TheTechGuide Forum
General Category => Tech Clinic => Topic started by: LyaS on March 06, 2005, 05:55:30 AM
-
Hi, I downloaded this HijackThis software and did a scan and saved the logfile as follows. Would anyone advise me on what I should do next? Thanks so much ...
Logfile of HijackThis v1.99.1
Scan saved at 6:48:22 PM, on 3/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {58E13390-8F36-11D9-97A9-000C3F263470} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
O4 - HKLM\..\Run: [antiware] C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\GUQSWOGK.EXE
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm410XXUS
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by12fd.bay12.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/sg/games3.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF} (vciewer control) - http://www.thepaymentcentre.com/build/vciewer.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadsUnlimited/ie/Bridge-c135.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O18 - Filter: text/html - {692A1360-8E85-11D9-97A9-000CCBBC3EF5} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O18 - Filter: text/plain - {692A1360-8E85-11D9-97A9-000CCBBC3EF5} - C:\WINDOWS\SYSTEM\BIHJ.DLL
-
You have a few problems on your computer.
Can you first access your Add/Remove Programs and uninstall any of the below, if found:
POWERSCAN.EXE
Internet Optimizer
isrvs or Istbar
Elitebar
Restart your computer if anything was removed.
When you're back in Windows:
Please download FindIt9xme.zip (http://www.thatcomputerguy.us/downloads/findit9xme.zip)
UNZIP the contents, then open the folder FindIt9xMe and double click on Findit9xMe.bat. It will run for a bit, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.
I've even heard of this running up to 15 minutes.
Give it time.
Also:
Download STARTDRECK (http://members.blackbox.net/hp_links/21/nikolaus.rameis/_data/startdreck.zip)
Unzip it to its own folder.
Run StartDreck.exe:
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab to save, name and post the log.
Also run one more scan with DLLCompare and post that log too, thanks.
Also, post another fresh HijackThis log.
-
OK, here is the log from the Findit9xme.bat :
header.txt
system.txt
hidden.txt
useragent.txt
locate.txt
qoologic.txt
aspack.txt
umonitor.txt
runkey.txt
And this is the Startdreck log :
»Registry
»Run Keys
»Current User
»Run
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Default User
»Run
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*pccguide.exe="C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
*PCCIOMON.exe="C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
*PCCClient.exe="C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
*Pop3trap.exe="C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe=C:\GUQSWOGK.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
*antiware=C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
+Disabled
*Lexmark X1100 Series="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
*winupdt=RUNDLL32.EXE C:\WINDOWS\KMORICONS.DLL,_mainRD
*winshost.exe=C:\WINDOWS\SYSTEM\winshost.exe
*WinAmpAgent=C:\WINDOWS\svchst.exe /i
*LexStart=lexstart.exe
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*PCCIOMON.exe="C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
*PCCPFW=C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
»RunServicesOnce
**hm=rundll32 C:\WINDOWS\WEN.---,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{5E340B4C-8FBD-11D9-97A9-000C0050587F}
`InprocServer32=C:\WINDOWS\SYSTEM\BIHJ.DLL
»Files
»System/Drivers
»Running Processes
+FFEF5CF9=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF681D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE9F8D=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEADB5=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEE171=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
+FFFE0401=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
+FFFE7A81=C:\WINDOWS\RUNDLL32.EXE
+FFFDB141=C:\WINDOWS\EXPLORER.EXE
+FFFD39E1=C:\WINDOWS\RUNDLL32.EXE
+FFFCCD49=C:\WINDOWS\TASKMON.EXE
+FFFCF0CD=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC385D=C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
+FFFC572D=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
+FFFC7A31=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
+FFFB99F9=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
+FFFBB58D=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFBA955=C:\WINDOWS\RUNDLL32.EXE
+FFFBC94D=C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
+FFFB0BF5=C:\PROGRAM FILES\NOADS\NOADS.EXE
+FFFA08BD=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
+FFFB149D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF904D9=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF958C1=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFCEE09=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF9F235=C:\WINDOWS\SYSTEM\INTERNAT.EXE
+FFF80DB9=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF8FF15=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFE54D19=C:\WINDOWS\SYSTEM\WINOA386.MOD
+FFE65C65=C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
+FFE4A501=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
+FFE439B5=C:\STARTDRECK\STARTDRECK.EXE
»Application specific
I downloaded DLLCompare, but I had a problem when I tried to run it. It said runtime error 52, bad file name or something like that.
Anyway, here's the second Hijackthis log :
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {E96EA461-8FE7-11D9-97A9-000C439096DD} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\GUQSWOGK.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [antiware] C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm410XXUS
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by12fd.bay12.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/sg/games3.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF} (vciewer control) - http://www.thepaymentcentre.com/build/vciewer.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadsUnlimited/ie/Bridge-c135.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O18 - Filter: text/html - {B464E07C-8F47-11D9-97A9-000C58C7C217} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O18 - Filter: text/plain - {B464E07C-8F47-11D9-97A9-000C58C7C217} - C:\WINDOWS\SYSTEM\BIHJ.DLL
Wow, that's a lot. Thanks so much for your help ...
-
Can I get you to run Find9xme.bat again and post the WHOLE log?
Ensure you unzipped this and allow it to finish running,
and post the whole scan results.
-
Ok, sorry about that, here is the log from Findit :
MIBE DLL 217,088 12-10-04 11:48p mibe.dll
OGE2NLS DLL 217,088 12-10-04 11:48p OGE2NLS.DLL
RJCNCL DLL 217,088 12-10-04 11:48p RJCNCL.DLL
LSXP2P32 DLL 217,088 12-10-04 11:48p lsxp2p32.dll
CKFVIEW DLL 217,088 12-10-04 11:48p ckfview.dll
OVECLI32 DLL 217,088 12-10-04 11:48p OVECLI32.DLL
SHLWOA DLL 217,088 12-10-04 11:48p shlwoa.dll
SELSTR DLL 217,088 12-10-04 11:48p selstr.dll
PITOREC DLL 217,088 12-10-04 11:48p PITOREC.DLL
LZAVI80N DLL 217,088 12-10-04 11:48p Lzavi80n.dll
MZOEACCT DLL 217,088 12-10-04 11:48p mzoeacct.dll
NGTAPI32 DLL 217,088 12-10-04 11:48p NGTAPI32.DLL
IISAPI32 DLL 217,088 12-10-04 11:48p IISAPI32.DLL
TBKATI~1 DLL 217,088 12-10-04 11:48p TbkatiClient.dll
OMCCLI32 DLL 217,088 12-10-04 11:48p omccli32.dll
DFWSOCK DLL 217,088 12-10-04 11:48p DFWSOCK.DLL
VCA6 DLL 217,088 12-10-04 11:48p VCA6.DLL
MRVCRT DLL 217,088 12-10-04 11:48p MRVCRT.DLL
WDASPI32 DLL 217,088 12-10-04 11:48p WDASPI32.DLL
PPCRT DLL 217,088 12-10-04 11:48p ppcrt.dll
WSPASF DLL 217,088 12-10-04 11:48p wspasf.dll
JSNGLE DLL 217,088 12-10-04 11:48p Jsngle.dll
TXKATI~1 DLL 217,088 12-10-04 11:48p TxkatiClientInstaller.dll
RNVPSP DLL 217,088 12-10-04 11:48p RNVPSP.DLL
SBMSCRPT DLL 217,088 12-10-04 11:48p SBMSCRPT.DLL
MKBE DLL 217,088 12-10-04 11:48p mkbe.dll
IQFG95 DLL 217,088 12-10-04 11:48p iqfg95.dll
RXBOEX32 DLL 217,088 12-10-04 11:48p rxboex32.dll
IKWPHBK DLL 217,088 12-10-04 11:48p ikwphbk.dll
WZN32S16 DLL 217,088 12-10-04 11:48p WZN32S16.DLL
MTIMRT32 DLL 217,088 12-10-04 11:48p MTIMRT32.DLL
AZFSIPC DLL 217,088 12-10-04 11:48p azfsipc.dll
RECHED20 DLL 217,088 12-10-04 11:48p RECHED20.DLL
SNRAPI DLL 217,088 12-10-04 11:48p SNRAPI.DLL
OJMREG DLL 217,088 12-10-04 11:48p OJMREG.DLL
JPAW400 DLL 217,088 12-10-04 11:48p jpaw400.dll
GRHAND DLL 217,088 12-10-04 11:48p grhand.dll
MVPIU DLL 217,088 12-10-04 11:48p MVPIU.DLL
MNXML3A DLL 217,088 12-10-04 11:48p MNXML3A.DLL
FIPWPP DLL 217,088 12-10-04 11:48p FIPWPP.DLL
FLWPP DLL 217,088 12-10-04 11:48p FLWPP.DLL
MERATING DLL 217,088 12-10-04 11:48p MERATING.DLL
RCATHUNK DLL 217,088 12-10-04 11:48p RCATHUNK.DLL
IKM32 DLL 217,088 12-10-04 11:48p IKM32.DLL
OBE2PROX DLL 217,088 12-10-04 11:48p OBE2PROX.DLL
LRLMB80N DLL 217,088 12-10-04 11:48p Lrlmb80n.dll
NCICD DLL 217,088 12-10-04 11:48p NCICD.DLL
MCSTKPRP DLL 217,088 12-10-04 11:48p MCSTKPRP.DLL
MHJINT40 DLL 217,088 12-10-04 11:48p mhjint40.dll
SUS3D630 DLL 217,088 12-10-04 11:48p sus3d630.dll
LKBKUPDR DLL 217,088 12-10-04 11:48p lkbkupdr.dll
SIELL DLL 217,088 12-10-04 11:48p SIELL.DLL
MQVCRT DLL 217,088 12-10-04 11:48p MQVCRT.DLL
PJTOREC DLL 217,088 12-10-04 11:48p PJTOREC.DLL
WJSDMOE2 DLL 217,088 12-10-04 11:48p wjsdmoe2.dll
USDM16 DLL 217,088 12-10-04 11:48p USDM16.DLL
LDPCX80N DLL 217,088 12-10-04 11:48p Ldpcx80n.dll
POPD32 DLL 217,088 12-10-04 11:48p POPD32.DLL
MZFS2 DLL 217,088 12-10-04 11:48p MZFS2.DLL
MNCPXL32 DLL 217,088 12-10-04 11:48p MNCPXL32.DLL
XBILEXR DLL 217,088 12-10-04 11:48p XBILEXR.DLL
JASH400 DLL 217,088 12-10-04 11:48p jash400.dll
QSHNDLR DLL 217,088 12-10-04 11:48p QSHNDLR.DLL
LVLMA80N DLL 217,088 12-10-04 11:48p Lvlma80n.dll
MKJT3032 DLL 217,088 12-10-04 11:48p MKJT3032.DLL
QQGR DLL 217,088 12-10-04 11:48p QQGR.DLL
ADCTRES DLL 217,088 12-10-04 11:48p adctres.dll
MGPRINT DLL 217,088 12-10-04 11:48p MGPRINT.DLL
LKMAC80N DLL 217,088 12-10-04 11:48p Lkmac80n.dll
NOSWAN16 DLL 217,088 12-10-04 11:48p NOSWAN16.DLL
RACNS4 DLL 217,088 12-10-04 11:48p RACNS4.DLL
FGWPP DLL 217,088 12-10-04 11:48p FGWPP.DLL
HAINKPRX DLL 217,088 12-10-04 11:48p HAINKPRX.DLL
MIMCI2 DLL 217,088 12-10-04 11:48p MIMCI2.DLL
DSTMSFT DLL 217,088 12-10-04 11:48p DSTMSFT.DLL
DYMSSHRN DLL 217,088 12-10-04 11:48p dymsshrn.dll
DHCOMPOS DLL 217,088 12-10-04 11:48p DHCOMPOS.DLL
247 file(s) 53,620,736 bytes
0 dir(s) 7,697.98 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 1546-0CF5
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 03-07-05 7:10p vmss
WSXSVC <DIR> 03-07-05 7:10p wsxsvc
LXBKMA GID 40,613 10-20-04 10:33p lxbkma.GID
FOLDER HTT 13,122 06-23-04 1:42p folder.htt
DESKTOP INI 266 06-23-04 1:42p desktop.ini
JETERR35 GID 10,820 02-03-04 8:44p jeterr35.GID
FIZ2 1,057 01-21-04 12:32p fiz2
FIZ1 1,355 01-21-04 11:53a fiz1
KYF DAT 1,865,021 01-21-04 11:24a kyf.dat
FFASTLOG TXT 23,598 01-05-04 5:29p FFASTLOG.TXT
8 file(s) 1,955,852 bytes
2 dir(s) 7,697.97 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6122F8E0-90E6-11D9-97A9-000C7629D3F9}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
247 items found: 247 files, 0 directories.
Total of file sizes: 53,620,736 bytes 51.14 M
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\jesterss.dll: .aspack
C:\WINDOWS\SYSTEM\fastvideoplayer.dll: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\DzCNDI.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\DzCNDI.DLL: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\""
"PCCIOMON.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCIOMON.exe\""
"PCCClient.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\""
"Pop3trap.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"sp"="rundll32 C:\\WINDOWS\\TEMP\\SE.DLL,DllInstall"
"antiware"="C:\\WINDOWS\\SYSTEM\\ELITEKBW32.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disabled]
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"winupdt"="RUNDLL32.EXE C:\\WINDOWS\\KMORICONS.DLL,_mainRD"
"winshost.exe"="C:\\WINDOWS\\SYSTEM\\winshost.exe"
"WinAmpAgent"="C:\\WINDOWS\\svchst.exe /i"
"LexStart"="lexstart.exe"
-
Very sorry for the late reply, if you still need a hand I need you to follow these instructions, we have a large number of files to clean out, so this may take a few attempts
The more you restart the computer, the more files will be added
Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice
Please copy and paste these instructions to an empty Notepad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer
Run Pocket KillBox>>Now you have Killbox and this notepad file open
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
click on Tools --> Select Delete Temp Files. Click OK.
Again, in Killbox
At the main screen of Pocket Killbox
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\SYSTEM\DXCPROP.DLL
Press the Delete button>>The Red circle and a white X
Do the same for the rest of these below
Keep track of any files that won't delete, we'll need those in a bit
For any file that wouldn't delete, again copy and paste that entry into Killbox, but this time, use the Delete on Reboot radio button
Press the button with a red circle and a white X.
If asked to Reboot now, don't until you have entered the last entry
After entering the last path to any file that wouldn't delete
Allow the computer to Reboot
or Restart the computer anyways
When you're back in Windows
Open Hijackthis>>Open Misc Tools>>Open Hosts File Manager
Delete any lines Below
127.0.0.1 localhost <--don't delete this and nothing above
But only any below that entry you didn't add yourself or don't recognize
Run Findit9xme.bat again and post the Whole log
Also, Download and save to Desktop
VX2 Finder.exe (http://downloads.subratam.org/VX2Finder9x(126).exe)
Open it and click the
"Click to Find VX2.BetterInternet"
Let it complete the scan>>This won't take long
Make a log and post it back here
Also post back with a fresh hijackthis log
Try not to restart the computer again until we have tried another round of fixes
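An added example (not part of the thread, and not a HijackThis feature): the Hosts-file review described above, written as a script. It leaves everything up to the "127.0.0.1 localhost" line alone, lists each mapping below it that is not in a caller-supplied list of names the owner added, and treats a file with no localhost line as entirely unreviewed. The sample file, the `known` parameter and the three `kind` labels are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample HOSTS file (not from the thread): documentation-range
# addresses and placeholder names.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1 localhost
192.0.2.10 fileserver.home.example   # added by the owner
203.0.113.7 search.example.com
203.0.113.7 #uto.search.example.net
0.0.0.0 ads.example.org
"""


def parse_line(raw):
    """Return (ip, names) for a line that starts with an address, else None.

    Everything after '#' is a comment, so names may be empty."""
    fields = raw.split("#", 1)[0].split()
    if not fields:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return ip, [name.lower() for name in fields[1:]]


def audit_hosts(text, known=()):
    """Return (anchor_found, review).

    anchor_found: whether a loopback 'localhost' line exists.
    review: (line_number, address, names, kind) for every mapping below the
    anchor that is not made up entirely of names listed in `known`. With no
    anchor, every mapping in the file is returned for review.
    """
    known = {name.lower() for name in known}
    lines = text.splitlines()
    anchor = None
    for index, raw in enumerate(lines):
        parsed = parse_line(raw)
        if parsed and parsed[0].is_loopback and "localhost" in parsed[1]:
            anchor = index
            break
    start = 0 if anchor is None else anchor + 1
    review = []
    for number, raw in enumerate(lines[start:], start=start + 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue                      # blank line, comment or garbage
        ip, names = parsed
        unknown = [name for name in names if name not in known]
        if names and not unknown:
            continue                      # every name was added by the owner
        if not names:
            kind = "no-hostname"          # address only; the name is commented out
        elif ip.is_loopback or ip.is_unspecified:
            kind = "sinkhole"             # blocks the name instead of redirecting it
        else:
            kind = "redirect"             # name is pointed at the listed address
        review.append((number, str(ip), unknown, kind))
    return anchor is not None, review


if __name__ == "__main__":
    found, items = audit_hosts(SAMPLE_HOSTS, known=["fileserver.home.example"])
    print("localhost line present:", found)
    for item in items:
        print(item)
```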
-
Hey .. don't worry about it. Anyway, ok, I downloaded Pocket Killbox and deleted the files you asked me to.
I checked Hijackthis>>Open Misc Tools>>Open Hosts File Manager but I didn't see "127.0.0.1 localhost" so I left it.
This is the fresh Findit9xme.bat log :
MBEGGR~1 DLL 227,104 03-10-05 1:15p mbeggrpid.dll
LSRAS80N DLL 227,104 03-10-05 1:15p Lsras80n.dll
DNEML DLL 227,104 03-10-05 1:15p DNEML.DLL
LAIMG80N DLL 227,104 03-10-05 1:15p Laimg80n.dll
DOD9 DLL 227,104 03-10-05 1:15p DOD9.DLL
IJFRARED DLL 227,104 03-10-05 1:15p IJFRARED.DLL
DDDIM700 DLL 227,104 03-10-05 1:15p DDDIM700.DLL
LWPCD80N DLL 227,104 03-10-05 1:15p Lwpcd80n.dll
HKDLR32 DLL 227,104 03-10-05 1:15p HKDLR32.DLL
BIWMP3 DLL 227,104 03-10-05 1:15p biwmp3.dll
SIKIT432 DLL 227,104 03-10-05 1:15p SIKIT432.DLL
CZBINET DLL 227,104 03-10-05 1:15p CZBINET.DLL
LPKODAK DLL 227,104 03-10-05 1:15p Lpkodak.dll
IRDKCS32 DLL 227,104 03-10-05 1:15p IRDKCS32.DLL
SYNTFNT DLL 227,104 03-10-05 1:15p SYntfNT.dll
PACN1111 DLL 227,104 03-10-05 1:15p PACN1111.DLL
BYSEBALL DLL 227,104 03-10-05 1:15p BYseball.dll
SNS3D630 DLL 227,104 03-10-05 1:15p sns3d630.dll
QHSF DLL 217,088 12-10-04 11:48p QHSF.DLL
MUDXMLC DLL 217,088 12-10-04 11:48p mudxmlc.dll
PGTOREC DLL 217,088 12-10-04 11:48p PGTOREC.DLL
OGE2NLS DLL 217,088 12-10-04 11:48p OGE2NLS.DLL
JSNGLE DLL 217,088 12-10-04 11:48p Jsngle.dll
WUPASF DLL 217,088 12-10-04 11:48p wupasf.dll
EIEXCH32 DLL 217,088 12-10-04 11:48p EIEXCH32.DLL
AJMUI DLL 217,088 12-10-04 11:48p AJMUI.DLL
LMBKLCNP DLL 217,088 12-10-04 11:48p lmbklcnp.dll
MZANG DLL 217,088 12-10-04 11:48p MZANG.DLL
MBIQTZ32 DLL 217,088 12-10-04 11:48p MBIQTZ32.DLL
MTDART32 DLL 217,088 12-10-04 11:48p mtdart32.dll
WTDAP32 DLL 217,088 12-10-04 11:48p WTDAP32.DLL
CSMDLG32 DLL 217,088 12-10-04 11:48p CSMDLG32.DLL
MPXML3R DLL 217,088 12-10-04 11:48p MPXML3R.DLL
ORBCCR32 DLL 217,088 12-10-04 11:48p orbccr32.dll
34 file(s) 7,561,280 bytes
0 dir(s) 7,651.05 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 1546-0CF5
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 03-07-05 7:10p vmss
WSXSVC <DIR> 03-07-05 7:10p wsxsvc
LXBKMA GID 40,613 10-20-04 10:33p lxbkma.GID
FOLDER HTT 13,122 06-23-04 1:42p folder.htt
DESKTOP INI 266 06-23-04 1:42p desktop.ini
JETERR35 GID 10,820 02-03-04 8:44p jeterr35.GID
FIZ2 1,057 01-21-04 12:32p fiz2
FIZ1 1,355 01-21-04 11:53a fiz1
KYF DAT 1,865,021 01-21-04 11:24a kyf.dat
FFASTLOG TXT 23,598 01-05-04 5:29p FFASTLOG.TXT
8 file(s) 1,955,852 bytes
2 dir(s) 7,651.04 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{25782FD8-7F18-DFC3-CF5A-437063ED4CE2}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
mbeggr~1.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
lsras80n.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
dneml.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
laimg80n.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
dod9.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
ijfrared.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
dddim700.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
lwpcd80n.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
hkdlr32.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
biwmp3.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
sikit432.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
czbinet.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
lpkodak.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
irdkcs32.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
syntfnt.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
pacn1111.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
byseball.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
sns3d630.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
18 items found: 18 files, 0 directories.
Total of file sizes: 4,087,872 bytes 3.90 M
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\jesterss.dll: .aspack
C:\WINDOWS\SYSTEM\fastvideoplayer.dll: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\QHSF.DLL: UMonitor
C:\WINDOWS\SYSTEM\mudxmlc.dll: UMonitor
C:\WINDOWS\SYSTEM\PGTOREC.DLL: UMonitor
C:\WINDOWS\SYSTEM\OGE2NLS.DLL: UMonitor
C:\WINDOWS\SYSTEM\Jsngle.dll: UMonitor
C:\WINDOWS\SYSTEM\wupasf.dll: UMonitor
C:\WINDOWS\SYSTEM\EIEXCH32.DLL: UMonitor
C:\WINDOWS\SYSTEM\AJMUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\lmbklcnp.dll: UMonitor
C:\WINDOWS\SYSTEM\MZANG.DLL: UMonitor
C:\WINDOWS\SYSTEM\MBIQTZ32.DLL: UMonitor
C:\WINDOWS\SYSTEM\mtdart32.dll: UMonitor
C:\WINDOWS\SYSTEM\WTDAP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\CSMDLG32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MPXML3R.DLL: UMonitor
C:\WINDOWS\SYSTEM\orbccr32.dll: UMonitor
----> I downloaded VX2 Finder.exe but couldn't run it. Something about it being only for NT systems whatever.
And here is a fresh Hijackthis log :
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
C:\WINDOWS\NEWSD.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\IMPORTANT FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O2 - BHO: (no name) - {8E6354E6-9191-11D9-97A9-000C196928D0} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [antiware] C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
O4 - HKLM\..\Run: [newsfeed12] C:\WINDOWS\newsd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm410XXUS
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by12fd.bay12.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/sg/games3.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF} (vciewer control) - http://www.thepaymentcentre.com/build/vciewer.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadsUnlimited/ie/Bridge-c135.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
O18 - Filter: text/html - {B464E07C-8F47-11D9-97A9-000C58C7C217} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O18 - Filter: text/plain - {B464E07C-8F47-11D9-97A9-000C58C7C217} - C:\WINDOWS\SYSTEM\BIHJ.DLL
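An added example, not part of the thread and not HijackThis's own logic: a small triage pass over a log in this format. It collapses repeated lines into counts and reports files hooked from more than one section, R/O4 entries that load from a TEMP directory, non-loopback Hosts lines, unknown LSP files, zone changes, and ActiveX downloads that come from a bare IP address or an .exe. The heuristics and the sample log (placeholder names, CLSIDs and addresses) are assumptions for illustration; a hit marks a line for closer review.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in HijackThis log format (not from the thread); file
# names, CLSIDs, hosts and addresses are placeholders.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\xx.dll/sp.html
O1 - Hosts: 203.0.113.7 search.example.com
O1 - Hosts: 203.0.113.7 search.example.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\EXAMPLE1.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [xx] rundll32 C:\WINDOWS\TEMP\XX.DLL,DllInstall
O10 - Unknown file in Winsock LSP: c:\windows\system\examplelsp.dll
O15 - Trusted Zone: *.example.net
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00000000-0000-0000-0000-000000000002} - http://192.0.2.44/setup.exe
O18 - Filter: text/html - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\SYSTEM\EXAMPLE1.DLL
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
WIN_PATH = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n,]+?\.(?:dll|exe|ocx)\b',
    re.IGNORECASE,
)
URL = re.compile(r"https?://([^/\s:]+)(\S*)", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_entries(text):
    """Return (section_code, body) for every item line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(text):
    """Group review prompts by heuristic name (illustrative heuristics)."""
    counts = Counter(parse_entries(text))      # identical lines collapse to one key
    hooks = defaultdict(set)                   # file path -> sections that reference it
    findings = defaultdict(list)
    for (code, body), seen in counts.items():
        paths = {p.lower() for p in WIN_PATH.findall(body)}
        for path in paths:
            hooks[path].add(code)
        # Browser settings or autoruns that point into a TEMP directory.
        if code in ("R0", "R1", "O4") and any("\\temp\\" in p for p in paths):
            findings["runs_from_temp"].append(body)
        if code == "O1" and body.startswith("Hosts:"):
            fields = body.split(":", 1)[1].split()
            if fields and not fields[0].startswith("127."):
                findings["hosts_redirect"].append((fields[0], fields[1:], seen))
        elif code == "O10" and "Unknown file" in body:
            findings["lsp"].append((body, seen))
        elif code == "O15":
            findings["zone_change"].append(body)
        elif code == "O16":
            url = URL.search(body)
            if url and (IPV4.match(url.group(1)) or url.group(2).lower().endswith(".exe")):
                findings["dpf_direct"].append(url.group(0))
    # The same file registered at several hook points (for example BHO and
    # MIME filter) is worth looking at as one unit.
    findings["multi_hook"] = sorted(
        (path, sorted(codes)) for path, codes in hooks.items() if len(codes) > 1
    )
    return dict(findings)


if __name__ == "__main__":
    for name, items in triage(SAMPLE_LOG).items():
        print(name)
        for item in items:
            print("   ", item)
```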
-
Let's start Round 2 :P
I need you to Download a couple tools
===Download The Hoster (http://members.aol.com/toadbee/hoster.zip)
Unzip it to a folder
We'll need this later
===Download and UNZIP to Desktop LSPFIX.zip from this link
http://www.cexx.org/lspfix.htm
We'll need this later
===That link I directed you to for the Download of VX2 finder is definitely a 9x version
Where did you download your version from?
Please try and redownload VX2 finder
From CLICK HERE (http://downloads.subratam.org/VX2Finder9x(126).exe)
Save it to your desktop
We'll need this later
===Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop
===Download and save to Desktop RunFix.zip
Unzip the contents to Desktop so you now have Runfix.reg on the desktop
[attachment=57:attachment]
We'll need this later
Again, Please Print out the rest of these instructions
And also save them to a Notepad file on the desktop
You will need both
Close down all unnecessary windows, including this one
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O2 - BHO: (no name) - {8E6354E6-9191-11D9-97A9-000C196928D0} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [antiware] C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
O4 - HKLM\..\Run: [newsfeed12] C:\WINDOWS\newsd.exe
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/sg/games3.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF} (vciewer control) - http://www.thepaymentcentre.com/build/vciewer.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...Bridge-c135.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe
O18 - Filter: text/html - {B464E07C-8F47-11D9-97A9-000C58C7C217} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O18 - Filter: text/plain - {B464E07C-8F47-11D9-97A9-000C58C7C217} - C:\WINDOWS\SYSTEM\BIHJ.DLL
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
Open these instructions and leave them open until we have restarted your computer
Run Pocket KillBox>>Now you have Killbox and this notepad file open
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
Also end task on these ones too, if you can
ELITEKBW32.EXE
NEWSD.EXE
click on Tools --> Select Delete Temp Files. Click OK.
Again, in Killbox
At the main screen of Pocket Killbox
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\SYSTEM\mbeggrpid.dll
Press the Delete button>>The Red circle and a white X
Do the same for the rest of these below
Keep track of any files that won't delete, we'll need those in a bit
C:\WINDOWS\SYSTEM\lsras80n.dll
C:\WINDOWS\SYSTEM\dneml.dll
C:\WINDOWS\SYSTEM\laimg80n.dll
C:\WINDOWS\SYSTEM\dod9.dll
C:\WINDOWS\SYSTEM\ijfrared.dll
C:\WINDOWS\SYSTEM\dddim700.dll
C:\WINDOWS\SYSTEM\lwpcd80n.dll
C:\WINDOWS\SYSTEM\hkdlr32.dll
C:\WINDOWS\SYSTEM\biwmp3.dll
C:\WINDOWS\SYSTEM\sikit432.dll
C:\WINDOWS\SYSTEM\czbinet.dll
C:\WINDOWS\SYSTEM\lpkodak.dll
C:\WINDOWS\SYSTEM\irdkcs32.dll
C:\WINDOWS\SYSTEM\syntfnt.dll
C:\WINDOWS\SYSTEM\pacn1111.dll
C:\WINDOWS\SYSTEM\byseball.dll
C:\WINDOWS\SYSTEM\sns3d630.dll
C:\WINDOWS\SYSTEM\orbccr32.dll
C:\WINDOWS\SYSTEM\MPXML3R.DLL
C:\WINDOWS\SYSTEM\CSMDLG32.DLL
C:\WINDOWS\SYSTEM\WTDAP32.DLL
C:\WINDOWS\SYSTEM\mtdart32.dll
C:\WINDOWS\SYSTEM\MBIQTZ32.DLL
C:\WINDOWS\SYSTEM\MZANG.DLL
C:\WINDOWS\SYSTEM\lmbklcnp.dll
C:\WINDOWS\SYSTEM\AJMUI.DLL
C:\WINDOWS\SYSTEM\EIEXCH32.DLL
C:\WINDOWS\SYSTEM\wupasf.dll
C:\WINDOWS\SYSTEM\Jsngle.dll
C:\WINDOWS\SYSTEM\OGE2NLS.DLL
C:\WINDOWS\SYSTEM\PGTOREC.DLL
C:\WINDOWS\SYSTEM\mudxmlc.dll
C:\WINDOWS\SYSTEM\QHSF.DLL
C:\WINDOWS\KMORICONS.DLL
C:\WINDOWS\SYSTEM\ELITEKBW32.EXE
C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\SYSTEM\fiz2
C:\WINDOWS\SYSTEM\fiz1
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\SYSTEM\winshost.exe
C:\WINDOWS\svchst.exe
C:\WINDOWS\hosts
For any file that wouldn't delete, again copy and paste that entry into Killbox, but this time, use the Delete on Reboot radio button
Press the button with a red circle and a white X.
Finally, copy and paste this entry into Killbox and use the "Delete On Reboot Option"
Additionally, use the "Unregister .dll before deleting" option
C:\WINDOWS\SYSTEM\fastvideoplayer.dll
Don't restart yet, Instead Double Click on RunFix.reg and allow to merge to the Registry
Then click the START button
SHUTDOWN>>>Select "Restart in MS-Dos Mode"
Hit OK
At restart you should be at this prompt
C:\WINDOWS>
Type in the below excluding the (Enter), that indicates hitting Enter on your Keyboard>>>Take note of all the spaces too
attrib -r -s -h C:\WINDOWS\WEN.--- (Enter)
del Wen.--- (Enter)
=====================================
To see what it looks like with an = sign indicating where a single space should be
attrib=-r=-s=-h=C:\WINDOWS\WEN.---
del=Wen.---
Ensure to include the three dashes after Wen.
=====================================
Hit Ctrl+Alt+Del to Restart back to Normal mode
Don't open a browser yet
Back in Normal mode delete these folders if found
C:\WINDOWS\SYSTEM\vmss <--folder
C:\WINDOWS\SYSTEM\wsxsvc <--folder
Again Double click on RunFix.reg and allow to merge to the registry
Open VX2 Finder and Click to Find VX2.BetterInternet
Then click the User Agent$ button on the right hand side
Open Hoster>>If prompted that no Hosts found, let it Create one
Click "Restore Original Hosts"
Run another scan with Findit9xMe.bat and post back a new log
Post back a fresh Hijackthis log
Post back a new log from Startdreck too
-
This is a fresh Findit log :
XUREC DLL 227,104 03-10-05 1:15p XUREC.DLL
TTPI DLL 227,104 03-10-05 1:15p TTPI.DLL
RQUTETAB DLL 227,104 03-10-05 1:15p RQUTETAB.DLL
OCEPRO32 DLL 227,104 03-10-05 1:15p OCEPRO32.DLL
DDSPDIB DLL 227,104 03-10-05 1:15p DDSPDIB.DLL
REUTETAB DLL 227,104 03-10-05 1:15p REUTETAB.DLL
IVDKCS32 DLL 227,104 03-10-05 1:15p IVDKCS32.DLL
PGCN20 DLL 227,104 03-10-05 1:15p pgcn20.dll
UODERW~1 DLL 227,104 03-10-05 1:15p Uoderwater.dll
9 file(s) 2,043,936 bytes
0 dir(s) 7,608.05 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 1546-0CF5
Directory of C:\WINDOWS\SYSTEM
LXBKMA GID 40,613 10-20-04 10:33p lxbkma.GID
FOLDER HTT 13,122 06-23-04 1:42p folder.htt
DESKTOP INI 266 06-23-04 1:42p desktop.ini
JETERR35 GID 10,820 02-03-04 8:44p jeterr35.GID
FFASTLOG TXT 23,598 01-05-04 5:29p FFASTLOG.TXT
5 file(s) 88,419 bytes
0 dir(s) 7,608.05 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
xurec.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
ttpi.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
rqutetab.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
ocepro32.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
ddspdib.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
reutetab.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
ivdkcs32.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
pgcn20.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
uoderw~1.dll Thu Mar 10 2005 1:15:42p ..S.R 227,104 221.78 K
9 items found: 9 files, 0 directories.
Total of file sizes: 2,043,936 bytes 1.95 M
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\jesterss.dll: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\""
"PCCIOMON.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCIOMON.exe\""
"PCCClient.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\""
"Pop3trap.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disabled]
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
This is a fresh Hijackthis log:
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\IMPORTANT FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm410XXUS
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by12fd.bay12.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
This is a fresh startdreck log :
»Registry
»Run Keys
»Current User
»Run
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Default User
»Run
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*pccguide.exe="C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
*PCCIOMON.exe="C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
*PCCClient.exe="C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
*Pop3trap.exe="C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
+Disabled
*Lexmark X1100 Series="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*PCCIOMON.exe="C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
*PCCPFW=C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\IMPORTANT FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
`HTML Application= [key or value does not exist]
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\STRINGS.EXE
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\STRINGS.EXE
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FFEF5995=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF6D71=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE9AE1=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEA8D9=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEE41D=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
+FFFE016D=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
+FFFD9005=C:\WINDOWS\EXPLORER.EXE
+FFFD13F5=C:\WINDOWS\TASKMON.EXE
+FFFD3955=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD53CD=C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
+FFFD70A5=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
+FFFD61D1=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
+FFFCB891=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
+FFFCC181=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFCF025=C:\PROGRAM FILES\NOADS\NOADS.EXE
+FFFC12A1=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFB9335=C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
+FFFA9F21=C:\WINDOWS\SYSTEM\INTERNAT.EXE
+FFFB6CE1=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFA0A51=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFB30B5=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
+FFFB7441=C:\WINDOWS\NOTEPAD.EXE
+FFF8BCC9=C:\IMPORTANT FILES\STARTDRECK.EXE
»NT Services
»Application specific
-
Well, we nailed part of the infection
Your log is looking much better
There are fewer files, and take a look at this entry in the Startdreck log
RunServicesOnce<<this one, no file, you got rid of it
Let's try and kill the rest of it
Download and save to desktop Remove.zip
UNZIP it to desktop, you should now have Remove.reg on your desktop
Don't run it yet
Save these instructions on your desktop in an empty Notepad file
Disconnect from the Internet
===Do another scan with Hijackthis and put a check next to these entries:
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm410XXUS
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
Run Pocket KillBox>>Now you have Killbox and this notepad file open
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
click on Tools --> Select Delete Temp Files. Click OK.
Again, in Killbox
At the main screen of Pocket Killbox
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\SYSTEM\XUREC.DLL
Press the Delete button>>The Red circle and a white X
Do the same for the rest of these below
Keep track of any files that won't delete, we'll need those in a bit
C:\WINDOWS\SYSTEM\TTPI.DLL
C:\WINDOWS\SYSTEM\RQUTETAB.DLL
C:\WINDOWS\SYSTEM\OCEPRO32.DLL
C:\WINDOWS\SYSTEM\DDSPDIB.DLL
C:\WINDOWS\SYSTEM\REUTETAB.DLL
C:\WINDOWS\SYSTEM\IVDKCS32.DLL
C:\WINDOWS\SYSTEM\pgcn20.dll
C:\WINDOWS\SYSTEM\Uoderwater.dll
For any file that wouldn't delete, again copy and paste that entry into Killbox, but this time, use the Delete on Reboot radio button
Press the button with a red circle and a white X.
Restart the computer
Double click on Remove.reg and allow to merge to the registry
Once again, post back with a Fresh Find9XMe.bat log
Also post back a fresh Hijackthis log
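Added example, not part of the original thread: a Python sketch of the check the helper is doing by eye here, confirming which ticked HijackThis entries are gone from the follow-up log and which are still present. The sample lines are abridged from the logs posted in this thread; the function names are hypothetical.

```python
import re

# A HijackThis entry is "<section code> - <details>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def entry_key(line):
    """Normalise one log line to a comparable key, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process paths, headers and instructions are skipped
    code, body = m.group(1), m.group(2).strip()
    if code == "O16":
        # The forum truncates long URLs ("Bundl...ArcadeRdxIE.cab"), so an
        # ActiveX download is identified by its CLSID rather than its URL.
        clsid = CLSID_RE.search(body)
        if clsid:
            return (code, clsid.group(0).upper())
    # Win9x paths are case-insensitive and the logs mix upper and lower case.
    return (code, body.casefold())


def parse_entries(text):
    """Map entry key -> first line seen; repeated lines collapse to one key."""
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries.setdefault(key, line.strip())
    return entries


def verify_fix(fix_list, fresh_log):
    """Compare the ticked entries with a follow-up log.

    Returns (fixed, remaining, unreviewed):
      fixed      - ticked entries absent from the fresh log
      remaining  - ticked entries still present (the fix did not stick)
      unreviewed - fresh-log entries that were never ticked; these need a
                   human decision, since most of them are legitimate
    """
    ticked = parse_entries(fix_list)
    present = parse_entries(fresh_log)
    fixed = [line for key, line in ticked.items() if key not in present]
    remaining = [line for key, line in ticked.items() if key in present]
    unreviewed = [line for key, line in present.items() if key not in ticked]
    return fixed, remaining, unreviewed


# Abridged from the first fix list in this thread.
FIX_LIST = r"""
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O2 - BHO: (no name) - {8E6354E6-9191-11D9-97A9-000C196928D0} - C:\WINDOWS\SYSTEM\BIHJ.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted Zone: *.windupdates.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
"""

# Abridged from the follow-up HijackThis log posted after that fix.
FRESH_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
"""

if __name__ == "__main__":
    fixed, remaining, unreviewed = verify_fix(FIX_LIST, FRESH_LOG)
    for title, lines in (("Gone from the fresh log", fixed),
                         ("Ticked but still present", remaining),
                         ("Never ticked, review by hand", unreviewed)):
        print(title + ":")
        for line in lines:
            print("  " + line)
```

On this sample the two O15 ProtocolDefaults entries come back as still present, which matches the helper ticking them again in the next round.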
-
Well, that's good to know. :)
Ok, done that, and here are fresh logs from Findit and Hijackthis respectively :
Directory of C:\WINDOWS\SYSTEM
LXBKMA GID 40,613 10-20-04 10:33p lxbkma.GID
FOLDER HTT 13,122 06-23-04 1:42p folder.htt
DESKTOP INI 266 06-23-04 1:42p desktop.ini
JETERR35 GID 10,820 02-03-04 8:44p jeterr35.GID
FFASTLOG TXT 23,598 01-05-04 5:29p FFASTLOG.TXT
5 file(s) 88,419 bytes
0 dir(s) 7,635.86 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------------ Locate.com Results ------------------
No matches found.
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\jesterss.dll: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\""
"PCCIOMON.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCIOMON.exe\""
"PCCClient.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\""
"Pop3trap.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disabled]
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
---------------> (Hijackthis log)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\IMPORTANT FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - HKCU\..\Run: [ares] "C:\MY DOCUMENTS\APEX\ARES.EXE" -h
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: STRINGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by12fd.bay12.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
-
Just for backup purposes, could you please manually back up your registry
Go to START>>RUN>>type in regedit
Hit OK
In the Reg. Editor>>>Ensure "My Computer" is highlighted
Click "Registry" at the top
"Export Registry File"
In the new box>> Save in "MyDocuments"
File Name>>Give it a Name Backup >>>Click SAVE
Let it finish saving and then Exit the Registry Editor
Do another scan with Hijackthis and put a check next to these entries:
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002144.cab
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Disconnect completely from the Internet
Close down all Browser windows, including this one
Ensure that you unzipped LSP fix earlier and you're not running it from within the Zipped file
With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of aklsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel (The Removal Pane). Click Finish <--you may have to scroll down a bit to see it, Finish is NOT the X button at the top
Restart the computer
Post back a fresh Hijackthis log afterwards
-
OK, here is the fresh Hijackthis log :
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\IMPORTANT FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - HKCU\..\Run: [ares] "C:\MY DOCUMENTS\APEX\ARES.EXE" -h
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: STRINGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by12fd.bay12.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
-
Looks good, how's everything on your end?
You can send this file to your recycle bin
c:\windows\system\aklsp.dll <--file if found
With all other windows closed, including this one, have Hijackthis fix this entry
O4 - Startup: STRINGS.EXE
No rush restarting, that's just a leftover entry from Findit.bat
You should run a Spyware Checker thru your computer
This is yours for free and to hang onto
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Stay safe
:D