
http://www.pcworld.com/news/article/0,aid,117380,00.asp

But you don't need both running.....

I guess I'm not up on the Clearing cache issue with Java 1.5
I better get up to date :P
You were more right than I, sorry for the confusion
http://www.java.com/en/download/help/5000020300.xml

If you're using the Dogpile Toolbar for its pop-up blocking ability
Don't forget that SP2 has incorporated a Popup blocker for IE also
It's in IE under the tools section

I noticed this in your log
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe

I guess you're already up on SpywareBlaster :D
My eyes are going on me
By the way, I wouldn't be without Firefox either

Thanks for hesitating on W32TM.EXE
We could have replaced it, but good move

Quote
went through the Symantec website/registry anyways. Nothing to do there
fix.reg probably took care of all of it for you


If you find the time would you mind running one more scan with
eScan
No rush, everything looks good
Before you run the scan can you delete your copy and download a new copy
If it's been updated, better to have the latest definitions
Here's the link again
Mwav.exe: ftp://ftp.microworldsystems.com/download/tools/mwav.exe

I'm just double checking to see if everything looks alright

Hold onto Windows CleanUp and clean those temp folders at least every couple of weeks
You may want to check the options in CleanUp and  uncheck Prefetch
But clean that folder at least every couple of months

Hold onto Ad-Aware along with Spybot
Check for updates at least every couple of weeks and run a scan
A little extra protection
Open Spybot>>Click Immunize>>OK>>Immunize at the top
Do this after every update
You may already know this, but you can open SpywareBlaster from the Immunize section of Spybot too...

I'll leave this topic open for a few days, if you can run another scan with eScan
and let me know if everything's clean, that would be great
Just give me a nod or slap or something while you're passing by to let me know all's well
:lol:
If you find something with eScan ensure to post it back here

Here's a quote from Symantec's site
Quote
It also attempts to log key strokes and steal passwords.

To be on the safe side, you may want to change passwords to any financial institutions>>>such as online banking and such

Stay safe

EDIT>>Can I check one thing please
Navigate to this key in the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Left click and Highlight Notify
Right click on it and EXPORT it
Name it and Save it to a convenient location
Exit the Registry

Navigate to where you saved the Export
Right click on it and choose EDIT
Copy and paste back here the whole contents
Title: hjt log
Post by: Guest on February 04, 2005, 06:42:21 PM
eScan is going to take 4 hrs, so I'll run it tonight and post it back here tomorrow sometime.
Here's the registry log you requested...
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
Title: hjt log
Post by: guestolo on February 05, 2005, 03:34:12 AM
Quote
eScan is going to take 4 hrs

Sorry, curious what you mean by that
The scan should take about 30 minutes at most
Is it the download time you're talking about?
Title: hjt log
Post by: Guest on February 05, 2005, 04:00:40 PM
Here's the eScan. Found a few more.

File C:\WINDOWS\System32\jwboytxh.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\liiceaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\rlrogyej.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\upxymnpk.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ydufaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\jwboytxh.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\liiceaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\rlrogyej.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\upxymnpk.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ydufaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.

Maybe I didn't set the options up right, but it takes 4 hrs to scan 70000+ files. (Download is 10 seconds.)
time elapsed: 04:19:16
it also found 80 errors. is that significant?
thanks
Title: hjt log
Post by: guestolo on February 05, 2005, 05:32:19 PM
Some of these won't die

Can you save this to a Notepad file again

Restart into Safe mode

Navigate to your System32 folder

Right click on each of the files I have in bold below
Left click properties
Look at the date and size of them

Are there any other files with the same date created and size
In the System32 folder?
Stay disconnected from the Internet

Open up Killbox

Copy and paste each of these into the Full path of file name  field
Click the REDX button after entering each

C:\WINDOWS\System32\jwboytxh.exe

C:\WINDOWS\System32\rlrogyej.exe

C:\WINDOWS\System32\upxymnpk.exe

C:\WINDOWS\SYSTEM32\liiceaaa.exe

C:\WINDOWS\SYSTEM32\ydufaaaa.exe


For any files that won't delete use the Delete on Reboot option
Let the computer restart back to Normal mode after you have pasted the last one in

Back in Windows
Ensure that those files are gone

Could you please go to this link
http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool
Download, UNZIP and run "RegSrch.vbs" >>Allow this to run, even if prompted from your AV
Copy and paste this in the dialog box:
mszx23.exe


Hit OK
After a while (about 10 seconds) a prompt will come up. Click OK to write the results to WordPad or Notepad and post them

Look back in your System32 folder, any new files created?


Can you navigate to this key in your Registry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

EXPORT >>>LIST

Could you also EXPORT the next one too
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

Exit the registry editor

Navigate to where you exported LIST
Right click on it and choose edit and paste it back here
Do the same for ModuleUsage

Could you also post a fresh hijackthis log, don't fix anything with it
Let me see the whole log
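The two checks guestolo asks for above (collapse the doubled eScan hits, then look in System32 for other files with the same size and creation time as the known-bad ones) can be scripted. This is an added example for the thread, not code from eScan, Killbox or HijackThis; the eScan lines and the directory listing are constructed from values posted here, and the matching rule (identical size, created within a few hours of a flagged file) is an assumption that you should tune to what you see on the machine.

```python
"""Triage helper: dedupe eScan hits, then find same-size/same-window siblings.
Added example for this thread; sample data is constructed, the matching rule
(same size, created within `window_s` of a known-bad file) is an assumption."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

ESCAN_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)"')


def leaf(path: str) -> str:
    """Last component of a Windows path (os.path.basename only splits on
    backslashes when the script itself runs on Windows)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def unique_hits(report: str) -> List[str]:
    """Flagged paths with case-insensitive duplicates collapsed: eScan lists
    System32 and SYSTEM32 separately, but NTFS treats them as one file."""
    seen = set()
    out: List[str] = []
    for line in report.splitlines():
        m = ESCAN_RE.match(line)
        if m and m.group("path").lower() not in seen:
            seen.add(m.group("path").lower())
            out.append(m.group("path"))
    return out


@dataclass(frozen=True)
class FileMeta:
    name: str
    size: int
    created: float  # epoch seconds


def find_siblings(listing: Sequence[FileMeta], reference: Iterable[str],
                  window_s: int = 3 * 3600) -> List[str]:
    """Names in `listing` that are not reference files themselves but match a
    reference file's size exactly and were created within `window_s` of it."""
    ref_names = {r.lower() for r in reference}
    refs = [f for f in listing if f.name.lower() in ref_names]
    hits = [f.name for f in listing
            if f.name.lower() not in ref_names
            and any(f.size == r.size and abs(f.created - r.created) <= window_s
                    for r in refs)]
    return sorted(hits)


def scan_directory(path: str) -> List[FileMeta]:
    """Adapter for a real folder. On Windows st_ctime is the creation time
    (newer Pythons also expose st_birthtime); on POSIX it is only the inode
    change time, so run this on the affected machine."""
    out: List[FileMeta] = []
    with os.scandir(path) as entries:
        for e in entries:
            if e.is_file(follow_symlinks=False):
                st = e.stat(follow_symlinks=False)
                out.append(FileMeta(e.name, st.st_size, st.st_ctime))
    return out


# Constructed sample: two of the hits, each reported twice as in the thread.
SAMPLE_ESCAN = (
    'File C:\\WINDOWS\\System32\\jwboytxh.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.\n'
    'File C:\\WINDOWS\\SYSTEM32\\jwboytxh.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.\n'
    'File C:\\WINDOWS\\System32\\liiceaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.\n'
    'File C:\\WINDOWS\\SYSTEM32\\liiceaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.\n'
)

# Constructed listing: 23 KB files dropped over 2-3 hours, as described in the
# thread; sizes and timestamps are illustrative, not taken from the machine.
T0 = 1107400000.0
SAMPLE_LISTING = [
    FileMeta("jwboytxh.exe", 23552, T0),
    FileMeta("liiceaaa.exe", 23552, T0 + 1800),
    FileMeta("tmpf00.exe", 23552, T0 + 5400),        # same size, same window
    FileMeta("notepad.exe", 69120, T0 + 600),        # same window, other size
    FileMeta("kernel32.dll", 983552, T0 - 400 * 86400),
]

if __name__ == "__main__":
    names = [leaf(p) for p in unique_hits(SAMPLE_ESCAN)]
    print("unique hits:", names)
    print("same-size siblings:", find_siblings(SAMPLE_LISTING, names))
```

On the affected box, replace SAMPLE_LISTING with `scan_directory(r"C:\WINDOWS\System32")` and feed it the names from the real eScan report; anything it returns is worth the same date/size inspection before you decide whether to delete it.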
Title: hjt log
Post by: kit23 on February 05, 2005, 06:15:07 PM
ok.

there weren't any files of the same date and size
the 5 files were deleted normally without reboot
they were gone when rechecked

mszx23.exe was not found in registry


When I looked back for new files created, there were none from today, but I noticed tmpf00.exe created on 2/3/05 within the timeframe of the other killed files (all 23kb and created over 2-3 hours).
Left it alone for now.

here are the export lists (no standard profile seen)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:enabled:explorer"


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/axofupld.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/easyupld.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/liborca.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/liborca_comm.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/NeoterisSetup.ocx]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/NeoterisSetupDll.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ofutils.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ofxml.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll]
".Owner"="{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}"
"{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_de.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_en.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_es.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_fr.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_ja.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_ko.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_zh.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_zh_cn.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll]
".Owner"="{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}"
"{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}"=""


Logfile of HijackThis v1.99.0
Scan saved at 5:10:13 PM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://icare.cdh.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Well, that's all I got for now.
Title: hjt log
Post by: kit23 on February 05, 2005, 06:36:51 PM
I just did a search of C:\ for exe files less than 100kb.

Those same 5 files came up as created on 2/5 at 4:54pm (40 min ago) in a folder called

C:\!Submit

they are listed as modified on 2/3

there are also 6 files (5 are 23kb, 1 is 9kb) created on 2/3
they are in c:\system volume information\_restore ...etc and are called A0017964.exe etc

hope this makes sense/helps
Title: hjt log
Post by: guestolo on February 05, 2005, 08:03:53 PM
Thanks for the cooperation Kit

The files in the Submit folder, you can delete if you choose they are the backups made by Killbox

Others in your System Volume Information folder
Are in your System Restore folders
You can Disable system restore>>Restart your computer and then Enable system restore
That should clean them

Quote
but i noticed tmpf00.exe created one 2/3/05 within the timeframe of the other killed files (all 23kb and created over 2-3hours)
left it alone for now

I forgot all about that
I asked you this before

"Find and delete these files or folders if they exist
C:\WINDOWS\System32\tmpf02.exe <--file
C:\WINDOWS\System32\tmpf00.exe <--file
C:\WINDOWS\System32\tmpf01.exe <--file
Are there any more files that look like tmpf0.exe?"

Go ahead and delete that file
C:\WINDOWS\System32\tmpf00.exe

Do it like this>>Delete that file
Disable System Restore
Run Windows CleanUp! again
Restart your computer
Enable System Restore

Can I have you run one more tool please
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT:  Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Could you also open Hijackthis>>Open the Misc tools section>>Open Host file manager
Click the "Open In Notepad" button
Copy and paste back here the Whole contents of the hosts notepad file, thanks
Title: hjt log
Post by: Guest on February 06, 2005, 01:36:26 AM
I did delete that tmpf00.exe on 2/2/05 along with the other 2. There were no others at that time. This tmpf00.exe file was created on 2/3/05.

Anyway, I deleted it now. Rechecked and it's not there (at least now).

Nothing in the hosts Notepad file.

L2MFIX find log 1.02a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL Included"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

********************************************************************************
HKEY ROOT CLASSIDS:
********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   hypertrm.dll   Wed Nov 17 2004  11:57:02a  A....        493,056   481.50 K
   klogini.dll    Tue Feb  1 2005   8:08:40p  A....              0     0.00 K
   knnaaaaa.dll   Tue Feb  1 2005   3:59:12p  A....         11,425    11.16 K
   koaaaaaa.dll   Tue Feb  1 2005   1:13:38p  A....          2,315     2.26 K
   ntrshp.dll     Tue Feb  1 2005   3:59:12p  A....            991     0.96 K
   shdocvw.dll    Thu Nov 11 2004  11:20:56p  A....      1,332,224     1.27 M
   user32.dll     Tue Dec 28 2004   7:31:44p  A....        574,464   561.00 K
   vsdata.dll     Sun Nov 28 2004   5:21:50a  A....         75,032    73.27 K
   vsinit.dll     Sun Nov 28 2004   5:22:02a  A....        124,184   121.27 K
   vsmonapi.dll   Sun Nov 28 2004   5:22:10a  A....        107,808   105.28 K
   vspubapi.dll   Sun Nov 28 2004   5:22:14a  A....        197,920   193.28 K
   vsregexp.dll   Sun Nov 28 2004   5:22:18a  A....         70,944    69.28 K
   vsutil.dll     Sun Nov 28 2004   5:22:30a  A....        353,560   345.27 K
   vsxml.dll      Sun Nov 28 2004   5:22:38a  A....         99,608    97.27 K
   zlcomm.dll     Sun Nov 28 2004   5:23:00a  A....         75,032    73.27 K
   zlcommdb.dll   Sun Nov 28 2004   5:23:04a  A....         66,848    65.28 K

16 items found:  16 files, 0 directories.
   Total of file sizes:  3,585,411 bytes      3.42 M
Locate .tmp files:

No matches found.
********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 78E6-2519

 Directory of C:\WINDOWS\System32

02/01/2005  10:51 PM    <DIR>          DLLCACHE
06/28/2004  06:13 PM               508 TafqXOmo.dwc
01/05/2003  03:41 AM    <DIR>          Microsoft
               1 File(s)            508 bytes
               2 Dir(s)  12,037,636,096 bytes free
Title: hjt log
Post by: guestolo on February 06, 2005, 02:59:49 AM
Open Killbox>>click on tools>>Delete Temp files

Can you have Killbox delete these files on reboot
Unregister .dll also, if it will

C:\WINDOWS\SYSTEM32\klogini.dll

C:\WINDOWS\SYSTEM32\knnaaaaa.dll

C:\WINDOWS\SYSTEM32\koaaaaaa.dll

C:\WINDOWS\SYSTEM32\ntrshp.dll


On the last one reboot your computer

Back in Windows
Double click on fix.reg that you saved earlier and allow it to merge
 look for these files in the System32 folder
 most we got, but take a look

cm.dll
draw32.dll
hm.sys
klogini.dll
memlow.sys
p2.ini
vdnt32.sys
wd.sys

Can you make sure that no other new files were created and make sure the ones we killed with killbox are gone

You also had this infection
http://www.sophos.com/virusinfo/analyses/trojppdoora.html

Can you ensure there is no presence of it left in this key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
If you highlight shellserviceobjectdelayload
on the right hand side it should look something like this
Default
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

The above are legit entries, do you see anything different?

When you tried opening the Host file in notepad with Hijackthis
Did you mean that there were no entries below this entry?
127.0.0.1 localhost

or was it actually a blank box, no writing at all?
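An added example, not part of the thread and not L2MFix's own code: a small Python script that parses a .reg export in the same format as the L2MFix dump above and flags any Winlogon\Notify subkey whose DllName is not one of the DLLs seen in this machine's dump, plus any ShellServiceObjectDelayLoad entry whose CLSID is not one of the four the helper lists as legitimate. The allowlists come from this thread; the sample export is constructed (two keys copied from the dump, one Notify key named after a DLL the log found, and one SSODL entry with a placeholder CLSID).

```python
"""Audit a .reg export of the two autostart keys examined in this thread:
the Winlogon Notify key (where L2MFix looks) and ShellServiceObjectDelayLoad."""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Known-good Notify DLLs, taken from the L2MFix dump posted above (XP SP1 plus Norton).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "navlogon.dll"}
# Legitimate SSODL CLSIDs as listed by the helper (PostBootReminder, CDBurn, WebCheck, SysTray).
KNOWN_SSODL = {"{7849596a-48ea-486e-8937-a2a3009f31a9}", "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
               "{e6fb5e20-de35-11cf-9c87-00aa005127ed}", "{35cec8a3-2be6-11d2-8773-92e220524153}"}

# Constructed sample: two keys copied from the thread's dump, plus a constructed Notify
# key (named after a DLL the log found) and a constructed SSODL entry with a placeholder
# CLSID. Both constructed entries should be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\knnaaaaa]
"DllName"="C:\\WINDOWS\\System32\\knnaaaaa.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Network Monitor"="{00000000-dead-beef-0000-000000000000}"
'''


def decode_value(raw):
    """Decode one .reg value: "string", dword:, or hex(N): byte lists
    (hex(1)/hex(2)/hex(7) are UTF-16LE strings; other hex types stay bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: decoded_value}}."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        # hex values wrap onto following lines ending in a backslash; rejoin them
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Return (section, entry, detail) tuples for anything not on the allowlists."""
    findings = []
    known_ssodl = {c.lower() for c in KNOWN_SSODL}
    for path, values in keys.items():
        if path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            subkey = path.rsplit("\\", 1)[1]
            # the value name is spelled DllName or DLLName depending on the subkey
            dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
            if dll is None:
                findings.append(("notify", subkey, "no DllName value"))
                continue
            base = str(dll).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base not in KNOWN_NOTIFY_DLLS:
                findings.append(("notify", subkey, base))
        elif path.lower() == SSODL_KEY.lower():
            for name, clsid in values.items():
                if str(clsid).lower() not in known_ssodl:
                    findings.append(("ssodl", name, str(clsid)))
    return findings
```

Run `audit(parse_reg(open("export.reg").read()))` against a real export; a DLL missing from the allowlist is a lead to investigate, not proof of infection, since other software (security suites, smart-card middleware) legitimately registers Notify DLLs.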
Title: hjt log
Post by: kit23 on February 06, 2005, 10:02:07 AM
the only file left was vdnt32.sys
i deleted it manually
 
saw this on the sophos website for Troj/Haxdoor-O
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\
Type
Start
ErrorControl
ImagePath
DisplayName
Security\
Security\Security

so i checked the registry and didnt find vdnt32 folder listed

only those 4 entries (and default) in:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

hjt notepad was actually a blank box with no writing at all
Title: hjt log
Post by: guestolo on February 06, 2005, 02:36:04 PM
Couple choices
You should be able to Navigate to
C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder
Inside the ETC folder should be a HOST file
No extension
If you open it up in Notepad
It should look something like this
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

If yours has nothing in it
You can add the above to your empty Notepad file
or
Download and UNZIP to a folder Hoster by Toadbee (http://members.aol.com/toadbee/hoster.zip)
and click "RESTORE ORIGINAL HOSTS"

OR
Install a Custom Host file
Here's some info
http://www.mvps.org/winhelp2002/hosts.htm

Can you check and see if any other files are created in your system32 folder
recently created
Careful, there may be legit entries
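An added example, not from the thread or from Hoster: a Python check that reads a hosts file and reports the three states discussed above (blank file, the default `127.0.0.1 localhost` only, or extra mappings), separating MVPS-style block entries that point at 127.0.0.1 or 0.0.0.0 from entries that redirect a hostname to some other address. The three sample files are constructed; the hostnames and the 203.0.113.x address are documentation-reserved values.

```python
"""Review a Windows hosts file: is it blank, does it carry the default
localhost line, and does anything redirect a hostname to a real address?"""
import ipaddress

# Constructed samples. DEFAULT_HOSTS follows the Microsoft sample quoted in the thread;
# EMPTY_HOSTS is the blank file the poster saw; SUSPECT_HOSTS mixes a blocklist-style
# entry with a constructed redirect and a malformed line.
DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server
# 38.25.63.10      x.acme.com              # x client host
127.0.0.1       localhost
"""
EMPTY_HOSTS = ""
SUSPECT_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blocklist-style entry, expected with MVPS hosts
203.0.113.10    www.example.com secure.example.com   # constructed redirect to a foreign address
banana
"""


def parse_hosts(text):
    """Return (lineno, ip, hostname) triples; '#' comments and blank lines are
    skipped, and a line naming several hosts yields one triple per host."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        if not names:                       # an address (or junk) with no hostname
            entries.append((lineno, ip, None))
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def review_hosts(text):
    """Classify each mapping as blocked (loopback or 0.0.0.0 target), redirected
    (any other target), or malformed, and note whether localhost is intact."""
    report = {"empty": False, "localhost_ok": False,
              "blocked": [], "redirected": [], "malformed": []}
    entries = parse_hosts(text)
    if not entries:
        report["empty"] = True              # the blank file seen in the thread
        return report
    for lineno, ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr is None or name is None:
            report["malformed"].append(lineno)
        elif name == "localhost":
            report["localhost_ok"] = addr.is_loopback
        elif addr.is_loopback or addr.is_unspecified:
            report["blocked"].append(name)  # harmless blackhole entry
        else:
            report["redirected"].append((name, ip))  # worth a closer look
    return report
```

On XP the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; anything in `redirected` deserves scrutiny because it silently overrides DNS for that name.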
Title: hjt log
Post by: kit23 on February 06, 2005, 02:50:35 PM
so i restored the original hosts file from toadbee

these are the files since 2/2/05
T.COM 2/2
TSKMGR.COM  2/2

these on 2/6
locate.com
NTrights.exe
Process.exe
Reboot.exe
RegDACL.exe
strings.exe
zip.exe

there are a LOT of files created on 2/1/05
Title: hjt log
Post by: guestolo on February 06, 2005, 03:12:01 PM
locate.com
NTrights.exe
Process.exe
Reboot.exe
RegDACL.exe
strings.exe
zip.exe

Most or all are related to the L2MFix you ran earlier

I was more concerned with any files in the system32 folder that we were dealing with in this thread
To ensure that you restore the rights properly
Although VX2 was not found

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

I think we got it all, I'm just concerned about one entry in your registry, I'll check into it

Can you also do me one more favor please

Can you go to START>>RUN>>type cmd
Hit ok

Type these into the command prompt box hitting Enter after each

cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit


The below is how to input

cd\<enter>
cd+%windir%\system32<enter>
dir+/a:-d+/o:-d+>+%systemdrive%\system32.txt<enter>
start+%systemdrive%\system32.txt<enter>
cls<enter>
exit<enter>

NOTE: Don't include the + signs when entering the commands
That is just to indicate where there is a space

A long log should popup
Can you include that log back here please
Title: hjt log
Post by: kit23 on February 06, 2005, 05:24:24 PM
here it is.

Logfile of HijackThis v1.99.0
Scan saved at 4:23:12 PM, on 2/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://icare.cdh.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

L2Mfix 1.02a
 
Running From:
C:\Documents and Settings\KenW\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      Everyone
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\KenW\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\KenW\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1244 'explorer.exe'
Killing PID 1244 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
 
Zipping up files for submission:
  adding: clear.reg (164 bytes security) (deflated 2%)
  adding: echo.reg (164 bytes security) (deflated 8%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 70%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 63%)
  adding: test.txt (164 bytes security) (stored 0%)
  adding: test2.txt (164 bytes security) (stored 0%)
  adding: test3.txt (164 bytes security) (stored 0%)
  adding: test5.txt (164 bytes security) (stored 0%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Title: hjt log
Post by: guestolo on February 06, 2005, 05:55:34 PM
Again, thanks for your cooperation

I'm going to watch the Superbowl, so I won't be back on for a while.

Not sure if you've seen my edit above, Kit.
If you could supply the log you get from the command prompt,
that would be appreciated.
Title: hjt log
Post by: kit23 on February 06, 2005, 06:13:33 PM
Sorry, totally missed that.
Here's the log:

 Volume in drive C has no label.
 Volume Serial Number is 78E6-2519

 Directory of C:\WINDOWS\SYSTEM32

02/06/2005  04:18 PM               893 vsconfig.xml
02/03/2005  05:47 PM            25,913 klo5.sys
02/03/2005  04:08 PM                95 ps.a3d
02/01/2005  11:06 PM            25,065 wmpscheme.xml
02/01/2005  11:05 PM            16,832 amcompat.tlb
02/01/2005  11:05 PM            23,392 nscompat.tlb
02/01/2005  10:53 PM               216 spdwnwxp.log
02/01/2005  10:34 PM           380,918 PERFH009.DAT
02/01/2005  10:34 PM            53,166 PERFC009.DAT
02/01/2005  10:33 PM           439,376 PerfStringBackup.INI
02/01/2005  10:27 PM           230,392 FNTCACHE.DAT
02/01/2005  05:18 PM             4,212 zllictbl.dat
02/01/2005  05:03 PM             1,170 WPA.DBL
01/23/2005  05:33 PM         5,242,934 toyhide.bmp
12/28/2004  07:31 PM           574,464 user32.dll
12/02/2004  01:14 PM           512,512 hhctrl.ocx
11/28/2004  05:23 AM            66,848 zlcommdb.dll
11/28/2004  05:23 AM            75,032 zlcomm.dll
11/28/2004  05:22 AM            99,608 vsxml.dll
11/28/2004  05:22 AM           353,560 vsutil.dll
11/28/2004  05:22 AM            70,944 vsregexp.dll
11/28/2004  05:22 AM           197,920 vspubapi.dll
11/28/2004  05:22 AM           107,808 vsmonapi.dll
11/28/2004  05:22 AM           124,184 vsinit.dll
11/28/2004  05:21 AM           279,264 vsdatant.sys
11/28/2004  05:21 AM            75,032 vsdata.dll
11/17/2004  09:18 PM            49,262 jpicpl32.cpl
11/17/2004  09:18 PM           127,075 javaws.exe
11/17/2004  09:18 PM            49,247 javaw.exe
11/17/2004  09:18 PM            49,245 java.exe
11/17/2004  11:57 AM           493,056 hypertrm.dll
11/11/2004  11:20 PM         1,332,224 shdocvw.dll
10/28/2004  09:45 AM         1,350,144 query.dll
10/28/2004  09:45 AM            64,512 ciodm.dll
10/27/2004  07:29 PM           116,736 shsvcs.dll
10/27/2004  07:29 PM           681,984 lsasrv.dll
10/27/2004  07:29 PM            92,160 cscdll.dll
10/25/2004  10:39 AM           450,048 urlmon.dll
10/25/2004  10:39 AM         2,693,120 mshtml.dll
10/22/2004  02:33 AM         2,088,448 ntoskrnl.exe
10/22/2004  01:29 AM         1,955,840 ntkrnlpa.exe
09/26/2004  06:47 PM            29,184 sstunst2.exe
08/26/2004  09:53 AM            69,632 inseng.dll
08/23/2004  07:32 PM           589,312 wininet.dll
08/22/2004  06:34 PM         1,025,536 browseui.dll
08/21/2004  01:54 AM           316,928 zipfldr.dll
08/20/2004  04:01 PM            15,872 linkinfo.dll
08/20/2004  04:01 PM            82,432 fldrclnr.dll
08/20/2004  04:01 PM           700,928 sxs.dll
08/20/2004  04:01 PM         8,442,368 shell32.dll
08/20/2004  02:01 PM           422,912 shlwapi.dll
08/05/2004  12:15 PM         1,845,888 win32k.sys
08/04/2004  01:56 AM             8,192 spdwnwxp.exe
08/03/2004  09:42 PM            20,480 sprecovr.exe
08/03/2004  09:42 PM            15,872 spupdsvc.exe
08/03/2004  01:07 PM         1,081,112 wuaueng.dll
08/03/2004  01:04 PM           185,624 iuengine.dll
08/03/2004  01:03 PM           167,704 wuaucpl.cpl
08/03/2004  01:03 PM           186,136 wuaueng1.dll
08/03/2004  01:02 PM           118,552 wucltui.dll
08/03/2004  01:02 PM           113,944 wuauclt.exe
08/03/2004  01:01 PM           167,704 wuauclt1.exe
08/03/2004  01:00 PM            71,448 cdm.dll
08/03/2004  01:00 PM           420,632 wuapi.dll
08/03/2004  12:59 PM           120,288 wuweb.dll
08/03/2004  12:59 PM            39,704 wups.dll
08/02/2004  01:20 PM             4,569 secupd.dat
08/02/2004  01:20 PM             7,208 secupd.sig
07/30/2004  03:29 PM           594,432 xpsp2res.dll
07/29/2004  04:50 PM            38,400 grpconv.exe
07/19/2004  03:19 PM           285,696 kstvtune.ax
07/09/2004  03:27 AM           181,248 dmime.dll
07/09/2004  03:27 AM           265,728 ddraw.dll
07/09/2004  03:27 AM           104,448 dmusic.dll
07/09/2004  03:27 AM         1,179,648 d3d8.dll
07/09/2004  03:27 AM           230,400 dplayx.dll
07/09/2004  03:27 AM            57,856 dpwsockx.dll
07/09/2004  03:27 AM         1,689,600 d3d9.dll
07/09/2004  03:27 AM           363,520 dsound.dll
07/09/2004  03:27 AM           974,848 dxdiag.exe
07/09/2004  03:27 AM         1,769,472 dxdiagn.dll
07/09/2004  03:27 AM           382,976 qdvd.dll
07/09/2004  03:27 AM           276,480 qdv.dll
07/09/2004  03:26 AM            47,104 wstdecod.dll
07/09/2004  03:26 AM            30,208 psisrndr.ax
07/09/2004  03:26 AM           354,816 psisdecd.dll
07/09/2004  03:26 AM           226,304 kswdmcap.ax
07/09/2004  03:26 AM            27,648 vbisurf.ax
07/09/2004  03:26 AM            52,224 msdvbnp.ax
07/09/2004  03:26 AM            39,424 ksxbar.ax
07/09/2004  03:26 AM            57,856 mpeg2data.ax
07/09/2004  03:26 AM         1,230,336 msvidctl.dll
07/09/2004  03:26 AM            16,896 bdaplgin.ax
07/09/2004  03:26 AM            16,896 msyuv.dll
07/09/2004  03:26 AM            14,848 ipsink.ax
07/01/2004  04:08 PM             7,168 bitsprx3.dll
07/01/2004  04:08 PM            17,408 qmgrprxy.dll
07/01/2004  04:08 PM             7,680 bitsprx2.dll
07/01/2004  04:08 PM           361,984 qmgr.dll
07/01/2004  04:08 PM           331,776 winhttp.dll
06/30/2004  05:59 PM           158,720 xpob2res.dll
06/28/2004  06:13 PM               508 TafqXOmo.dwc
06/22/2004  06:43 PM           123,392 itss.dll
06/17/2004  11:58 AM            13,312 ntvdmd.dll
06/17/2004  11:58 AM           930,816 kernel32.dll
06/17/2004  11:58 AM           276,992 winsrv.dll
06/17/2004  11:58 AM            47,616 basesrv.dll
06/17/2004  11:58 AM           257,536 gdi32.dll
06/17/2004  11:58 AM            23,040 vdmdbg.dll
06/16/2004  06:24 PM            16,384 nddenb32.dll
06/16/2004  12:32 PM           107,008 netdde.exe
06/15/2004  07:07 PM             3,364 d3d9caps.dat
06/15/2004  04:19 PM               257 seedfile.dat
06/15/2004  12:42 PM               398 master.dll
06/15/2004  12:42 PM           115,623 datastore.dll
06/15/2004  05:58 AM               766 wecxg32.dll
06/15/2004  05:58 AM               766 zxmsn.dll
06/15/2004  05:58 AM               766 gupd.dll
06/15/2004  05:58 AM               766 cidpoq32.dll
06/15/2004  05:58 AM               766 cidft.dll
06/15/2004  05:58 AM               766 sdfup.dll
06/15/2004  05:58 AM               766 xcwer32.dll
06/15/2004  05:58 AM               766 icqrt.dll
06/15/2004  05:58 AM               766 icvbr.dll
06/15/2004  05:58 AM               766 icnfe.dll
06/15/2004  05:58 AM                34 mtjpgb.dll
06/13/2004  04:51 PM               597 jupdate-1.4.2_04-b05.log
06/11/2004  07:14 PM           396,288 ntvdm.exe
06/08/2004  04:02 PM           172,544 schedsvc.dll
06/08/2004  04:02 PM           260,096 mstask.dll
06/08/2004  04:02 PM           306,688 netapi32.dll
06/08/2004  01:59 PM            10,752 mstinit.exe
06/07/2004  01:19 PM           596,480 inetcomm.dll
06/03/2004  06:43 PM           245,760 wow32.dll
05/26/2004  09:37 PM             1,454 qtplugin.log
05/26/2004  07:38 PM           483,328 winlogon.exe
05/17/2004  04:48 PM            92,224 krnl386.exe
05/17/2004  04:43 PM            35,424 ntio412.sys
05/17/2004  04:43 PM            34,560 ntio404.sys
05/17/2004  04:43 PM            34,560 ntio804.sys
05/17/2004  04:43 PM            35,648 ntio411.sys
05/17/2004  04:43 PM            33,840 ntio.sys
04/10/2004  11:24 AM            26,112 xpsp1hfm.exe
04/08/2004  01:12 PM            70,144 QuickTimeCheck.ocx
04/08/2004  01:12 PM         2,017,280 QuickTimeMusicalInstruments.qtx
04/08/2004  01:12 PM           430,592 QuickTimeVR.qtx
04/08/2004  01:12 PM           323,072 QuickTime.cpl
04/08/2004  01:12 PM         5,524,992 QuickTime.qts
04/05/2004  04:42 PM            78,896 GEARAspi.dll
03/31/2004  07:58 PM           176,167 rmoc3260.dll
03/31/2004  07:58 PM             5,632 pndx5032.dll
03/31/2004  07:58 PM             6,656 pndx5016.dll
03/31/2004  07:58 PM           278,528 pncrt.dll
03/29/2004  07:48 PM           253,440 h323.tsp
03/29/2004  07:48 PM            36,864 mf3216.dll
03/29/2004  07:48 PM            51,712 msasn1.dll
03/29/2004  07:48 PM           439,808 ipnathlp.dll
03/29/2004  07:48 PM           593,408 h323msp.dll
03/29/2004  07:48 PM           971,264 msgina.dll
03/29/2004  07:48 PM           136,704 schannel.dll
03/29/2004  07:48 PM           548,352 rtcdll.dll
03/17/2004  01:33 PM             6,656 spmsg.dll
03/16/2004  12:44 PM            30,749 vbajet32.dll
03/16/2004  12:44 PM         1,507,356 msjet40.dll
03/16/2004  11:38 AM           614,431 mswstr10.dll
03/16/2004  11:38 AM           151,583 msjint40.dll
03/05/2004  08:16 PM         1,194,496 comsvcs.dll
03/05/2004  08:16 PM           535,552 rpcrt4.dll
03/05/2004  08:16 PM           226,816 es.dll
03/05/2004  08:16 PM           977,920 msdtctm.dll
03/05/2004  08:16 PM           499,712 clbcatq.dll
03/05/2004  08:16 PM           263,680 rpcss.dll
03/05/2004  08:16 PM         1,183,744 ole32.dll
03/05/2004  08:16 PM            82,432 mtxoci.dll
03/05/2004  08:16 PM           150,528 msdtcuiu.dll
03/05/2004  08:16 PM            64,512 colbact.dll
03/05/2004  08:16 PM           367,616 msdtcprx.dll
03/05/2004  08:16 PM           110,080 clbcatex.dll
03/05/2004  08:16 PM           594,944 catsrvut.dll
03/05/2004  08:16 PM            64,512 mtxclu.dll
03/05/2004  08:16 PM           225,280 catsrv.dll
03/05/2004  08:16 PM           499,200 comuid.dll
03/05/2004  08:16 PM            97,280 txflog.dll
03/03/2004  10:13 PM           167,936 SpoonUninstall.exe
03/01/2004  12:55 PM           348,189 msxbde40.dll
03/01/2004  12:55 PM           552,989 msrepl40.dll
03/01/2004  12:55 PM           258,077 mstext40.dll
03/01/2004  12:55 PM           348,189 mspbde40.dll
03/01/2004  12:55 PM           241,693 msjtes40.dll
03/01/2004  12:55 PM           319,517 msexcl40.dll
03/01/2004  12:55 PM           512,029 msexch40.dll
03/01/2004  12:52 PM           358,976 msjetoledb40.dll
01/31/2004  12:39 AM           115,512 iuctl.dll
01/10/2004  05:37 AM           380,957 expsrv.dll
01/10/2004  05:36 AM           831,519 mswdat10.dll
01/10/2004  05:36 AM           315,423 msrd3x40.dll
01/10/2004  05:36 AM           421,919 msrd2x40.dll
01/10/2004  05:36 AM           213,023 msltus40.dll
01/10/2004  05:36 AM            53,279 msjter40.dll
01/05/2004  01:30 AM           565,248 hpotscl.dll
01/05/2004  01:30 AM            90,112 hpovst08.dll
01/05/2004  01:30 AM           274,432 hpgwiamd.dll
01/05/2004  01:30 AM            57,344 hpzisn12.dll
01/05/2004  01:30 AM           196,608 hpzipr12.dll
01/05/2004  01:30 AM            94,208 hpzipt12.dll
01/05/2004  01:30 AM            61,699 hpzinw12.exe
01/05/2004  01:30 AM           266,296 hpzidr12.dll
01/05/2004  01:30 AM            65,795 hpzipm12.exe
01/05/2004  01:30 AM           184,386 hpzsnt09.dll
01/05/2004  01:30 AM           192,512 hpzcoi09.dll
01/05/2004  01:30 AM           258,048 hpzcon09.dll
01/05/2004  01:30 AM           262,144 HPZc3212.dll
12/18/2003  01:04 PM            49,152 hpzjrd01.dll
12/11/2003  10:15 AM           487,424 hpvcp70.dll
12/11/2003  10:15 AM           344,064 hpvcr70.dll
12/11/2003  10:15 AM           626,960 hpvaut32.dll
12/11/2003  10:15 AM            44,544 MSXML4a.dll
11/02/2003  06:33 PM           188,681 setup.inx
10/27/2003  08:13 PM            24,576 odbcbcp.dll
10/27/2003  08:13 PM            98,304 odbccp32.dll
10/27/2003  08:12 PM           385,024 sqlsrv32.dll
10/27/2003  08:12 PM            61,440 dbnetlib.dll
10/27/2003  08:09 PM           126,976 msdart.dll
10/27/2003  08:09 PM           204,800 odbc32.dll
10/21/2003  05:06 PM           119,808 wkssvc.dll
10/21/2003  05:06 PM            32,256 msgsvc.dll
09/18/2003  06:53 AM         1,302,528 wmpcore.dll
09/17/2003  11:01 AM           844,048 msdxm.ocx
09/04/2003  09:49 AM           212,992 HPODStormEncoder.dll
08/29/2003  01:55 AM           423,424 WMAVDS32.ax
08/28/2003  08:57 AM           143,872 itircl.dll
08/23/2003  06:35 PM             8,464 sporder.dll
07/24/2003  03:40 PM           477,696 cryptui.dll
06/23/2003  01:44 AM         1,415,680 wmv9vcm.dll
05/30/2003  08:00 AM         1,246,208 quartz.dll
05/30/2003  08:00 AM         1,189,888 dx8vb.dll
05/30/2003  08:00 AM            53,248 devenum.dll
05/30/2003  08:00 AM           797,184 d3dim700.dll
05/22/2003  07:58 AM            98,304 hpzjsn01.dll
05/01/2003  03:56 PM           654,336 ntdll.dll
04/18/2003  03:46 PM         1,233,920 msxml4.dll
03/25/2003  06:40 PM            53,760 cryptsvc.dll
03/24/2003  08:00 AM            68,096 dpnhupnp.dll
03/24/2003  08:00 AM            32,768 dpnhpast.dll
03/18/2003  08:20 PM         1,060,864 mfc71.dll
03/18/2003  08:12 PM         1,047,552 mfc71u.dll
03/18/2003  07:44 PM            49,152 MFC71KOR.DLL
03/18/2003  07:44 PM            57,344 MFC71ENU.DLL
03/18/2003  07:44 PM            40,960 MFC71CHS.DLL
03/18/2003  07:44 PM            61,440 MFC71ESP.DLL
03/18/2003  07:44 PM            61,440 MFC71ITA.DLL
03/18/2003  07:44 PM            45,056 MFC71CHT.DLL
03/18/2003  07:44 PM            65,536 MFC71DEU.DLL
03/18/2003  07:44 PM            49,152 MFC71JPN.DLL
03/18/2003  07:44 PM            61,440 MFC71FRA.DLL
03/18/2003  07:14 PM           499,712 msvcp71.dll
03/18/2003  06:05 PM            89,088 atl71.dll
03/09/2003  07:58 PM            20,898 SpoonUninstall-dBpowerAMP Music Converter.dat
03/09/2003  07:58 PM            27,958 SpoonUninstall-dBpowerAMP Music Converter.bmp
03/03/2003  03:57 PM           228,864 msoeacct.dll
03/03/2003  03:57 PM            44,032 msident.dll
03/03/2003  03:57 PM            91,136 msoert2.dll
02/28/2003  05:26 PM           171,792 wjview.exe
02/28/2003  05:26 PM            15,120 jdbgmgr.exe
02/28/2003  05:26 PM           172,304 jview.exe
02/28/2003  05:26 PM           947,472 msjava.dll
02/28/2003  05:26 PM            49,424 clspack.exe
02/28/2003  05:26 PM           286,992 vmhelper.dll
02/28/2003  05:26 PM            21,264 msjdbc10.dll
02/28/2003  05:26 PM           171,280 jit.dll
02/28/2003  05:26 PM           154,384 msawt.dll
02/28/2003  05:26 PM           139,536 javaee.dll
02/28/2003  05:26 PM           404,752 javart.dll
02/28/2003  05:26 PM            63,248 javaprxy.dll
02/28/2003  05:26 PM           187,152 javacypt.dll
02/28/2003  03:54 PM             7,315 javasup.vxd
02/28/2003  03:38 PM               113 zonedoff.reg
02/28/2003  03:38 PM               113 zonedon.reg
02/28/2003  03:34 PM           313,856 dx3j.dll
02/21/2003  03:42 AM           348,160 msvcr71.dll
02/20/2003  06:16 PM            32,768 netfxperf.dll
02/20/2003  06:09 PM           106,496 mscories.dll
02/20/2003  06:06 PM           155,648 mscoree.dll
02/20/2003  05:43 PM            16,896 mscorier.dll
02/03/2003  03:47 PM               145 AddPort.ini
01/31/2003  05:46 PM           238,080 newdev.dll
01/31/2003  11:59 AM           118,784 HPODXPAT.DLL
01/20/2003  11:24 PM         4,530,256 atioglxx.dll
01/20/2003  10:45 PM           268,416 ati2dvag.dll
01/20/2003  10:35 PM            77,824 atipdlxx.dll
01/20/2003  10:35 PM            73,728 Oemdspif.dll
01/20/2003  10:35 PM           151,552 ati2evxx.exe
01/20/2003  10:34 PM            49,152 ATIDDC.DLL
01/20/2003  10:30 PM           721,561 ati3duag.dll
01/20/2003  10:18 PM         1,143,963 ati3d2ag.dll
01/20/2003  10:03 PM           942,395 ati3d1ag.dll
01/20/2003  09:45 PM            32,768 atitvo32.dll
01/19/2003  10:06 PM             1,888 Lexmark 3200 Series ColorFine.AD2
01/13/2003  02:57 PM           589,881 jscript.dll
01/11/2003  11:02 AM               361 QuickTime.qtp
01/10/2003  02:43 PM            37,888 hhsetup.dll
01/10/2003  03:04 AM               270 $WINNT$.INF
01/07/2003  11:47 AM           290,816 atiiiexx.dll
01/05/2003  04:31 AM               333 $NCSP$.INF
01/05/2003  04:28 AM            45,056 cdrtc.dll
01/05/2003  04:28 AM            45,056 cdral.dll
01/05/2003  04:02 AM             1,536 TrueSoft.dat
01/05/2003  03:49 AM               547 OEMINFO.INI
12/12/2002  12:14 AM             8,192 d3d8thk.dll
12/12/2002  12:14 AM           177,152 qcap.dll
12/12/2002  12:14 AM           524,800 qedit.dll
12/12/2002  12:14 AM           733,184 qedwipes.dll
12/12/2002  12:14 AM           194,560 mswebdvd.dll
12/12/2002  12:14 AM            13,312 msdmo.dll
12/12/2002  12:14 AM            64,512 amstream.dll
12/12/2002  12:14 AM           136,192 mpg2splt.ax
12/12/2002  12:14 AM            34,304 mciqtz32.dll
12/12/2002  12:14 AM            83,456 l3codecx.ax
12/12/2002  12:14 AM             4,096 ksuser.dll
12/12/2002  12:14 AM           117,248 ksproxy.ax
12/12/2002  12:14 AM            12,288 ksolay.ax
12/12/2002  12:14 AM            18,944 encapi.dll
12/12/2002  12:14 AM           602,624 dx7vb.dll
12/12/2002  12:14 AM            18,432 dswave.dll
12/12/2002  12:14 AM         1,294,336 dsound3d.dll
12/12/2002  12:14 AM            68,096 dsdmoprp.dll
12/12/2002  12:14 AM           186,880 dsdmo.dll
12/12/2002  12:14 AM           112,128 dpvvox.dll
12/12/2002  12:14 AM            80,896 dpvsetup.exe
12/12/2002  12:14 AM           203,264 dpvoice.dll
12/12/2002  12:14 AM            19,968 dpvacm.dll
12/12/2002  12:14 AM            16,896 dpnsvr.exe
12/12/2002  12:14 AM             3,072 dpnlobby.dll
12/12/2002  12:14 AM           377,856 dpnet.dll
12/12/2002  12:14 AM             3,072 dpnaddr.dll
12/12/2002  12:14 AM            22,016 dpmodemx.dll
12/12/2002  12:14 AM            28,160 dplaysvr.exe
12/12/2002  12:14 AM           100,864 dmsynth.dll
12/12/2002  12:14 AM            98,816 dmstyle.dll
12/12/2002  12:14 AM            76,800 dmscript.dll
12/12/2002  12:14 AM            33,280 dmloader.dll
12/12/2002  12:14 AM            58,368 dmcompos.dll
12/12/2002  12:14 AM            27,136 dmband.dll
12/12/2002  12:14 AM            24,064 ddrawex.dll
12/11/2002  11:14 PM            46,592 dxdllreg.exe
12/11/2002  07:09 PM           358,912 msscp.dll
12/11/2002  07:02 PM         2,058,888 wmvcore.dll
12/11/2002  06:50 PM           301,712 drmclien.dll
12/11/2002  06:12 PM           760,968 wmsdmod.dll
12/11/2002  06:12 PM           316,040 mp43dmod.dll
12/11/2002  06:11 PM           410,248 wmadmod.dll
12/11/2002  06:10 PM           816,264 wmvdmod.dll
12/11/2002  06:09 PM           678,912 drmv2clt.dll
12/11/2002  06:09 PM           253,952 msnetobj.dll
12/11/2002  06:09 PM           232,960 blackbox.dll
12/11/2002  06:07 PM           486,536 wmspdmod.dll
12/11/2002  05:34 PM            82,432 drmstor.dll
12/11/2002  05:34 PM           892,416 wmspdmoe.dll
12/11/2002  05:34 PM           670,208 wmadmoe.dll
12/11/2002  05:34 PM         1,111,040 wmsdmoe2.dll
12/11/2002  05:34 PM           241,664 qasf.dll
12/11/2002  05:34 PM           997,888 wmvdmoe2.dll
12/11/2002  05:23 PM           981,504 wmnetmgr.dll
12/11/2002  05:23 PM           218,112 wmasf.dll
12/11/2002  04:34 PM           241,664 mpg4dmod.dll
12/11/2002  03:16 PM           143,360 wmidx.dll
12/11/2002  03:16 PM             6,656 laprxy.dll
12/11/2002  03:04 PM            81,408 logagent.exe
12/11/2002  02:16 PM           384,512 mp4sdmod.dll
12/03/2002  06:50 PM            68,608 locator.exe
11/26/2002  08:03 PM            23,552 wmdmps.dll
11/26/2002  08:03 PM           245,760 mswmdm.dll
11/26/2002  08:03 PM            27,136 wmdmlog.dll
11/26/2002  07:03 PM           201,728 mspmsp.dll
11/26/2002  07:03 PM           159,232 cewmdm.dll
11/26/2002  07:03 PM            52,224 mspmsnsv.dll
11/25/2002  01:00 AM           118,784 DartWeb.dll
11/22/2002  01:00 AM           221,184 DartSock.dll
11/20/2002  11:50 AM           212,480 osk.exe
11/20/2002  11:50 AM            51,200 narrator.exe
11/20/2002  11:50 AM            67,584 magnify.exe
11/20/2002  11:50 AM           179,200 accwiz.exe
11/14/2002  02:50 PM           226,816 srrstr.dll
11/14/2002  12:58 PM           154,624 ivfsrc.ax
11/14/2002  12:58 PM           200,192 ir50_qc.dll
11/14/2002  12:58 PM           183,808 ir50_qcx.dll
11/14/2002  12:58 PM           755,200 ir50_32.dll
11/14/2002  12:58 PM           338,432 ir41_qcx.dll
11/14/2002  12:58 PM           120,320 ir41_qc.dll
11/14/2002  12:58 PM           848,384 ir41_32.ax
11/14/2002  12:58 PM           199,680 iac25_32.ax
10/24/2002  10:18 AM           180,496 opuc.dll
10/11/2002  02:08 PM            47,616 inetres.dll
10/10/2002  10:39 AM           163,840 pctspk.exe
10/10/2002  10:39 AM            31,744 mdmmoh.dll
10/10/2002  10:39 AM           151,552 ptsetup.dll
10/10/2002  10:39 AM           122,880 ptuninst.exe
10/10/2002  10:39 AM               456 pthsp.dat
09/30/2002  10:58 AM           125,440 shmedia.dll
09/23/2002  08:53 PM            53,248 DellSys.dll
09/23/2002  03:10 PM           544,256 crypt32.dll
09/11/2002  11:00 PM           290,816 mcinsctl.dll
09/02/2002  06:59 PM             2,577 CONFIG.NT
09/02/2002  06:57 PM               488 logonui.exe.manifest
09/02/2002  06:57 PM               488 WindowsLogon.manifest
09/02/2002  06:57 PM               749 ncpa.cpl.manifest
09/02/2002  06:57 PM               749 nwc.cpl.manifest
09/02/2002  06:57 PM               749 cdplayer.exe.manifest
09/02/2002  06:57 PM               749 sapi.cpl.manifest
09/02/2002  06:57 PM               749 wuaucpl.cpl.manifest
09/02/2002  06:56 PM            21,640 emptyregdb.dat
09/02/2002  06:53 PM                 0 H323LOG.TXT
09/02/2002  06:31 PM           787,356 OEMBKGN1.BMP
09/02/2002  06:31 PM             5,134 OEMLOGO.BMP
09/02/2002  06:31 PM            96,310 DELLWALL.BMP
09/02/2002  06:31 PM        13,107,200 OEMBIOS.BIN
09/02/2002  06:31 PM             4,594 OEMBIOS.DAT
09/02/2002  06:31 PM             6,788 OEMBIOS.SIG
09/02/2002  06:31 PM             7,046 OEMBIOS.CAT
08/29/2002  03:41 AM           150,528 ptpusd.dll
08/29/2002  03:41 AM           207,360 joy.cpl
08/29/2002  03:41 AM            31,744 pid.dll
08/29/2002  03:40 AM           151,552 dinput.dll
08/29/2002  03:40 AM           168,960 dinput8.dll
08/28/2002  03:00 PM            66,594 C_775.NLS
08/28/2002  03:00 PM            24,576 dbmsrpcn.dll
08/28/2002  03:00 PM            62,464 DPNMODEM.DLL
08/28/2002  03:00 PM            20,480 DBMSADSN.DLL
08/28/2002  03:00 PM            61,952 DPNWSOCK.DLL
08/28/2002  03:00 PM            53,520 DPSERIAL.DLL
08/28/2002  03:00 PM            66,594 C_850.NLS
08/28/2002  03:00 PM           847,872 DBGENG.DLL
08/28/2002  03:00 PM           142,848 daxctle.ocx
08/28/2002  03:00 PM            22,016 davclnt.dll
08/28/2002  03:00 PM            42,768 DPWSOCK.DLL
08/28/2002  03:00 PM            66,594 C_737.NLS
08/28/2002  03:00 PM             9,216 DISKCOMP.COM
08/28/2002  03:00 PM           489,984 dbghelp.dll
08/28/2002  03:00 PM            24,576 dbmsvinn.dLL
08/28/2002  03:00 PM            11,776 drprov.dll
08/28/2002  03:00 PM            28,112 DRWATSON.EXE
08/28/2002  03:00 PM            45,568 DRWTSN32.EXE
08/28/2002  03:00 PM             4,656 ds16gt.dLL
08/28/2002  03:00 PM            16,384 ds32gt.dll
08/28/2002  03:00 PM            62,976 DSAUTH.DLL
08/28/2002  03:00 PM           152,064 DATIME.DLL
08/28/2002  03:00 PM            66,594 C_865.NLS
08/28/2002  03:00 PM           172,664 xenroll.dll
08/28/2002  03:00 PM            84,992 dskquota.dll
08/28/2002  03:00 PM           144,384 DSKQUOUI.DLL
08/28/2002  03:00 PM            66,082 C_500.NLS
08/28/2002  03:00 PM                81 DSOUND.VXD
08/28/2002  03:00 PM            51,712 dataclen.dll
08/28/2002  03:00 PM           135,680 dsprop.dll
08/28/2002  03:00 PM             3,584 dsprpres.dll
08/28/2002  03:00 PM           227,840 dsquery.dll
08/28/2002  03:00 PM           218,003 DSSEC.DAT
08/28/2002  03:00 PM            47,104 dssec.dll
08/28/2002  03:00 PM           124,928 dssenh.dll
08/28/2002  03:00 PM           106,496 dsuiext.dll
08/28/2002  03:00 PM            44,032 DIMAP.DLL
08/28/2002  03:00 PM           107,008 aclui.dll
08/28/2002  03:00 PM             9,216 dumprep.exe
08/28/2002  03:00 PM           263,680 duser.dll
08/28/2002  03:00 PM            55,296 DVDPLAY.EXE
08/28/2002  03:00 PM            15,872 dvdupgrd.exe
08/28/2002  03:00 PM           180,224 dwwin.exe
08/28/2002  03:00 PM            66,594 C_437.NLS
08/28/2002  03:00 PM           129,536 ACLEDIT.DLL
08/28/2002  03:00 PM            66,082 C_28605.NLS
08/28/2002  03:00 PM            66,082 C_28603.NLS
08/28/2002  03:00 PM            66,082 C_28599.NLS
08/28/2002  03:00 PM            55,296 digest.dll
08/28/2002  03:00 PM           498,205 dxmasf.dll
08/28/2002  03:00 PM           802,304 dxmrtp.dll
08/28/2002  03:00 PM           337,920 dxtmsft.dll
08/28/2002  03:00 PM           194,560 dxtrans.dll
08/28/2002  03:00 PM            69,886 EDIT.COM
08/28/2002  03:00 PM            10,790 EDIT.HLP
08/28/2002  03:00 PM            12,642 EDLIN.EXE
08/28/2002  03:00 PM           127,213 EGA.CPI
08/28/2002  03:00 PM            28,160 xcopy.exe
08/28/2002  03:00 PM            86,016 xactsrv.dll
08/28/2002  03:00 PM           264,704 wzcsvc.dll
08/28/2002  03:00 PM            23,552 wzcsapi.dll
08/28/2002  03:00 PM            56,832 wzcdlg.dll
08/28/2002  03:00 PM           181,760 activeds.dll
08/28/2002  03:00 PM           165,376 els.dll
08/28/2002  03:00 PM            66,594 C_863.NLS
08/28/2002  03:00 PM            59,392 6to4svc.dll
08/28/2002  03:00 PM           155,648 encdec.dll
08/28/2002  03:00 PM           103,424 EqnClass.Dll
08/28/2002  03:00 PM            19,456 ersvc.dll
08/28/2002  03:00 PM            66,082 C_28598.NLS
08/28/2002  03:00 PM         1,018,368 esent.dll
08/28/2002  03:00 PM         1,114,896 ESENT97.DLL
08/28/2002  03:00 PM            17,408 ESENTPRF.DLL
08/28/2002  03:00 PM             6,708 ESENTPRF.HXX
08/28/2002  03:00 PM         1,015,477 ESENTPRF.INI
08/28/2002  03:00 PM            39,424 ESENTUTL.EXE
08/28/2002  03:00 PM           178,688 eudcedit.exe
08/28/2002  03:00 PM            37,668 EULA.TXT
08/28/2002  03:00 PM            33,280 EVENTCLS.DLL
08/28/2002  03:00 PM            49,152 eventlog.dll
08/28/2002  03:00 PM             8,704 EVENTVWR.EXE
08/28/2002  03:00 PM            56,678 EVENTVWR.MSC
08/28/2002  03:00 PM             8,424 EXE2BIN.EXE
08/28/2002  03:00 PM            15,872 EXPAND.EXE
08/28/2002  03:00 PM            66,082 C_28597.NLS
08/28/2002  03:00 PM            40,960 extrac32.exe
08/28/2002  03:00 PM           121,856 EXTS.DLL
08/28/2002  03:00 PM           111,104 ACTIVEDS.TLB
08/28/2002  03:00 PM               882 FASTOPEN.EXE
08/28/2002  03:00 PM            66,560 faultrep.dll
08/28/2002  03:00 PM            14,848 FC.EXE
08/28/2002  03:00 PM            18,432 feclient.dll
08/28/2002  03:00 PM           323,072 filemgmt.dll
08/28/2002  03:00 PM             9,216 FIND.EXE
08/28/2002  03:00 PM            25,088 findstr.exe
08/28/2002  03:00 PM             9,216 FINGER.EXE
08/28/2002  03:00 PM             3,072 FIXMAPI.EXE
08/28/2002  03:00 PM            66,082 C_28595.NLS
08/28/2002  03:00 PM               634 fltr.a3d
08/28/2002  03:00 PM            32,256 WUPDMGR.EXE
08/28/2002  03:00 PM             4,096 actmovie.exe
08/28/2002  03:00 PM            16,384 FMIFS.DLL
08/28/2002  03:00 PM            66,082 C_28594.NLS
08/28/2002  03:00 PM           361,472 fontext.dll
08/28/2002  03:00 PM            79,360 FONTSUB.DLL
08/28/2002  03:00 PM            19,456 fontview.exe
08/28/2002  03:00 PM             7,168 FORCEDOS.EXE
08/28/2002  03:00 PM            25,600 FORMAT.COM
08/28/2002  03:00 PM             8,832 framebuf.dll
08/28/2002  03:00 PM            55,296 FREECELL.EXE
08/28/2002  03:00 PM            32,760 FSMGMT.MSC
08/28/2002  03:00 PM            81,408 FSUSD.DLL
08/28/2002  03:00 PM            56,320 FSUTIL.EXE
08/28/2002  03:00 PM            40,448 ftp.exe
08/28/2002  03:00 PM           176,128 FTSRCH.DLL
08/28/2002  03:00 PM            41,472 G711CODC.AX
08/28/2002  03:00 PM            24,006 GB2312.UCE
08/28/2002  03:00 PM            76,800 GCDEF.DLL
08/28/2002  03:00 PM            24,576 GDI.EXE
08/28/2002  03:00 PM            66,082 C_28593.NLS
08/28/2002  03:00 PM            66,082 C_28592.NLS
08/28/2002  03:00 PM            24,772 GEO.NLS
08/28/2002  03:00 PM           605,696 GETUNAME.DLL
08/28/2002  03:00 PM           285,184 GLMF32.DLL
08/28/2002  03:00 PM           116,736 glu32.dll
08/28/2002  03:00 PM           101,888 GPKCSP.DLL
08/28/2002  03:00 PM             9,728 gpkrsrc.dll
08/28/2002  03:00 PM            26,112 GRAFTABL.COM
08/28/2002  03:00 PM            19,694 GRAPHICS.COM
08/28/2002  03:00 PM            21,232 GRAPHICS.PRO
08/28/2002  03:00 PM            66,082 C_28591.NLS
08/28/2002  03:00 PM            66,082 C_21866.NLS
08/28/2002  03:00 PM            66,082 C_20905.NLS
08/28/2002  03:00 PM            28,672 dbnmpntw.dll
08/28/2002  03:00 PM            66,082 C_20866.NLS
08/28/2002  03:00 PM            77,440 hal.dll
08/28/2002  03:00 PM           150,016 hdwwiz.cpl
08/28/2002  03:00 PM            14,848 HELP.EXE
08/28/2002  03:00 PM             9,216 wuauserv.dll
08/28/2002  03:00 PM           139,810 C_20261.NLS
08/28/2002  03:00 PM            66,082 C_20127.NLS
08/28/2002  03:00 PM            22,528 hid.dll
08/28/2002  03:00 PM            28,160 hidphone.tsp
08/28/2002  03:00 PM             4,768 HIMEM.SYS
08/28/2002  03:00 PM            77,850 HLINK.DLL
08/28/2002  03:00 PM            98,304 actxprxy.dll
08/28/2002  03:00 PM           240,640 hnetcfg.dll
08/28/2002  03:00 PM            14,848 HNETMON.DLL
08/28/2002  03:00 PM           315,904 hnetwiz.dll
08/28/2002  03:00 PM               929 HOMEPAGE.INF
08/28/2002  03:00 PM             7,680 HOSTNAME.EXE
08/28/2002  03:00 PM           137,216 hotplug.dll
08/28/2002  03:00 PM            57,344 admparse.dll
08/28/2002  03:00 PM            66,082 C_1258.NLS
08/28/2002  03:00 PM            66,082 C_1257.NLS
08/28/2002  03:00 PM            66,082 C_1256.NLS
08/28/2002  03:00 PM            66,082 C_1255.NLS
08/28/2002  03:00 PM            66,082 C_1254.NLS
08/28/2002  03:00 PM           139,264 dnsapi.dll
08/28/2002  03:00 PM            26,112 ADPTIF.DLL
08/28/2002  03:00 PM           162,816 adsldp.dll
08/28/2002  03:00 PM           139,776 adsldpc.dll
08/28/2002  03:00 PM            66,082 C_1253.NLS
08/28/2002  03:00 PM            66,082 C_1252.NLS
08/28/2002  03:00 PM            66,082 C_1251.NLS
08/28/2002  03:00 PM            66,082 C_1250.NLS
08/28/2002  03:00 PM            66,082 C_1026.NLS
08/28/2002  03:00 PM            66,082 C_10082.NLS
08/28/2002  03:00 PM            66,082 C_10081.NLS
08/28/2002  03:00 PM            66,082 C_10079.NLS
08/28/2002  03:00 PM            66,082 C_10029.NLS
08/28/2002  03:00 PM            66,082 C_10017.NLS
08/28/2002  03:00 PM            66,082 C_10010.NLS
08/28/2002  03:00 PM            66,082 C_10007.NLS
08/28/2002  03:00 PM            66,082 C_10006.NLS
08/28/2002  03:00 PM            66,082 C_10000.NLS
08/28/2002  03:00 PM            66,082 C_037.NLS
08/28/2002  03:00 PM            44,544 HTICONS.DLL
08/28/2002  03:00 PM            39,936 htui.dll
08/28/2002  03:00 PM             8,386 CTYPE.NLS
08/28/2002  03:00 PM            10,000 i.a3d
08/28/2002  03:00 PM            62,464 adsmsext.dll
08/28/2002  03:00 PM            17,408 wtsapi32.dll
08/28/2002  03:00 PM            61,440 DMVIEW.OCX
08/28/2002  03:00 PM            23,552 IASACCT.DLL
08/28/2002  03:00 PM            41,472 IASADS.DLL
08/28/2002  03:00 PM            32,256 IASHLPR.DLL
08/28/2002  03:00 PM            62,464 IASNAP.DLL
08/28/2002  03:00 PM            17,920 IASPOLCY.DLL
08/28/2002  03:00 PM           116,224 iasrad.dll
08/28/2002  03:00 PM           141,312 IASRECST.DLL
08/28/2002  03:00 PM            86,528 IASSAM.DLL
08/28/2002  03:00 PM           247,808 IASSDO.DLL
08/28/2002  03:00 PM            59,392 IASSVCS.DLL
08/28/2002  03:00 PM             9,216 icaapi.dll
08/28/2002  03:00 PM           110,592 iccvid.dll
08/28/2002  03:00 PM            16,384 ICFGNT5.DLL
08/28/2002  03:00 PM           236,032 icm32.dll
08/28/2002  03:00 PM             3,072 icmp.dll
08/28/2002  03:00 PM            54,784 ICMUI.DLL
08/28/2002  03:00 PM            27,200 CTL3DV2.DLL
08/28/2002  03:00 PM            27,136 CTL3D32.DLL
08/28/2002  03:00 PM           239,616 adsnt.dll
08/28/2002  03:00 PM            69,632 icwdial.dll
08/28/2002  03:00 PM            61,440 icwphbk.dll
08/28/2002  03:00 PM            60,458 IDEOGRAF.UCE
08/28/2002  03:00 PM           113,152 idq.dll
08/28/2002  03:00 PM            28,672 ie4uinit.exe
08/28/2002  03:00 PM           126,976 ieakeng.dll
08/28/2002  03:00 PM           204,288 ieaksie.dll
08/28/2002  03:00 PM           221,184 IEAKUI.DLL
08/28/2002  03:00 PM           294,912 iedkcs32.dll
08/28/2002  03:00 PM           231,424 iepeers.dll
08/28/2002  03:00 PM            23,040 iernonce.dll
08/28/2002  03:00 PM            59,392 iesetup.dll
08/28/2002  03:00 PM            19,514 ieuinit.inf
08/28/2002  03:00 PM            99,840 iexpress.exe
08/28/2002  03:00 PM           125,952 ifmon.dll
08/28/2002  03:00 PM            70,656 IFSUTIL.DLL
08/28/2002  03:00 PM             8,192 igmpagnt.dll
08/28/2002  03:00 PM            73,728 ils.dll
08/28/2002  03:00 PM            14,848 imaadp32.acm
08/28/2002  03:00 PM           126,976 imagehlp.dll
08/28/2002  03:00 PM           123,904 imapi.exe
08/28/2002  03:00 PM            36,922 imeshare.dll
08/28/2002  03:00 PM            30,208 imgutil.dll
08/28/2002  03:00 PM           103,936 imm32.dll
08/28/2002  03:00 PM            21,504 wsock32.dll
08/28/2002  03:00 PM            38,912 wsnmp32.dll
08/28/2002  03:00 PM           266,240 inetcfg.dll
08/28/2002  03:00 PM            13,312 ctfmon.exe
08/28/2002  03:00 PM           292,352 inetcpl.cpl
08/28/2002  03:00 PM           110,592 INETCPLC.DLL
08/28/2002  03:00 PM            31,232 inetmib1.dll
08/28/2002  03:00 PM            68,096 inetpp.dll
08/28/2002  03:00 PM            14,336 inetppui.dll
08/28/2002  03:00 PM            50,688 dmutil.dll
08/28/2002  03:00 PM            17,408 wshtcpip.dll
08/28/2002  03:00 PM           450,560 INFOSOFT.DLL
08/28/2002  03:00 PM           144,896 initpki.dll
08/28/2002  03:00 PM           114,176 input.dll
08/28/2002  03:00 PM            10,240 wshrm.dll
08/28/2002  03:00 PM           766,934 instcat.sql
08/28/2002  03:00 PM           121,856 intl.cpl
08/28/2002  03:00 PM            30,720 IOLOGMSG.DLL
08/28/2002  03:00 PM            16,384 ipconf.tsp
08/28/2002  03:00 PM            51,712 ipconfig.exe
08/28/2002  03:00 PM            82,944 iphlpapi.dll
08/28/2002  03:00 PM           154,112 IPMONTR.DLL
08/28/2002  03:00 PM           102,448 wshom.ocx
08/28/2002  03:00 PM           318,464 ippromon.dll
08/28/2002  03:00 PM             3,584 IPROP.DLL
08/28/2002  03:00 PM             4,096 IPRTPRIO.DLL
08/28/2002  03:00 PM           169,984 IPRTRMGR.DLL
08/28/2002  03:00 PM            44,032 IPSEC6.EXE
08/28/2002  03:00 PM           332,800 ipsecsnp.dll
08/28/2002  03:00 PM           155,648 ipsecsvc.dll
08/28/2002  03:00 PM             7,168 WSHNETBS.DLL
08/28/2002  03:00 PM           364,032 ipsmsnap.dll
08/28/2002  03:00 PM            60,928 ipv6.exe
08/28/2002  03:00 PM           134,144 ipv6mon.dll
08/28/2002  03:00 PM            83,968 IPXMONTR.DLL
08/28/2002  03:00 PM            69,120 IPXPROMN.DLL
08/28/2002  03:00 PM            21,504 IPXRIP.DLL
08/28/2002  03:00 PM            22,016 ipxroute.exe
08/28/2002  03:00 PM            39,936 IPXRTMGR.DLL
08/28/2002  03:00 PM            66,560 IPXSAP.DLL
08/28/2002  03:00 PM            20,992 IPXWAN.DLL
08/28/2002  03:00 PM           199,168 IR32_32.DLL
08/28/2002  03:00 PM            66,594 C_855.NLS
08/28/2002  03:00 PM            66,048 access.cpl
08/28/2002  03:00 PM            64,512 ACCTRES.DLL
08/28/2002  03:00 PM            21,504 dmserver.dll
08/28/2002  03:00 PM             7,168 DISKCOPY.COM
08/28/2002  03:00 PM            14,336 dmremote.exe
08/28/2002  03:00 PM            13,312 IRCLASS.DLL
08/28/2002  03:00 PM            77,824 isign32.dll
08/28/2002  03:00 PM            28,672 isrdbg32.dll
08/28/2002  03:00 PM            11,776 WSHISN.DLL
08/28/2002  03:00 PM            73,728 CSSEQCHK.DLL
08/28/2002  03:00 PM             4,096 csrss.exe
08/28/2002  03:00 PM            29,184 csrsrv.dll
08/28/2002  03:00 PM            19,456 DMOCX.DLL
08/28/2002  03:00 PM            13,312 wship6.dll
08/28/2002  03:00 PM            49,664 ixsso.dll
08/28/2002  03:00 PM            45,568 iyuv_32.dll
08/28/2002  03:00 PM            65,585 wshext.dll
08/28/2002  03:00 PM           307,712 cscui.dll
08/28/2002  03:00 PM           102,450 cscript.exe
08/28/2002  03:00 PM            53,248 cryptnet.dll
08/28/2002  03:00 PM            48,640 cryptext.dll
08/28/2002  03:00 PM            29,184 cryptdll.dll
08/28/2002  03:00 PM            70,144 cryptdlg.dll
08/28/2002  03:00 PM             1,740 dcache.bin
08/28/2002  03:00 PM           149,019 CRTDLL.DLL
08/28/2002  03:00 PM           362,496 JET500.DLL
08/28/2002  03:00 PM            28,721 wshcon.dll
08/28/2002  03:00 PM            44,544 JGAW400.DLL
08/28/2002  03:00 PM           144,896 JGDW400.DLL
08/28/2002  03:00 PM             9,216 WSHATM.DLL
08/28/2002  03:00 PM            35,840 JGMD400.DLL
08/28/2002  03:00 PM            42,496 JGPL400.DLL
08/28/2002  03:00 PM            45,568 JGSD400.DLL
08/28/2002  03:00 PM            65,536 JGSH400.DLL
08/28/2002  03:00 PM           158,720 credui.dll
08/28/2002  03:00 PM            47,952 JOBEXEC.DLL
08/28/2002  03:00 PM            66,594 C_852.NLS
08/28/2002  03:00 PM           118,834 wscript.exe
08/28/2002  03:00 PM            27,097 COUNTRY.SYS
08/28/2002  03:00 PM            12,288 jsproxy.dll
08/28/2002  03:00 PM            14,877 corpol.dll
08/28/2002  03:00 PM            13,824 CONVERT.EXE
08/28/2002  03:00 PM             6,948 KANJI_1.UCE
08/28/2002  03:00 PM             8,484 KANJI_2.UCE
08/28/2002  03:00 PM            14,710 KB16.COM
08/28/2002  03:00 PM             6,656 KBDAL.DLL
08/28/2002  03:00 PM             5,632 KBDAZE.DLL
08/28/2002  03:00 PM             5,632 KBDAZEL.DLL
08/28/2002  03:00 PM             6,144 KBDBE.DLL
08/28/2002  03:00 PM             6,144 KBDBENE.DLL
08/28/2002  03:00 PM             5,632 KBDBLR.DLL
08/28/2002  03:00 PM             6,144 KBDBR.DLL
08/28/2002  03:00 PM             5,632 KBDBU.DLL
08/28/2002  03:00 PM             6,144 KBDCA.DLL
08/28/2002  03:00 PM             7,680 KBDCAN.DLL
08/28/2002  03:00 PM             6,656 KBDCR.DLL
08/28/2002  03:00 PM             7,168 KBDCZ.DLL
08/28/2002  03:00 PM             6,656 KBDCZ1.DLL
08/28/2002  03:00 PM             6,656 KBDCZ2.DLL
08/28/2002  03:00 PM             6,144 KBDDA.DLL
08/28/2002  03:00 PM             5,120 KBDDV.DLL
08/28/2002  03:00 PM             6,144 KBDES.DLL
08/28/2002  03:00 PM             6,144 KBDEST.DLL
08/28/2002  03:00 PM             6,144 KBDFC.DLL
08/28/2002  03:00 PM             6,144 KBDFI.DLL
08/28/2002  03:00 PM             6,144 KBDFO.DLL
08/28/2002  03:00 PM             6,144 KBDFR.DLL
08/28/2002  03:00 PM             5,632 KBDGAE.DLL
08/28/2002  03:00 PM             6,144 KBDGKL.DLL
08/28/2002  03:00 PM             6,144 KBDGR.DLL
08/28/2002  03:00 PM             6,144 KBDGR1.DLL
08/28/2002  03:00 PM             5,632 KBDHE.DLL
08/28/2002  03:00 PM             5,632 KBDHE220.DLL
08/28/2002  03:00 PM             5,632 KBDHE319.DLL
08/28/2002  03:00 PM             6,144 KBDHELA2.DLL
08/28/2002  03:00 PM             6,656 KBDHELA3.DLL
08/28/2002  03:00 PM             8,192 KBDHEPT.DLL
08/28/2002  03:00 PM             6,656 KBDHU.DLL
08/28/2002  03:00 PM             5,632 KBDHU1.DLL
08/28/2002  03:00 PM             6,144 KBDIC.DLL
08/28/2002  03:00 PM             5,632 KBDIR.DLL
08/28/2002  03:00 PM             5,632 KBDIT.DLL
08/28/2002  03:00 PM             5,632 KBDIT142.DLL
08/28/2002  03:00 PM             5,632 KBDKAZ.DLL
08/28/2002  03:00 PM             5,632 KBDKYR.DLL
08/28/2002  03:00 PM             6,656 KBDLA.DLL
08/28/2002  03:00 PM             5,632 KBDLT.DLL
08/28/2002  03:00 PM             5,632 KBDLT1.DLL
08/28/2002  03:00 PM             6,144 KBDLV.DLL
08/28/2002  03:00 PM             6,144 KBDLV1.DLL
08/28/2002  03:00 PM             6,144 KBDMAC.DLL
08/28/2002  03:00 PM             5,632 KBDMON.DLL
08/28/2002  03:00 PM             6,144 KBDNE.DLL
08/28/2002  03:00 PM             7,168 KBDNEC.DLL
08/28/2002  03:00 PM             6,144 KBDNO.DLL
08/28/2002  03:00 PM             6,656 KBDPL.DLL
08/28/2002  03:00 PM             5,632 KBDPL1.DLL
08/28/2002  03:00 PM             6,144 KBDPO.DLL
08/28/2002  03:00 PM             5,632 KBDRO.DLL
08/28/2002  03:00 PM             5,632 KBDRU.DLL
08/28/2002  03:00 PM             5,632 KBDRU1.DLL
08/28/2002  03:00 PM             6,144 KBDSF.DLL
08/28/2002  03:00 PM             6,656 KBDSG.DLL
08/28/2002  03:00 PM             6,656 KBDSL.DLL
08/28/2002  03:00 PM             6,656 KBDSL1.DLL
08/28/2002  03:00 PM             6,144 KBDSP.DLL
08/28/2002  03:00 PM             6,144 KBDSW.DLL
08/28/2002  03:00 PM             5,632 KBDTAT.DLL
08/28/2002  03:00 PM             6,144 KBDTUF.DLL
08/28/2002  03:00 PM             6,144 KBDTUQ.DLL
08/28/2002  03:00 PM             5,632 KBDUK.DLL
08/28/2002  03:00 PM             5,632 KBDUR.DLL
08/28/2002  03:00 PM             5,632 KBDUS.DLL
08/28/2002  03:00 PM             6,144 KBDUSL.DLL
08/28/2002  03:00 PM             6,144 KBDUSR.DLL
08/28/2002  03:00 PM             6,144 KBDUSX.DLL
08/28/2002  03:00 PM             5,632 KBDUZB.DLL
08/28/2002  03:00 PM             5,632 KBDYCC.DLL
08/28/2002  03:00 PM             6,656 KBDYCL.DLL
08/28/2002  03:00 PM            75,264 ws2_32.dll
08/28/2002  03:00 PM             7,040 kd1394.dll
08/28/2002  03:00 PM             7,040 KDCOM.DLL
08/28/2002  03:00 PM           272,896 kerberos.dll
08/28/2002  03:00 PM             8,192 CONTROL.EXE
08/28/2002  03:00 PM            42,809 KEY01.SYS
08/28/2002  03:00 PM             2,000 KEYBOARD.DRV
08/28/2002  03:00 PM            42,537 KEYBOARD.SYS
08/28/2002  03:00 PM           146,432 keymgr.dll
08/28/2002  03:00 PM            66,560 CONSOLE.DLL
08/28/2002  03:00 PM            32,256 kmddsp.tsp
08/28/2002  03:00 PM            18,944 ws2help.dll
08/28/2002  03:00 PM            12,876 KOREAN.UCE
08/28/2002  03:00 PM             5,632 WRITE.EXE
08/28/2002  03:00 PM            29,184 wpnpinst.exe
08/28/2002  03:00 PM            24,576 conime.exe
08/28/2002  03:00 PM             2,233 12520850.CPX
08/28/2002  03:00 PM             2,151 12520437.CPX
08/28/2002  03:00 PM           345,600 CONFMSP.DLL
08/28/2002  03:00 PM           986,112 danim.dll
08/28/2002  03:00 PM            18,432 DMINTF.DLL
08/28/2002  03:00 PM           147,456 COMSNAP.DLL
08/28/2002  03:00 PM           290,816 l3codeca.acm
08/28/2002  03:00 PM            31,232 wpabaln.exe
08/28/2002  03:00 PM            47,616 D3DXOF.DLL
08/28/2002  03:00 PM             9,728 LABEL.EXE
08/28/2002  03:00 PM            89,600 LANGWRBK.DLL
08/28/2002  03:00 PM           221,600 LANMAN.DRV
08/28/2002  03:00 PM            79,360 diantz.exe
08/28/2002  03:00 PM           558,080 advapi32.dll
08/28/2002  03:00 PM            13,824 WOWFAXUI.DLL
08/28/2002  03:00 PM           792,064 comres.dll
08/28/2002  03:00 PM             3,200 WOWFAX.DLL
08/28/2002  03:00 PM            10,368 WOWEXEC.EXE
08/28/2002  03:00 PM             2,736 WOWDEB.EXE
08/28/2002  03:00 PM            91,136 advpack.dll
08/28/2002  03:00 PM           258,048 wmvds32.ax
08/28/2002  03:00 PM           394,240 DIACTFRM.DLL
08/28/2002  03:00 PM           446,464 WMVDMOE.DLL
08/28/2002  03:00 PM            74,240 DHCPSAPI.DLL
08/28/2002  03:00 PM         1,677,312 WMVCORE2.DLL
08/28/2002  03:00 PM           370,176 DHCPMON.DLL
08/28/2002  03:00 PM            91,648 ahui.exe
08/28/2002  03:00 PM           278,559 wmv8ds32.ax
08/28/2002  03:00 PM           311,327 WMV8DMOD.DLL
08/28/2002  03:00 PM           367,616 licdll.dll
08/28/2002  03:00 PM            19,456 licmgr10.dll
08/28/2002  03:00 PM            57,856 licwmi.dll
08/28/2002  03:00 PM            29,696 LIGHTS.EXE
08/28/2002  03:00 PM            82,432 COMREPL.DLL
08/28/2002  03:00 PM            12,288 lmhsvc.dll
08/28/2002  03:00 PM           381,440 lmrt.dll
08/28/2002  03:00 PM            25,088 LNKSTUB.EXE
08/28/2002  03:00 PM             1,131 LOADFIX.COM
08/28/2002  03:00 PM            91,648 loadperf.dll
08/28/2002  03:00 PM           296,448 wmstream.dll
08/28/2002  03:00 PM           209,010 locale.nls
08/28/2002  03:00 PM           202,752 localsec.dll
08/28/2002  03:00 PM           295,936 localspl.dll
08/28/2002  03:00 PM            10,240 localui.dll
08/28/2002  03:00 PM            99,840 dhcpcsvc.dll
08/28/2002  03:00 PM             5,120 LODCTR.EXE
08/28/2002  03:00 PM            85,020 DGSETUP.DLL
08/28/2002  03:00 PM            50,176 LOGHOURS.DLL
08/28/2002  03:00 PM            15,360 LOGOFF.EXE
08/28/2002  03:00 PM           219,648 logon.scr
08/28/2002  03:00 PM           504,320 logonui.exe
08/28/2002  03:00 PM            66,594 C_857.NLS
08/28/2002  03:00 PM            18,944 lpk.dll
08/28/2002  03:00 PM             6,144 LPQ.EXE
08/28/2002  03:00 PM             8,192 LPR.EXE
08/28/2002  03:00 PM             8,704 lprhelp.dll
08/28/2002  03:00 PM             9,216 LPRMONUI.DLL
08/28/2002  03:00 PM           176,157 DGRPSETU.DLL
08/28/2002  03:00 PM           222,208 compstui.dll
08/28/2002  03:00 PM            11,776 lsass.exe
08/28/2002  03:00 PM           103,424 dgnet.dll
08/28/2002  03:00 PM            25,600 dfsshlex.dll
08/28/2002  03:00 PM           118,784 wmsdmoe.dll
08/28/2002  03:00 PM           113,152 dfrgui.dll
08/28/2002  03:00 PM         1,404,928 wmpui.dll
08/28/2002  03:00 PM            77,824 WMPSTUB.EXE
08/28/2002  03:00 PM            77,824 wmpshell.dll
08/28/2002  03:00 PM            41,984 alg.exe
08/28/2002  03:00 PM         1,998,848 wmploc.dll
08/28/2002  03:00 PM            15,872 alrsvc.dll
08/28/2002  03:00 PM           253,952 wmpcd.dll
08/28/2002  03:00 PM            42,166 LUSRMGR.MSC
08/28/2002  03:00 PM            25,600 AAAAMON.DLL
08/28/2002  03:00 PM             2,560 LZ32.DLL
08/28/2002  03:00 PM             9,936 LZEXPAND.DLL
08/28/2002  03:00 PM               168 L_EXCEPT.NLS
08/28/2002  03:00 PM             7,046 L_INTL.NLS
08/28/2002  03:00 PM            35,328 dfrgsnap.dll
08/28/2002  03:00 PM             8,192 MAG_HOOK.DLL
08/28/2002  03:00 PM           187,904 MAIN.CPL
08/28/2002  03:00 PM            79,360 makecab.exe
08/28/2002  03:00 PM            51,200 DFRGRES.DLL
08/28/2002  03:00 PM           112,128 MAPI32.DLL
08/28/2002  03:00 PM            18,944 WMIPROP.DLL
08/28/2002  03:00 PM           112,128 MAPISTUB.DLL
08/28/2002  03:00 PM            30,160 COMPOBJ.DLL
08/28/2002  03:00 PM            12,800 mcastmib.dll
08/28/2002  03:00 PM            10,240 MCD32.DLL
08/28/2002  03:00 PM            10,496 MCDSRV32.DLL
08/28/2002  03:00 PM             4,608 MCHGRCOI.DLL
08/28/2002  03:00 PM            73,376 MCIAVI.DRV
08/28/2002  03:00 PM            80,384 mciavi32.dll
08/28/2002  03:00 PM            17,408 MCICDA.DLL
08/28/2002  03:00 PM           118,784 DMDSKRES.DLL
08/28/2002  03:00 PM             8,192 MCIOLE16.DLL
08/28/2002  03:00 PM             7,680 MCIOLE32.DLL
08/28/2002  03:00 PM           350,208 D3DRM.DLL
08/28/2002  03:00 PM            20,992 mciseq.dll
08/28/2002  03:00 PM            25,264 MCISEQ.DRV
08/28/2002  03:00 PM            22,016 mciwave.dll
08/28/2002  03:00 PM            28,160 MCIWAVE.DRV
08/28/2002  03:00 PM            50,176 MDHCP.DLL
08/28/2002  03:00 PM           108,544 mdminst.dll
08/28/2002  03:00 PM           184,320 dmdskmgr.dll
08/28/2002  03:00 PM           147,968 MDWMDMSP.DLL
08/28/2002  03:00 PM            39,274 MEM.EXE
08/28/2002  03:00 PM            38,302 COMPMGMT.MSC
08/28/2002  03:00 PM           924,432 MFC40.DLL
08/28/2002  03:00 PM           924,432 MFC40U.DLL
08/28/2002  03:00 PM           995,383 mfc42.dll
08/28/2002  03:00 PM            63,488 WMIMGMT.MSC
08/28/2002  03:00 PM           995,384 mfc42u.dll
08/28/2002  03:00 PM            89,600 WMIDX.OCX
08/28/2002  03:00 PM            99,328 dfrgntfs.exe
08/28/2002  03:00 PM           238,592 compatui.dll
08/28/2002  03:00 PM            17,408 COMPACT.EXE
08/28/2002  03:00 PM            15,872 COMP.EXE
08/28/2002  03:00 PM            32,816 COMMDLG.DLL
08/28/2002  03:00 PM            50,620 COMMAND.COM
08/28/2002  03:00 PM            10,544 COMM.DRV
08/28/2002  03:00 PM             5,632 wmi.dll
08/28/2002  03:00 PM            51,200 WMERRENU.DLL
08/28/2002  03:00 PM           258,048 comdlg32.dll
08/28/2002  03:00 PM            76,288 dfrgfat.exe
08/28/2002  03:00 PM           557,056 comctl32.dll
08/28/2002  03:00 PM            41,397 DFRG.MSC
08/28/2002  03:00 PM           263,168 devmgr.dll
08/28/2002  03:00 PM            20,992 mfcsubs.dll
08/28/2002  03:00 PM            33,079 DEVMGMT.MSC
08/28/2002  03:00 PM            12,800 mgmtapi.dll
08/28/2002  03:00 PM            46,258 MIB.BIN
08/28/2002  03:00 PM            17,920 midimap.dll
08/28/2002  03:00 PM            56,320 miglibnt.dll
08/28/2002  03:00 PM            51,712 MIGPWD.EXE
08/28/2002  03:00 PM            18,944 MIMEFILT.DLL
08/28/2002  03:00 PM           163,840 MINDEX.DLL
08/28/2002  03:00 PM           673,088 MLANG.DAT
08/28/2002  03:00 PM           577,024 mlang.dll
08/28/2002  03:00 PM             3,584 MLL_HP.DLL
08/28/2002  03:00 PM           273,920 DMDLGS.DLL
08/28/2002  03:00 PM             5,632 MLL_QIC.DLL
08/28/2002  03:00 PM           774,144 mmc.exe
08/28/2002  03:00 PM            66,560 mmcbase.dll
08/28/2002  03:00 PM         1,128,960 mmcndmgr.dll
08/28/2002  03:00 PM            46,592 mmcshext.dll
08/28/2002  03:00 PM             1,490 MMDRIVER.INF
08/28/2002  03:00 PM            12,288 MMDRV.DLL
08/28/2002  03:00 PM            16,384 mmfutil.dll
08/28/2002  03:00 PM           559,616 mmsys.cpl
08/28/2002  03:00 PM            68,928 mmsystem.dll
08/28/2002  03:00 PM             1,152 MMTASK.TSK
08/28/2002  03:00 PM           119,808 MMUTILSE.DLL
08/28/2002  03:00 PM            32,256 mnmdd.dll
08/28/2002  03:00 PM            32,768 mnmsrvc.exe
08/28/2002  03:00 PM           196,096 mobsync.dll
08/28/2002  03:00 PM           135,680 mobsync.exe
08/28/2002  03:00 PM            19,456 MODE.COM
08/28/2002  03:00 PM           145,408 modemui.dll
08/28/2002  03:00 PM            10,112 MODEX.DLL
08/28/2002  03:00 PM            15,872 MORE.COM
08/28/2002  03:00 PM           210,944 moricons.dll
08/28/2002  03:00 PM             8,192 MOUNTVOL.EXE
08/28/2002  03:00 PM             2,032 MOUSE.DRV
08/28/2002  03:00 PM            66,594 C_860.NLS
08/28/2002  03:00 PM                 2 DESKTOP.INI
08/28/2002  03:00 PM            18,432 DESKPERF.DLL
08/28/2002  03:00 PM           590,336 D3DRAMP.DLL
08/28/2002  03:00 PM            16,896 DESKMON.DLL
08/28/2002  03:00 PM           262,144 mpg4ds32.ax
08/28/2002  03:00 PM           116,736 mplay32.exe
08/28/2002  03:00 PM            22,016 MPNOTIFY.EXE
08/28/2002  03:00 PM            55,808 mpr.dll
08/28/2002  03:00 PM            79,360 mprapi.dll
08/28/2002  03:00 PM            69,120 MPRDDM.DLL
08/28/2002  03:00 PM            49,152 MPRDIM.DLL
08/28/2002  03:00 PM            99,840 MPRMSG.DLL
08/28/2002  03:00 PM            47,104 MPRUI.DLL
08/28/2002  03:00 PM            12,800 MRINFO.EXE
08/28/2002  03:00 PM            86,528 wlnotify.dll
08/28/2002  03:00 PM           102,912 MSAATEXT.DLL
08/28/2002  03:00 PM            16,384 DESKADP.DLL
08/28/2002  03:00 PM            67,072 msacm32.dll
08/28/2002  03:00 PM            20,480 MSACM32.DRV
08/28/2002  03:00 PM           221,184 msadds32.ax
08/28/2002  03:00 PM            13,312 msadp32.acm
08/28/2002  03:00 PM             3,584 msafd.dll
08/28/2002  03:00 PM            80,128 msapsspc.dll
08/28/2002  03:00 PM           168,448 wldap32.dll
08/28/2002  03:00 PM           294,912 msaud32.acm
08/28/2002  03:00 PM            65,024 MSAUDITE.DLL
08/28/2002  03:00 PM             3,584 COMCAT.DLL
08/28/2002  03:00 PM             7,168 MSCAT32.DLL
08/28/2002  03:00 PM               817 MSCDEXNT.EXE
08/28/2002  03:00 PM            25,600 COMADDIN.DLL
08/28/2002  03:00 PM            34,816 D3DPMESH.DLL
08/28/2002  03:00 PM             9,029 ANSI.SYS
08/28/2002  03:00 PM            65,536 msconf.dll
08/28/2002  03:00 PM            26,624 CNVFAT.DLL
08/28/2002  03:00 PM            32,768 CNETCFG.DLL
08/28/2002  03:00 PM            45,568 cnbjmon.dll
08/28/2002  03:00 PM            12,288 mscpx32r.dll
08/28/2002  03:00 PM            36,864 mscpxl32.dll
08/28/2002  03:00 PM           266,752 msctf.dll
08/28/2002  03:00 PM           162,304 msctfime.ime
08/28/2002  03:00 PM            67,584 msctfp.dll
08/28/2002  03:00 PM            36,352 cmutil.dll
08/28/2002  03:00 PM            12,288 msdatsrc.tlb
08/28/2002  03:00 PM            66,594 C_866.NLS
08/28/2002  03:00 PM             6,144 msdtc.exe
08/28/2002  03:00 PM            54,784 msdtclog.dll
08/28/2002  03:00 PM               768 MSDTCPRF.H
08/28/2002  03:00 PM             1,931 MSDTCPRF.INI
08/28/2002  03:00 PM            54,784 cmstp.exe
08/28/2002  03:00 PM           174,592 cmprops.dll
08/28/2002  03:00 PM            14,336 CMPBK32.DLL
08/28/2002  03:00 PM                64 CMOS.RAM
08/28/2002  03:00 PM            35,840 cmmon32.exe
08/28/2002  03:00 PM             4,126 msdxmlc.dll
08/28/2002  03:00 PM            94,282 MSENCODE.DLL
08/28/2002  03:00 PM             4,096 winver.exe
08/28/2002  03:00 PM            61,172 CMMGR32.HLP
08/28/2002  03:00 PM           166,912 wintrust.dll
08/28/2002  03:00 PM            41,472 cmdl32.exe
08/28/2002  03:00 PM            18,944 WINSTRM.DLL
08/28/2002  03:00 PM           504,832 msftedit.dll
08/28/2002  03:00 PM            20,992 MSG.EXE
08/28/2002  03:00 PM             9,216 MSG711.ACM
08/28/2002  03:00 PM           118,784 MSG723.ACM
08/28/2002  03:00 PM           324,608 cmdial32.dll
08/28/2002  03:00 PM            19,968 MSGSM32.ACM
08/28/2002  03:00 PM           375,808 cmd.exe
08/28/2002  03:00 PM            48,128 winsta.dll
08/28/2002  03:00 PM             2,112 WINSPOOL.EXE
08/28/2002  03:00 PM           184,320 msh261.drv
08/28/2002  03:00 PM           286,720 msh263.drv
08/28/2002  03:00 PM           126,976 MSHEARTS.EXE
08/28/2002  03:00 PM            24,064 mshta.exe
08/28/2002  03:00 PM            12,288 cmcfg32.dll
08/28/2002  03:00 PM         1,350,656 mshtml.tlb
08/28/2002  03:00 PM           440,320 mshtmled.dll
08/28/2002  03:00 PM            56,320 mshtmler.dll
08/28/2002  03:00 PM         2,086,400 msi.dll
08/28/2002  03:00 PM           132,096 winspool.drv
08/28/2002  03:00 PM             5,120 msidle.dll
08/28/2002  03:00 PM            14,848 MSIDNTLD.DLL
08/28/2002  03:00 PM           229,888 msieftp.dll
08/28/2002  03:00 PM            64,512 msiexec.exe
08/28/2002  03:00 PM           305,664 msihnd.dll
08/28/2002  03:00 PM             4,608 msimg32.dll
08/28/2002  03:00 PM           847,872 msimsg.dll
08/28/2002  03:00 PM           143,872 msimtf.dll
08/28/2002  03:00 PM             2,864 WINSOCK.DLL
08/28/2002  03:00 PM           368,710 MSISAM11.DLL
08/28/2002  03:00 PM            39,936 msisip.dll
08/28/2002  03:00 PM            54,272 clusapi.dll
08/28/2002  03:00 PM            30,720 clipsrv.exe
08/28/2002  03:00 PM            93,184 winscard.dll
08/28/2002  03:00 PM            98,816 clipbrd.exe
08/28/2002  03:00 PM            24,576 cliconfg.rll
08/28/2002  03:00 PM            14,848 winrnr.dll
08/28/2002  03:00 PM            45,632 cliconfg.exe
08/28/2002  03:00 PM             2,080 WINOLDAP.MOD
08/28/2002  03:00 PM           762,368 winntbbu.dll
08/28/2002  03:00 PM           127,552 cliconfg.dll
08/28/2002  03:00 PM            71,859 CLICONF.CHM
08/28/2002  03:00 PM            22,528 mslbui.dll
08/28/2002  03:00 PM             5,120 WINNLS.DLL
08/28/2002  03:00 PM           146,432 MSLS31.DLL
08/28/2002  03:00 PM            11,776 WINMSD.EXE
08/28/2002  03:00 PM            61,440 cleanmgr.exe
08/28/2002  03:00 PM           171,520 winmm.dll
08/28/2002  03:00 PM           119,808 WINMINE.EXE
08/28/2002  03:00 PM           129,024 desk.cpl
08/28/2002  03:00 PM           319,760 msnsspc.dll
08/28/2002  03:00 PM            33,280 MSOBJS.DLL
08/28/2002  03:00 PM            10,752 CLB.DLL
08/28/2002  03:00 PM             7,680 CKCNV.EXE
08/28/2002  03:00 PM            20,480 msorc32r.dll
08/28/2002  03:00 PM           131,072 msorcl32.dll
08/28/2002  03:00 PM           339,968 mspaint.exe
08/28/2002  03:00 PM            27,136 mspatcha.dll
08/28/2002  03:00 PM             5,120 cisvc.exe
08/28/2002  03:00 PM           102,912 APCUPS.DLL
08/28/2002  03:00 PM            33,040 DPLAY.DLL
08/28/2002  03:00 PM           330,752 DMCONFIG.DLL
08/28/2002  03:00 PM            47,104 mspmspsv.dll
08/28/2002  03:00 PM            41,984 MSPORTS.DLL
08/28/2002  03:00 PM            45,056 msprivs.dll
08/28/2002  03:00 PM            69,632 MSR2C.DLL
08/28/2002  03:00 PM             7,168 MSR2CENU.DLL
08/28/2002  03:00 PM            60,416 MSRATELC.DLL
08/28/2002  03:00 PM           132,096 msrating.dll
08/28/2002  03:00 PM            73,802 MSRCLR40.DLL
08/28/2002  03:00 PM            25,600 winipsec.dll
08/28/2002  03:00 PM             8,192 CIDAEMON.EXE
08/28/2002  03:00 PM           109,568 CIC.DLL
08/28/2002  03:00 PM            12,498 APPEND.EXE
08/28/2002  03:00 PM            28,746 MSRECR40.DLL
08/28/2002  03:00 PM           115,712 apphelp.dll
08/28/2002  03:00 PM            41,762 CIADV.MSC
08/28/2002  03:00 PM            10,240 msrle32.dll
08/28/2002  03:00 PM             8,192 WINHLP32.EXE
08/28/2002  03:00 PM           172,032 mssap.dll
08/28/2002  03:00 PM            69,632 msscds32.ax
08/28/2002  03:00 PM            61,952 ACELPDEC.AX
08/28/2002  03:00 PM           106,547 msscript.ocx
08/28/2002  03:00 PM            35,840 MSSIGN32.DLL
08/28/2002  03:00 PM             4,608 MSSIP32.DLL
08/28/2002  03:00 PM            32,674 WINHELP.HLP
08/28/2002  03:00 PM             9,216 WINFAX.DLL
08/28/2002  03:00 PM            13,312 MSSWCH.DLL
08/28/2002  03:00 PM             6,656 MSSWCHX.EXE
08/28/2002  03:00 PM           163,328 CIADMIN.DLL
08/28/2002  03:00 PM             7,680 dciman32.dll
08/28/2002  03:00 PM            11,264 CHKNTFS.EXE
08/28/2002  03:00 PM           496,128 mstime.dll
08/28/2002  03:00 PM            11,776 CHKDSK.EXE
08/28/2002  03:00 PM           103,936 mstlsapi.dll
08/28/2002  03:00 PM           388,608 mstsc.exe
08/28/2002  03:00 PM           598,016 mstscax.dll
08/28/2002  03:00 PM           241,725 MSUNI11.DLL
08/28/2002  03:00 PM           182,784 msutb.dll
08/28/2002  03:00 PM           108,544 msv1_0.dll
08/28/2002  03:00 PM         1,355,776 MSVBVM50.DLL
08/28/2002  03:00 PM         1,388,544 msvbvm60.dll
08/28/2002  03:00 PM            35,328 WINCHAT.EXE
08/28/2002  03:00 PM            50,688 msvcirt.dll
08/28/2002  03:00 PM           565,760 MSVCP50.DLL
08/28/2002  03:00 PM           401,462 msvcp60.dll
08/28/2002  03:00 PM           403,456 winbrand.dll
08/28/2002  03:00 PM             7,680 CHCP.COM
08/28/2002  03:00 PM            13,312 WIN87EM.DLL
08/28/2002  03:00 PM            80,384 CHARMAP.EXE
08/28/2002  03:00 PM           323,072 msvcrt.dll
08/28/2002  03:00 PM           253,952 MSVCRT20.DLL
08/28/2002  03:00 PM            65,024 msvcrt40.dll
08/28/2002  03:00 PM           113,664 msvfw32.dll
08/28/2002  03:00 PM            25,600 MSVIDC32.DLL
08/28/2002  03:00 PM            16,896 cfgmgr32.dll
08/28/2002  03:00 PM           126,912 MSVIDEO.DLL
08/28/2002  03:00 PM            66,048 msw3prt.dll
08/28/2002  03:00 PM            32,768
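The listing above is the `dir` log of System32 the helper asked for. One common way to read such a log, as an added example that is not from the thread, is to find the timestamp most files share (the service-pack file stamp, 08/28/2002 03:00 PM here) and list the files that do not carry it; a freshly dropped driver stands out immediately. The input is constructed: a few lines copied from the posted listing plus one hypothetical line for klo5.sys with an assumed 2005 date, since the thread names that file but never shows its timestamp.

```python
"""Triage a 'dir' listing of System32 by modification timestamp.

Added example, not from the original thread. The sample LISTING is
constructed: real lines from the posted log plus one made-up klo5.sys
line with an assumed date, so there is something to flag.
"""
import re
from collections import Counter
from datetime import datetime

LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS\\SYSTEM32

08/28/2002  03:00 PM           375,808 cmd.exe
08/28/2002  03:00 PM            24,064 mshta.exe
08/28/2002  03:00 PM           108,544 msv1_0.dll
01/30/2005  11:52 PM             9,216 klo5.sys
08/28/2002  03:00 PM         2,086,400 msi.dll
"""

# date, time, size-or-<DIR>, name; header and summary lines do not match
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return [(datetime, size_or_None, name)] for every file/dir line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, clock, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
        size_val = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append((stamp, size_val, name))
    return entries


def timestamp_outliers(entries, min_share=0.5):
    """Files whose timestamp differs from the dominant one.

    If no single stamp covers at least min_share of the files there is no
    install baseline to compare against, so nothing is flagged.
    """
    files = [e for e in entries if e[1] is not None]
    if not files:
        return []
    common, n = Counter(e[0] for e in files).most_common(1)[0]
    if n / len(files) < min_share:
        return []
    return [e for e in files if e[0] != common]


if __name__ == "__main__":
    for stamp, size, name in timestamp_outliers(parse_dir_listing(LISTING)):
        print(f"{stamp:%m/%d/%Y %I:%M %p} {size:>12,} {name}")
```

On a real box the threshold matters: after Windows Update many files carry later stamps, so the outlier list is a starting point for checking signatures and vendor names, not a verdict on its own.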
Title: hjt log
Post by: guestolo on February 06, 2005, 10:48:08 PM
Can you delete these 2 files in the System32 folder

klo5.sys
ps.a3d


One last request and I'll leave you alone

That RegSrch.Vbs tool I had you download earlier

Could you open it up and add these to the box one at a time and hit OK after each
Post back the results>>if any

drct16

vdmt16

winlow


Thanks, how's everything running?

EDIT>>Do you recognize all software installed in the Add/Remove programs?
Anything look unfamiliar?
Title: hjt log
Post by: kit23 on February 07, 2005, 12:16:58 AM
here are the results (nothing for drct16)
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "vdmt16" 2/6/2005 11:05:32 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"


and


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "winlow" 2/6/2005 11:09:11 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"


in terms of the add/remove programs, nothing obviously wrong. but there are things i could be easily fooled about, such as MDS search booster

things seem to be working fine, normal in fact.
Title: hjt log
Post by: guestolo on February 07, 2005, 12:32:56 AM
Try this kit

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as Remove.reg

Save this file on the desktop

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster]

Close out all windows and double click on Remove.reg
Allow it to merge to the registry

Restart your computer

Open RegSrch.vbs and search for
VDMT16
WINLOW


If any entries post them

Look in add/Remove programs for
MDS search booster

Hopefully it is gone, you don't want it.....
Title: hjt log
Post by: kit23 on February 07, 2005, 04:59:33 PM
well the mds search booster is gone

registry still has those 2:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "VDMT16" 2/7/2005 3:55:47 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "WINLOW" 2/7/2005 3:57:10 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"
Title: hjt log
Post by: guestolo on February 07, 2005, 05:30:11 PM
Can you manually navigate to those entries in bold in the registry

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]


Left click to highlight and then Right click on them and delete them

If they won't remove
Download Registrar Lite from here:
A small download
http://www.resplendence.com/download/reglite.exe
Hold onto this if you want, it's a great utility
Double click and run the installer
Once installed

Restart into safe mode
Use Registrar lite
and navigate to those entries
Highlight the key
EG>>> LEGACY_WINLOW>>Right click and choose DELETE
If it won't delete
Right click on it and select Properties
Take Ownership and then try deleting it

Restart back to Normal mode
Let me know if they're gone

Could you also make a log from the Command Prompt you made earlier and post it
Thanks
Title: hjt log
Post by: kit23 on February 07, 2005, 06:06:36 PM
ok.

the 2 keys were not found initially in the current control set
all were gone after i used registrar lite (though i had to delete the subfolder first).

here's another log

 Volume in drive C has no label.
 Volume Serial Number is 78E6-2519

 Directory of C:\WINDOWS\SYSTEM32

~REMOVED LOG~
Title: hjt log
Post by: guestolo on February 07, 2005, 06:11:03 PM
Good work Kit, thanks for all the help

Are you saying you had to remove
LEGACY_VDMT16\0000 <<as an example, beforehand?
Title: hjt log
Post by: kit23 on February 07, 2005, 06:39:39 PM
exactly. had to delete the 0000 first and then the legacy vdmt16. wouldn't allow it the other way around. even with registrar lite and taking ownership, etc.

thanks for your tireless efforts
by the way, besides backdoor/haxdoor what were the names of the other viruses?
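The Remove.reg post above and kit23's note that the 0000 subkey had to go before its LEGACY_ parent describe a manual workflow. The following added example (the editor's, not code from the thread or from RegSrch.vbs) does the same steps on the posted search output: it parses the REGEDIT4 text, flags LEGACY_<name> keys whose service no longer exists under Services (the enum key outliving the driver is exactly the residue the thread was chasing), emits a Remove.reg with one `[-key]` section per line, and produces a deepest-first deletion order for tools that refuse to remove a key while it still has subkeys. The search results are condensed from what kit23 posted plus one constructed LEGACY_BEEP entry for a service that is still installed; INSTALLED_SERVICES is a constructed stand-in for what a query of CurrentControlSet\Services would return. As the thread found, a .reg merge still fails when the key's ACL denies delete, and taking ownership is the fallback.

```python
"""Build a removal plan for LEGACY_* enum keys from RegSrch.vbs output.

Added example, not part of the original thread. SEARCH_RESULTS is
condensed from the posted output (plus a constructed LEGACY_BEEP entry);
INSTALLED_SERVICES is a constructed stand-in for a real Services query.
"""
import re

SEARCH_RESULTS = r"""REGEDIT4
; Registry search results for string "vdmt16" 2/6/2005 11:05:32 PM

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP\0000]
"Service"="Beep"
"""

# Constructed: service names present under CurrentControlSet\Services.
INSTALLED_SERVICES = {"Beep", "cisvc", "Spooler"}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"\s*$')


def parse_regedit4(text):
    """Return {key_path: {value_name: value}} from REGEDIT4 text (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})  # repeated headers map to one key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("val")
    return keys


def legacy_services(keys):
    """Map each LEGACY_* root key to the service named in its \\0000 subkey."""
    found = {}
    for path, values in keys.items():
        parts = path.split("\\")
        if ("Service" in values and parts[-1] == "0000"
                and parts[-2].upper().startswith("LEGACY_")):
            found["\\".join(parts[:-1])] = values["Service"]
    return found


def orphaned_legacy_keys(keys, installed):
    """LEGACY_* keys whose service is gone: the residue worth removing."""
    inst = {s.lower() for s in installed}
    return sorted(k for k, svc in legacy_services(keys).items()
                  if svc.lower() not in inst)


def deletion_order(keys, roots):
    """Every key under the roots, deepest first (delete \\0000 before its parent)."""
    wanted = [k for k in keys
              if any(k == r or k.startswith(r + "\\") for r in roots)]
    return sorted(wanted, key=lambda k: (-k.count("\\"), k))


def remove_reg(roots):
    """Text of a Remove.reg: header, then one [-key] section per line (CRLF)."""
    lines = ["REGEDIT4", ""]
    for root in roots:
        lines += [f"[-{root}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    keys = parse_regedit4(SEARCH_RESULTS)
    roots = orphaned_legacy_keys(keys, INSTALLED_SERVICES)
    print(remove_reg(roots))
    print("; manual deletion order:")
    for k in deletion_order(keys, roots):
        print(";", k)
```

The orphan check is the part worth keeping for triage: LEGACY_ entries under Enum\Root are created when a kernel service starts and are not cleaned up when the service is removed, so a LEGACY_ key with no matching Services entry records a driver that once ran on the box.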
Title: hjt log
Post by: guestolo on February 07, 2005, 06:45:16 PM
You should be able to go back on your posts that included
the scans by eScan and track them down

Newer Haxdoor infection was the most difficult, stubborn bugger.......

But you also showed remnants of Troj/PPdoor-A trojan among others

It looks like you got it all :D

I'm going to leave this topic open for a few days
If I don't hear back from you about any problems
I'll lock it up

Stay safe Kit, and again Thanks for everything