Messages - kit23

1
Tech Clinic / hjt log
« on: February 07, 2005, 06:39:39 PM »
exactly. had to delete the 0000 first and then the legacy vdmt16. wouldn't allow it the other way around. even with registrar lite and taking ownership, etc.

thanks for your tireless efforts
by the way, besides backdoor/haxdoor what were the names of the other viruses?
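
The deletion order described in the post above (the 0000 subkey before its LEGACY_ parent), as an added example that is not part of the original thread: a Python parser for RegSrch-style REGEDIT4 output that groups leftover `Enum\Root\LEGACY_*` entries by control set and lists them children-first. The sample text is a constructed excerpt in the layout of the search results quoted in this thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the same REGEDIT4 layout as the
# search results quoted in this thread (ControlSet002 omitted for brevity).
SAMPLE = r"""REGEDIT4
; Registry search results for string "VDMT16"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
LEGACY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\([^\\]+)\\Enum\\Root\\(LEGACY_[^\\]+)(\\.*)?$",
    re.IGNORECASE,
)


def parse_reg(text):
    """Return {key_path: {value_name: data}}.

    The search tool prints a key header once for the key itself and again
    before each matching value, so repeated headers are merged.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def legacy_report(keys):
    """Group LEGACY_ device-node keys by entry name.

    CurrentControlSet is a link to one of the numbered ControlSetNNN keys, so
    hits under it mirror one numbered set rather than being separate data.
    """
    report = defaultdict(
        lambda: {"control_sets": set(), "services": set(), "keys": []}
    )
    for path, values in keys.items():
        m = LEGACY_RE.match(path)
        if not m:
            continue
        control_set, name = m.group(1), m.group(2).upper()
        entry = report[name]
        entry["control_sets"].add(control_set)
        entry["keys"].append(path)
        if "Service" in values:
            entry["services"].add(values["Service"])
    return dict(report)


def deletion_order(paths):
    """Children first: deeper key paths sort before their parents."""
    return sorted(paths, key=lambda p: (-p.count("\\"), p))


if __name__ == "__main__":
    for name, entry in legacy_report(parse_reg(SAMPLE)).items():
        print(name, sorted(entry["services"]), sorted(entry["control_sets"]))
        for path in deletion_order(entry["keys"]):
            print("  ", path)
```
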

2
Tech Clinic / hjt log
« on: February 07, 2005, 06:06:36 PM »
ok.

the 2 keys were not found initially in the current control set
all were gone after i used registrar lite (though i had to delete the subfolder first).

here's another log

 Volume in drive C has no label.
 Volume Serial Number is 78E6-2519

 Directory of C:\WINDOWS\SYSTEM32

~REMOVED LOG~

3
Tech Clinic / hjt log
« on: February 07, 2005, 04:59:33 PM »
well the mds search booster is gone

registry still has those 2:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "VDMT16" 2/7/2005 3:55:47 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "WINLOW" 2/7/2005 3:57:10 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

4
Tech Clinic / hjt log
« on: February 07, 2005, 12:16:58 AM »
here are the results (nothing for drct16)
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "vdmt16" 2/6/2005 11:05:32 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16\0000]
"Service"="vdmt16"


and


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "winlow" 2/6/2005 11:09:11 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW\0000]
"Service"="winlow"


in terms of the add/remove programs, nothing obviously wrong. but there are things i could be easily fooled about, such as MDS search booster

things seem to be working fine, normal in fact.

5
Tech Clinic / hjt log
« on: February 06, 2005, 06:13:33 PM »
sorry totally missed that
here's the log

 Volume in drive C has no label.
 Volume Serial Number is 78E6-2519

 Directory of C:\WINDOWS\SYSTEM32

~REMOVED LOG~
08/28/2002  03:00 PM            19,694 GRAPHICS.COM
08/28/2002  03:00 PM            21,232 GRAPHICS.PRO
08/28/2002  03:00 PM            66,082 C_28591.NLS
08/28/2002  03:00 PM            66,082 C_21866.NLS
08/28/2002  03:00 PM            66,082 C_20905.NLS
08/28/2002  03:00 PM            28,672 dbnmpntw.dll
08/28/2002  03:00 PM            66,082 C_20866.NLS
08/28/2002  03:00 PM            77,440 hal.dll
08/28/2002  03:00 PM           150,016 hdwwiz.cpl
08/28/2002  03:00 PM            14,848 HELP.EXE
08/28/2002  03:00 PM             9,216 wuauserv.dll
08/28/2002  03:00 PM           139,810 C_20261.NLS
08/28/2002  03:00 PM            66,082 C_20127.NLS
08/28/2002  03:00 PM            22,528 hid.dll
08/28/2002  03:00 PM            28,160 hidphone.tsp
08/28/2002  03:00 PM             4,768 HIMEM.SYS
08/28/2002  03:00 PM            77,850 HLINK.DLL
08/28/2002  03:00 PM            98,304 actxprxy.dll
08/28/2002  03:00 PM           240,640 hnetcfg.dll
08/28/2002  03:00 PM            14,848 HNETMON.DLL
08/28/2002  03:00 PM           315,904 hnetwiz.dll
08/28/2002  03:00 PM               929 HOMEPAGE.INF
08/28/2002  03:00 PM             7,680 HOSTNAME.EXE
08/28/2002  03:00 PM           137,216 hotplug.dll
08/28/2002  03:00 PM            57,344 admparse.dll
08/28/2002  03:00 PM            66,082 C_1258.NLS
08/28/2002  03:00 PM            66,082 C_1257.NLS
08/28/2002  03:00 PM            66,082 C_1256.NLS
08/28/2002  03:00 PM            66,082 C_1255.NLS
08/28/2002  03:00 PM            66,082 C_1254.NLS
08/28/2002  03:00 PM           139,264 dnsapi.dll
08/28/2002  03:00 PM            26,112 ADPTIF.DLL
08/28/2002  03:00 PM           162,816 adsldp.dll
08/28/2002  03:00 PM           139,776 adsldpc.dll
08/28/2002  03:00 PM            66,082 C_1253.NLS
08/28/2002  03:00 PM            66,082 C_1252.NLS
08/28/2002  03:00 PM            66,082 C_1251.NLS
08/28/2002  03:00 PM            66,082 C_1250.NLS
08/28/2002  03:00 PM            66,082 C_1026.NLS
08/28/2002  03:00 PM            66,082 C_10082.NLS
08/28/2002  03:00 PM            66,082 C_10081.NLS
08/28/2002  03:00 PM            66,082 C_10079.NLS
08/28/2002  03:00 PM            66,082 C_10029.NLS
08/28/2002  03:00 PM            66,082 C_10017.NLS
08/28/2002  03:00 PM            66,082 C_10010.NLS
08/28/2002  03:00 PM            66,082 C_10007.NLS
08/28/2002  03:00 PM            66,082 C_10006.NLS
08/28/2002  03:00 PM            66,082 C_10000.NLS
08/28/2002  03:00 PM            66,082 C_037.NLS
08/28/2002  03:00 PM            44,544 HTICONS.DLL
08/28/2002  03:00 PM            39,936 htui.dll
08/28/2002  03:00 PM             8,386 CTYPE.NLS
08/28/2002  03:00 PM            10,000 i.a3d
08/28/2002  03:00 PM            62,464 adsmsext.dll
08/28/2002  03:00 PM            17,408 wtsapi32.dll
08/28/2002  03:00 PM            61,440 DMVIEW.OCX
08/28/2002  03:00 PM            23,552 IASACCT.DLL
08/28/2002  03:00 PM            41,472 IASADS.DLL
08/28/2002  03:00 PM            32,256 IASHLPR.DLL
08/28/2002  03:00 PM            62,464 IASNAP.DLL
08/28/2002  03:00 PM            17,920 IASPOLCY.DLL
08/28/2002  03:00 PM           116,224 iasrad.dll
08/28/2002  03:00 PM           141,312 IASRECST.DLL
08/28/2002  03:00 PM            86,528 IASSAM.DLL
08/28/2002  03:00 PM           247,808 IASSDO.DLL
08/28/2002  03:00 PM            59,392 IASSVCS.DLL
08/28/2002  03:00 PM             9,216 icaapi.dll
08/28/2002  03:00 PM           110,592 iccvid.dll
08/28/2002  03:00 PM            16,384 ICFGNT5.DLL
08/28/2002  03:00 PM           236,032 icm32.dll
08/28/2002  03:00 PM             3,072 icmp.dll
08/28/2002  03:00 PM            54,784 ICMUI.DLL
08/28/2002  03:00 PM            27,200 CTL3DV2.DLL
08/28/2002  03:00 PM            27,136 CTL3D32.DLL
08/28/2002  03:00 PM           239,616 adsnt.dll
08/28/2002  03:00 PM            69,632 icwdial.dll
08/28/2002  03:00 PM            61,440 icwphbk.dll
08/28/2002  03:00 PM            60,458 IDEOGRAF.UCE
08/28/2002  03:00 PM           113,152 idq.dll
08/28/2002  03:00 PM            28,672 ie4uinit.exe
08/28/2002  03:00 PM           126,976 ieakeng.dll
08/28/2002  03:00 PM           204,288 ieaksie.dll
08/28/2002  03:00 PM           221,184 IEAKUI.DLL
08/28/2002  03:00 PM           294,912 iedkcs32.dll
08/28/2002  03:00 PM           231,424 iepeers.dll
08/28/2002  03:00 PM            23,040 iernonce.dll
08/28/2002  03:00 PM            59,392 iesetup.dll
08/28/2002  03:00 PM            19,514 ieuinit.inf
08/28/2002  03:00 PM            99,840 iexpress.exe
08/28/2002  03:00 PM           125,952 ifmon.dll
08/28/2002  03:00 PM            70,656 IFSUTIL.DLL
08/28/2002  03:00 PM             8,192 igmpagnt.dll
08/28/2002  03:00 PM            73,728 ils.dll
08/28/2002  03:00 PM            14,848 imaadp32.acm
08/28/2002  03:00 PM           126,976 imagehlp.dll
08/28/2002  03:00 PM           123,904 imapi.exe
08/28/2002  03:00 PM            36,922 imeshare.dll
08/28/2002  03:00 PM            30,208 imgutil.dll
08/28/2002  03:00 PM           103,936 imm32.dll
08/28/2002  03:00 PM            21,504 wsock32.dll
08/28/2002  03:00 PM            38,912 wsnmp32.dll
08/28/2002  03:00 PM           266,240 inetcfg.dll
08/28/2002  03:00 PM            13,312 ctfmon.exe
08/28/2002  03:00 PM           292,352 inetcpl.cpl
08/28/2002  03:00 PM           110,592 INETCPLC.DLL
08/28/2002  03:00 PM            31,232 inetmib1.dll
08/28/2002  03:00 PM            68,096 inetpp.dll
08/28/2002  03:00 PM            14,336 inetppui.dll
08/28/2002  03:00 PM            50,688 dmutil.dll
08/28/2002  03:00 PM            17,408 wshtcpip.dll
08/28/2002  03:00 PM           450,560 INFOSOFT.DLL
08/28/2002  03:00 PM           144,896 initpki.dll
08/28/2002  03:00 PM           114,176 input.dll
08/28/2002  03:00 PM            10,240 wshrm.dll
08/28/2002  03:00 PM           766,934 instcat.sql
08/28/2002  03:00 PM           121,856 intl.cpl
08/28/2002  03:00 PM            30,720 IOLOGMSG.DLL
08/28/2002  03:00 PM            16,384 ipconf.tsp
08/28/2002  03:00 PM            51,712 ipconfig.exe
08/28/2002  03:00 PM            82,944 iphlpapi.dll
08/28/2002  03:00 PM           154,112 IPMONTR.DLL
08/28/2002  03:00 PM           102,448 wshom.ocx
08/28/2002  03:00 PM           318,464 ippromon.dll
08/28/2002  03:00 PM             3,584 IPROP.DLL
08/28/2002  03:00 PM             4,096 IPRTPRIO.DLL
08/28/2002  03:00 PM           169,984 IPRTRMGR.DLL
08/28/2002  03:00 PM            44,032 IPSEC6.EXE
08/28/2002  03:00 PM           332,800 ipsecsnp.dll
08/28/2002  03:00 PM           155,648 ipsecsvc.dll
08/28/2002  03:00 PM             7,168 WSHNETBS.DLL
08/28/2002  03:00 PM           364,032 ipsmsnap.dll
08/28/2002  03:00 PM            60,928 ipv6.exe
08/28/2002  03:00 PM           134,144 ipv6mon.dll
08/28/2002  03:00 PM            83,968 IPXMONTR.DLL
08/28/2002  03:00 PM            69,120 IPXPROMN.DLL
08/28/2002  03:00 PM            21,504 IPXRIP.DLL
08/28/2002  03:00 PM            22,016 ipxroute.exe
08/28/2002  03:00 PM            39,936 IPXRTMGR.DLL
08/28/2002  03:00 PM            66,560 IPXSAP.DLL
08/28/2002  03:00 PM            20,992 IPXWAN.DLL
08/28/2002  03:00 PM           199,168 IR32_32.DLL
08/28/2002  03:00 PM            66,594 C_855.NLS
08/28/2002  03:00 PM            66,048 access.cpl
08/28/2002  03:00 PM            64,512 ACCTRES.DLL
08/28/2002  03:00 PM            21,504 dmserver.dll
08/28/2002  03:00 PM             7,168 DISKCOPY.COM
08/28/2002  03:00 PM            14,336 dmremote.exe
08/28/2002  03:00 PM            13,312 IRCLASS.DLL
08/28/2002  03:00 PM            77,824 isign32.dll
08/28/2002  03:00 PM            28,672 isrdbg32.dll
08/28/2002  03:00 PM            11,776 WSHISN.DLL
08/28/2002  03:00 PM            73,728 CSSEQCHK.DLL
08/28/2002  03:00 PM             4,096 csrss.exe
08/28/2002  03:00 PM            29,184 csrsrv.dll
08/28/2002  03:00 PM            19,456 DMOCX.DLL
08/28/2002  03:00 PM            13,312 wship6.dll
08/28/2002  03:00 PM            49,664 ixsso.dll
08/28/2002  03:00 PM            45,568 iyuv_32.dll
08/28/2002  03:00 PM            65,585 wshext.dll
08/28/2002  03:00 PM           307,712 cscui.dll
08/28/2002  03:00 PM           102,450 cscript.exe
08/28/2002  03:00 PM            53,248 cryptnet.dll
08/28/2002  03:00 PM            48,640 cryptext.dll
08/28/2002  03:00 PM            29,184 cryptdll.dll
08/28/2002  03:00 PM            70,144 cryptdlg.dll
08/28/2002  03:00 PM             1,740 dcache.bin
08/28/2002  03:00 PM           149,019 CRTDLL.DLL
08/28/2002  03:00 PM           362,496 JET500.DLL
08/28/2002  03:00 PM            28,721 wshcon.dll
08/28/2002  03:00 PM            44,544 JGAW400.DLL
08/28/2002  03:00 PM           144,896 JGDW400.DLL
08/28/2002  03:00 PM             9,216 WSHATM.DLL
08/28/2002  03:00 PM            35,840 JGMD400.DLL
08/28/2002  03:00 PM            42,496 JGPL400.DLL
08/28/2002  03:00 PM            45,568 JGSD400.DLL
08/28/2002  03:00 PM            65,536 JGSH400.DLL
08/28/2002  03:00 PM           158,720 credui.dll
08/28/2002  03:00 PM            47,952 JOBEXEC.DLL
08/28/2002  03:00 PM            66,594 C_852.NLS
08/28/2002  03:00 PM           118,834 wscript.exe
08/28/2002  03:00 PM            27,097 COUNTRY.SYS
08/28/2002  03:00 PM            12,288 jsproxy.dll
08/28/2002  03:00 PM            14,877 corpol.dll
08/28/2002  03:00 PM            13,824 CONVERT.EXE
08/28/2002  03:00 PM             6,948 KANJI_1.UCE
08/28/2002  03:00 PM             8,484 KANJI_2.UCE
08/28/2002  03:00 PM            14,710 KB16.COM
08/28/2002  03:00 PM             6,656 KBDAL.DLL
08/28/2002  03:00 PM             5,632 KBDAZE.DLL
08/28/2002  03:00 PM             5,632 KBDAZEL.DLL
08/28/2002  03:00 PM             6,144 KBDBE.DLL
08/28/2002  03:00 PM             6,144 KBDBENE.DLL
08/28/2002  03:00 PM             5,632 KBDBLR.DLL
08/28/2002  03:00 PM             6,144 KBDBR.DLL
08/28/2002  03:00 PM             5,632 KBDBU.DLL
08/28/2002  03:00 PM             6,144 KBDCA.DLL
08/28/2002  03:00 PM             7,680 KBDCAN.DLL
08/28/2002  03:00 PM             6,656 KBDCR.DLL
08/28/2002  03:00 PM             7,168 KBDCZ.DLL
08/28/2002  03:00 PM             6,656 KBDCZ1.DLL
08/28/2002  03:00 PM             6,656 KBDCZ2.DLL
08/28/2002  03:00 PM             6,144 KBDDA.DLL
08/28/2002  03:00 PM             5,120 KBDDV.DLL
08/28/2002  03:00 PM             6,144 KBDES.DLL
08/28/2002  03:00 PM             6,144 KBDEST.DLL
08/28/2002  03:00 PM             6,144 KBDFC.DLL
08/28/2002  03:00 PM             6,144 KBDFI.DLL
08/28/2002  03:00 PM             6,144 KBDFO.DLL
08/28/2002  03:00 PM             6,144 KBDFR.DLL
08/28/2002  03:00 PM             5,632 KBDGAE.DLL
08/28/2002  03:00 PM             6,144 KBDGKL.DLL
08/28/2002  03:00 PM             6,144 KBDGR.DLL
08/28/2002  03:00 PM             6,144 KBDGR1.DLL
08/28/2002  03:00 PM             5,632 KBDHE.DLL
08/28/2002  03:00 PM             5,632 KBDHE220.DLL
08/28/2002  03:00 PM             5,632 KBDHE319.DLL
08/28/2002  03:00 PM             6,144 KBDHELA2.DLL
08/28/2002  03:00 PM             6,656 KBDHELA3.DLL
08/28/2002  03:00 PM             8,192 KBDHEPT.DLL
08/28/2002  03:00 PM             6,656 KBDHU.DLL
08/28/2002  03:00 PM             5,632 KBDHU1.DLL
08/28/2002  03:00 PM             6,144 KBDIC.DLL
08/28/2002  03:00 PM             5,632 KBDIR.DLL
08/28/2002  03:00 PM             5,632 KBDIT.DLL
08/28/2002  03:00 PM             5,632 KBDIT142.DLL
08/28/2002  03:00 PM             5,632 KBDKAZ.DLL
08/28/2002  03:00 PM             5,632 KBDKYR.DLL
08/28/2002  03:00 PM             6,656 KBDLA.DLL
08/28/2002  03:00 PM             5,632 KBDLT.DLL
08/28/2002  03:00 PM             5,632 KBDLT1.DLL
08/28/2002  03:00 PM             6,144 KBDLV.DLL
08/28/2002  03:00 PM             6,144 KBDLV1.DLL
08/28/2002  03:00 PM             6,144 KBDMAC.DLL
08/28/2002  03:00 PM             5,632 KBDMON.DLL
08/28/2002  03:00 PM             6,144 KBDNE.DLL
08/28/2002  03:00 PM             7,168 KBDNEC.DLL
08/28/2002  03:00 PM             6,144 KBDNO.DLL
08/28/2002  03:00 PM             6,656 KBDPL.DLL
08/28/2002  03:00 PM             5,632 KBDPL1.DLL
08/28/2002  03:00 PM             6,144 KBDPO.DLL
08/28/2002  03:00 PM             5,632 KBDRO.DLL
08/28/2002  03:00 PM             5,632 KBDRU.DLL
08/28/2002  03:00 PM             5,632 KBDRU1.DLL
08/28/2002  03:00 PM             6,144 KBDSF.DLL
08/28/2002  03:00 PM             6,656 KBDSG.DLL
08/28/2002  03:00 PM             6,656 KBDSL.DLL
08/28/2002  03:00 PM             6,656 KBDSL1.DLL
08/28/2002  03:00 PM             6,144 KBDSP.DLL
08/28/2002  03:00 PM             6,144 KBDSW.DLL
08/28/2002  03:00 PM             5,632 KBDTAT.DLL
08/28/2002  03:00 PM             6,144 KBDTUF.DLL
08/28/2002  03:00 PM             6,144 KBDTUQ.DLL
08/28/2002  03:00 PM             5,632 KBDUK.DLL
08/28/2002  03:00 PM             5,632 KBDUR.DLL
08/28/2002  03:00 PM             5,632 KBDUS.DLL
08/28/2002  03:00 PM             6,144 KBDUSL.DLL
08/28/2002  03:00 PM             6,144 KBDUSR.DLL
08/28/2002  03:00 PM             6,144 KBDUSX.DLL
08/28/2002  03:00 PM             5,632 KBDUZB.DLL
08/28/2002  03:00 PM             5,632 KBDYCC.DLL
08/28/2002  03:00 PM             6,656 KBDYCL.DLL
08/28/2002  03:00 PM            75,264 ws2_32.dll
08/28/2002  03:00 PM             7,040 kd1394.dll
08/28/2002  03:00 PM             7,040 KDCOM.DLL
08/28/2002  03:00 PM           272,896 kerberos.dll
08/28/2002  03:00 PM             8,192 CONTROL.EXE
08/28/2002  03:00 PM            42,809 KEY01.SYS
08/28/2002  03:00 PM             2,000 KEYBOARD.DRV
08/28/2002  03:00 PM            42,537 KEYBOARD.SYS
08/28/2002  03:00 PM           146,432 keymgr.dll
08/28/2002  03:00 PM            66,560 CONSOLE.DLL
08/28/2002  03:00 PM            32,256 kmddsp.tsp
08/28/2002  03:00 PM            18,944 ws2help.dll
08/28/2002  03:00 PM            12,876 KOREAN.UCE
08/28/2002  03:00 PM             5,632 WRITE.EXE
08/28/2002  03:00 PM            29,184 wpnpinst.exe
08/28/2002  03:00 PM            24,576 conime.exe
08/28/2002  03:00 PM             2,233 12520850.CPX
08/28/2002  03:00 PM             2,151 12520437.CPX
08/28/2002  03:00 PM           345,600 CONFMSP.DLL
08/28/2002  03:00 PM           986,112 danim.dll
08/28/2002  03:00 PM            18,432 DMINTF.DLL
08/28/2002  03:00 PM           147,456 COMSNAP.DLL
08/28/2002  03:00 PM           290,816 l3codeca.acm
08/28/2002  03:00 PM            31,232 wpabaln.exe
08/28/2002  03:00 PM            47,616 D3DXOF.DLL
08/28/2002  03:00 PM             9,728 LABEL.EXE
08/28/2002  03:00 PM            89,600 LANGWRBK.DLL
08/28/2002  03:00 PM           221,600 LANMAN.DRV
08/28/2002  03:00 PM            79,360 diantz.exe
08/28/2002  03:00 PM           558,080 advapi32.dll
08/28/2002  03:00 PM            13,824 WOWFAXUI.DLL
08/28/2002  03:00 PM           792,064 comres.dll
08/28/2002  03:00 PM             3,200 WOWFAX.DLL
08/28/2002  03:00 PM            10,368 WOWEXEC.EXE
08/28/2002  03:00 PM             2,736 WOWDEB.EXE
08/28/2002  03:00 PM            91,136 advpack.dll
08/28/2002  03:00 PM           258,048 wmvds32.ax
08/28/2002  03:00 PM           394,240 DIACTFRM.DLL
08/28/2002  03:00 PM           446,464 WMVDMOE.DLL
08/28/2002  03:00 PM            74,240 DHCPSAPI.DLL
08/28/2002  03:00 PM         1,677,312 WMVCORE2.DLL
08/28/2002  03:00 PM           370,176 DHCPMON.DLL
08/28/2002  03:00 PM            91,648 ahui.exe
08/28/2002  03:00 PM           278,559 wmv8ds32.ax
08/28/2002  03:00 PM           311,327 WMV8DMOD.DLL
08/28/2002  03:00 PM           367,616 licdll.dll
08/28/2002  03:00 PM            19,456 licmgr10.dll
08/28/2002  03:00 PM            57,856 licwmi.dll
08/28/2002  03:00 PM            29,696 LIGHTS.EXE
08/28/2002  03:00 PM            82,432 COMREPL.DLL
08/28/2002  03:00 PM            12,288 lmhsvc.dll
08/28/2002  03:00 PM           381,440 lmrt.dll
08/28/2002  03:00 PM            25,088 LNKSTUB.EXE
08/28/2002  03:00 PM             1,131 LOADFIX.COM
08/28/2002  03:00 PM            91,648 loadperf.dll
08/28/2002  03:00 PM           296,448 wmstream.dll
08/28/2002  03:00 PM           209,010 locale.nls
08/28/2002  03:00 PM           202,752 localsec.dll
08/28/2002  03:00 PM           295,936 localspl.dll
08/28/2002  03:00 PM            10,240 localui.dll
08/28/2002  03:00 PM            99,840 dhcpcsvc.dll
08/28/2002  03:00 PM             5,120 LODCTR.EXE
08/28/2002  03:00 PM            85,020 DGSETUP.DLL
08/28/2002  03:00 PM            50,176 LOGHOURS.DLL
08/28/2002  03:00 PM            15,360 LOGOFF.EXE
08/28/2002  03:00 PM           219,648 logon.scr
08/28/2002  03:00 PM           504,320 logonui.exe
08/28/2002  03:00 PM            66,594 C_857.NLS
08/28/2002  03:00 PM            18,944 lpk.dll
08/28/2002  03:00 PM             6,144 LPQ.EXE
08/28/2002  03:00 PM             8,192 LPR.EXE
08/28/2002  03:00 PM             8,704 lprhelp.dll
08/28/2002  03:00 PM             9,216 LPRMONUI.DLL
08/28/2002  03:00 PM           176,157 DGRPSETU.DLL
08/28/2002  03:00 PM           222,208 compstui.dll
08/28/2002  03:00 PM            11,776 lsass.exe
08/28/2002  03:00 PM           103,424 dgnet.dll
08/28/2002  03:00 PM            25,600 dfsshlex.dll
08/28/2002  03:00 PM           118,784 wmsdmoe.dll
08/28/2002  03:00 PM           113,152 dfrgui.dll
08/28/2002  03:00 PM         1,404,928 wmpui.dll
08/28/2002  03:00 PM            77,824 WMPSTUB.EXE
08/28/2002  03:00 PM            77,824 wmpshell.dll
08/28/2002  03:00 PM            41,984 alg.exe
08/28/2002  03:00 PM         1,998,848 wmploc.dll
08/28/2002  03:00 PM            15,872 alrsvc.dll
08/28/2002  03:00 PM           253,952 wmpcd.dll
08/28/2002  03:00 PM            42,166 LUSRMGR.MSC
08/28/2002  03:00 PM            25,600 AAAAMON.DLL
08/28/2002  03:00 PM             2,560 LZ32.DLL
08/28/2002  03:00 PM             9,936 LZEXPAND.DLL
08/28/2002  03:00 PM               168 L_EXCEPT.NLS
08/28/2002  03:00 PM             7,046 L_INTL.NLS
08/28/2002  03:00 PM            35,328 dfrgsnap.dll
08/28/2002  03:00 PM             8,192 MAG_HOOK.DLL
08/28/2002  03:00 PM           187,904 MAIN.CPL
08/28/2002  03:00 PM            79,360 makecab.exe
08/28/2002  03:00 PM            51,200 DFRGRES.DLL
08/28/2002  03:00 PM           112,128 MAPI32.DLL
08/28/2002  03:00 PM            18,944 WMIPROP.DLL
08/28/2002  03:00 PM           112,128 MAPISTUB.DLL
08/28/2002  03:00 PM            30,160 COMPOBJ.DLL
08/28/2002  03:00 PM            12,800 mcastmib.dll
08/28/2002  03:00 PM            10,240 MCD32.DLL
08/28/2002  03:00 PM            10,496 MCDSRV32.DLL
08/28/2002  03:00 PM             4,608 MCHGRCOI.DLL
08/28/2002  03:00 PM            73,376 MCIAVI.DRV
08/28/2002  03:00 PM            80,384 mciavi32.dll
08/28/2002  03:00 PM            17,408 MCICDA.DLL
08/28/2002  03:00 PM           118,784 DMDSKRES.DLL
08/28/2002  03:00 PM             8,192 MCIOLE16.DLL
08/28/2002  03:00 PM             7,680 MCIOLE32.DLL
08/28/2002  03:00 PM           350,208 D3DRM.DLL
08/28/2002  03:00 PM            20,992 mciseq.dll
08/28/2002  03:00 PM            25,264 MCISEQ.DRV
08/28/2002  03:00 PM            22,016 mciwave.dll
08/28/2002  03:00 PM            28,160 MCIWAVE.DRV
08/28/2002  03:00 PM            50,176 MDHCP.DLL
08/28/2002  03:00 PM           108,544 mdminst.dll
08/28/2002  03:00 PM           184,320 dmdskmgr.dll
08/28/2002  03:00 PM           147,968 MDWMDMSP.DLL
08/28/2002  03:00 PM            39,274 MEM.EXE
08/28/2002  03:00 PM            38,302 COMPMGMT.MSC
08/28/2002  03:00 PM           924,432 MFC40.DLL
08/28/2002  03:00 PM           924,432 MFC40U.DLL
08/28/2002  03:00 PM           995,383 mfc42.dll
08/28/2002  03:00 PM            63,488 WMIMGMT.MSC
08/28/2002  03:00 PM           995,384 mfc42u.dll
08/28/2002  03:00 PM            89,600 WMIDX.OCX
08/28/2002  03:00 PM            99,328 dfrgntfs.exe
08/28/2002  03:00 PM           238,592 compatui.dll
08/28/2002  03:00 PM            17,408 COMPACT.EXE
08/28/2002  03:00 PM            15,872 COMP.EXE
08/28/2002  03:00 PM            32,816 COMMDLG.DLL
08/28/2002  03:00 PM            50,620 COMMAND.COM
08/28/2002  03:00 PM            10,544 COMM.DRV
08/28/2002  03:00 PM             5,632 wmi.dll
08/28/2002  03:00 PM            51,200 WMERRENU.DLL
08/28/2002  03:00 PM           258,048 comdlg32.dll
08/28/2002  03:00 PM            76,288 dfrgfat.exe
08/28/2002  03:00 PM           557,056 comctl32.dll
08/28/2002  03:00 PM            41,397 DFRG.MSC
08/28/2002  03:00 PM           263,168 devmgr.dll
08/28/2002  03:00 PM            20,992 mfcsubs.dll
08/28/2002  03:00 PM            33,079 DEVMGMT.MSC
08/28/2002  03:00 PM            12,800 mgmtapi.dll
08/28/2002  03:00 PM            46,258 MIB.BIN
08/28/2002  03:00 PM            17,920 midimap.dll
08/28/2002  03:00 PM            56,320 miglibnt.dll
08/28/2002  03:00 PM            51,712 MIGPWD.EXE
08/28/2002  03:00 PM            18,944 MIMEFILT.DLL
08/28/2002  03:00 PM           163,840 MINDEX.DLL
08/28/2002  03:00 PM           673,088 MLANG.DAT
08/28/2002  03:00 PM           577,024 mlang.dll
08/28/2002  03:00 PM             3,584 MLL_HP.DLL
08/28/2002  03:00 PM           273,920 DMDLGS.DLL
08/28/2002  03:00 PM             5,632 MLL_QIC.DLL
08/28/2002  03:00 PM           774,144 mmc.exe
08/28/2002  03:00 PM            66,560 mmcbase.dll
08/28/2002  03:00 PM         1,128,960 mmcndmgr.dll
08/28/2002  03:00 PM            46,592 mmcshext.dll
08/28/2002  03:00 PM             1,490 MMDRIVER.INF
08/28/2002  03:00 PM            12,288 MMDRV.DLL
08/28/2002  03:00 PM            16,384 mmfutil.dll
08/28/2002  03:00 PM           559,616 mmsys.cpl
08/28/2002  03:00 PM            68,928 mmsystem.dll
08/28/2002  03:00 PM             1,152 MMTASK.TSK
08/28/2002  03:00 PM           119,808 MMUTILSE.DLL
08/28/2002  03:00 PM            32,256 mnmdd.dll
08/28/2002  03:00 PM            32,768 mnmsrvc.exe
08/28/2002  03:00 PM           196,096 mobsync.dll
08/28/2002  03:00 PM           135,680 mobsync.exe
08/28/2002  03:00 PM            19,456 MODE.COM
08/28/2002  03:00 PM           145,408 modemui.dll
08/28/2002  03:00 PM            10,112 MODEX.DLL
08/28/2002  03:00 PM            15,872 MORE.COM
08/28/2002  03:00 PM           210,944 moricons.dll
08/28/2002  03:00 PM             8,192 MOUNTVOL.EXE
08/28/2002  03:00 PM             2,032 MOUSE.DRV
08/28/2002  03:00 PM            66,594 C_860.NLS
08/28/2002  03:00 PM                 2 DESKTOP.INI
08/28/2002  03:00 PM            18,432 DESKPERF.DLL
08/28/2002  03:00 PM           590,336 D3DRAMP.DLL
08/28/2002  03:00 PM            16,896 DESKMON.DLL
08/28/2002  03:00 PM           262,144 mpg4ds32.ax
08/28/2002  03:00 PM           116,736 mplay32.exe
08/28/2002  03:00 PM            22,016 MPNOTIFY.EXE
08/28/2002  03:00 PM            55,808 mpr.dll
08/28/2002  03:00 PM            79,360 mprapi.dll
08/28/2002  03:00 PM            69,120 MPRDDM.DLL
08/28/2002  03:00 PM            49,152 MPRDIM.DLL
08/28/2002  03:00 PM            99,840 MPRMSG.DLL
08/28/2002  03:00 PM            47,104 MPRUI.DLL
08/28/2002  03:00 PM            12,800 MRINFO.EXE
08/28/2002  03:00 PM            86,528 wlnotify.dll
08/28/2002  03:00 PM           102,912 MSAATEXT.DLL
08/28/2002  03:00 PM            16,384 DESKADP.DLL
08/28/2002  03:00 PM            67,072 msacm32.dll
08/28/2002  03:00 PM            20,480 MSACM32.DRV
08/28/2002  03:00 PM           221,184 msadds32.ax
08/28/2002  03:00 PM            13,312 msadp32.acm
08/28/2002  03:00 PM             3,584 msafd.dll
08/28/2002  03:00 PM            80,128 msapsspc.dll
08/28/2002  03:00 PM           168,448 wldap32.dll
08/28/2002  03:00 PM           294,912 msaud32.acm
08/28/2002  03:00 PM            65,024 MSAUDITE.DLL
08/28/2002  03:00 PM             3,584 COMCAT.DLL
08/28/2002  03:00 PM             7,168 MSCAT32.DLL
08/28/2002  03:00 PM               817 MSCDEXNT.EXE
08/28/2002  03:00 PM            25,600 COMADDIN.DLL
08/28/2002  03:00 PM            34,816 D3DPMESH.DLL
08/28/2002  03:00 PM             9,029 ANSI.SYS
08/28/2002  03:00 PM            65,536 msconf.dll
08/28/2002  03:00 PM            26,624 CNVFAT.DLL
08/28/2002  03:00 PM            32,768 CNETCFG.DLL
08/28/2002  03:00 PM            45,568 cnbjmon.dll
08/28/2002  03:00 PM            12,288 mscpx32r.dll
08/28/2002  03:00 PM            36,864 mscpxl32.dll
08/28/2002  03:00 PM           266,752 msctf.dll
08/28/2002  03:00 PM           162,304 msctfime.ime
08/28/2002  03:00 PM            67,584 msctfp.dll
08/28/2002  03:00 PM            36,352 cmutil.dll
08/28/2002  03:00 PM            12,288 msdatsrc.tlb
08/28/2002  03:00 PM            66,594 C_866.NLS
08/28/2002  03:00 PM             6,144 msdtc.exe
08/28/2002  03:00 PM            54,784 msdtclog.dll
08/28/2002  03:00 PM               768 MSDTCPRF.H
08/28/2002  03:00 PM             1,931 MSDTCPRF.INI
08/28/2002  03:00 PM            54,784 cmstp.exe
08/28/2002  03:00 PM           174,592 cmprops.dll
08/28/2002  03:00 PM            14,336 CMPBK32.DLL
08/28/2002  03:00 PM                64 CMOS.RAM
08/28/2002  03:00 PM            35,840 cmmon32.exe
08/28/2002  03:00 PM             4,126 msdxmlc.dll
08/28/2002  03:00 PM            94,282 MSENCODE.DLL
08/28/2002  03:00 PM             4,096 winver.exe
08/28/2002  03:00 PM            61,172 CMMGR32.HLP
08/28/2002  03:00 PM           166,912 wintrust.dll
08/28/2002  03:00 PM            41,472 cmdl32.exe
08/28/2002  03:00 PM            18,944 WINSTRM.DLL
08/28/2002  03:00 PM           504,832 msftedit.dll
08/28/2002  03:00 PM            20,992 MSG.EXE
08/28/2002  03:00 PM             9,216 MSG711.ACM
08/28/2002  03:00 PM           118,784 MSG723.ACM
08/28/2002  03:00 PM           324,608 cmdial32.dll
08/28/2002  03:00 PM            19,968 MSGSM32.ACM
08/28/2002  03:00 PM           375,808 cmd.exe
08/28/2002  03:00 PM            48,128 winsta.dll
08/28/2002  03:00 PM             2,112 WINSPOOL.EXE
08/28/2002  03:00 PM           184,320 msh261.drv
08/28/2002  03:00 PM           286,720 msh263.drv
08/28/2002  03:00 PM           126,976 MSHEARTS.EXE
08/28/2002  03:00 PM            24,064 mshta.exe
08/28/2002  03:00 PM            12,288 cmcfg32.dll
08/28/2002  03:00 PM         1,350,656 mshtml.tlb
08/28/2002  03:00 PM           440,320 mshtmled.dll
08/28/2002  03:00 PM            56,320 mshtmler.dll
08/28/2002  03:00 PM         2,086,400 msi.dll
08/28/2002  03:00 PM           132,096 winspool.drv
08/28/2002  03:00 PM             5,120 msidle.dll
08/28/2002  03:00 PM            14,848 MSIDNTLD.DLL
08/28/2002  03:00 PM           229,888 msieftp.dll
08/28/2002  03:00 PM            64,512 msiexec.exe
08/28/2002  03:00 PM           305,664 msihnd.dll
08/28/2002  03:00 PM             4,608 msimg32.dll
08/28/2002  03:00 PM           847,872 msimsg.dll
08/28/2002  03:00 PM           143,872 msimtf.dll
08/28/2002  03:00 PM             2,864 WINSOCK.DLL
08/28/2002  03:00 PM           368,710 MSISAM11.DLL
08/28/2002  03:00 PM            39,936 msisip.dll
08/28/2002  03:00 PM            54,272 clusapi.dll
08/28/2002  03:00 PM            30,720 clipsrv.exe
08/28/2002  03:00 PM            93,184 winscard.dll
08/28/2002  03:00 PM            98,816 clipbrd.exe
08/28/2002  03:00 PM            24,576 cliconfg.rll
08/28/2002  03:00 PM            14,848 winrnr.dll
08/28/2002  03:00 PM            45,632 cliconfg.exe
08/28/2002  03:00 PM             2,080 WINOLDAP.MOD
08/28/2002  03:00 PM           762,368 winntbbu.dll
08/28/2002  03:00 PM           127,552 cliconfg.dll
08/28/2002  03:00 PM            71,859 CLICONF.CHM
08/28/2002  03:00 PM            22,528 mslbui.dll
08/28/2002  03:00 PM             5,120 WINNLS.DLL
08/28/2002  03:00 PM           146,432 MSLS31.DLL
08/28/2002  03:00 PM            11,776 WINMSD.EXE
08/28/2002  03:00 PM            61,440 cleanmgr.exe
08/28/2002  03:00 PM           171,520 winmm.dll
08/28/2002  03:00 PM           119,808 WINMINE.EXE
08/28/2002  03:00 PM           129,024 desk.cpl
08/28/2002  03:00 PM           319,760 msnsspc.dll
08/28/2002  03:00 PM            33,280 MSOBJS.DLL
08/28/2002  03:00 PM            10,752 CLB.DLL
08/28/2002  03:00 PM             7,680 CKCNV.EXE
08/28/2002  03:00 PM            20,480 msorc32r.dll

6
Tech Clinic / hjt log
« on: February 06, 2005, 05:24:24 PM »
here it is.

Logfile of HijackThis v1.99.0
Scan saved at 4:23:12 PM, on 2/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://icare.cdh.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

L2Mfix 1.02a
 
Running From:
C:\Documents and Settings\KenW\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      Everyone
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\KenW\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\KenW\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1244 'explorer.exe'
Killing PID 1244 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
 
Zipping up files for submission:
  adding: clear.reg (164 bytes security) (deflated 2%)
  adding: echo.reg (164 bytes security) (deflated 8%)
  adding: direct.txt (164 bytes security) (stored 0%)
  adding: lo2.txt (164 bytes security) (deflated 70%)
  adding: readme.txt (164 bytes security) (deflated 49%)
  adding: report.txt (164 bytes security) (deflated 63%)
  adding: test.txt (164 bytes security) (stored 0%)
  adding: test2.txt (164 bytes security) (stored 0%)
  adding: test3.txt (164 bytes security) (stored 0%)
  adding: test5.txt (164 bytes security) (stored 0%)
  adding: backregs/shell.reg (164 bytes security) (deflated 74%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


7
Tech Clinic / hjt log
« on: February 06, 2005, 02:50:35 PM »
so i restored the original hosts file from toadbee

these are the files since 2/2/05
T.COM 2/2
TSKMGR.COM  2/2

these on 2/6
locate.com
NTrights.exe
Process.exe
Reboot.exe
RegDACL.exe
strings.exe
zip.exe

there are a LOT of files created on 2/1/05

8
Tech Clinic / hjt log
« on: February 06, 2005, 10:02:07 AM »
the only file left was vdnt32.sys
i deleted it manually
 
saw this on the sophos website for Troj/Haxdoor-O
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\
Type
Start
ErrorControl
ImagePath
DisplayName
Security\
Security\Security

so i checked the registry and didn't find vdnt32 folder listed

only those 4 entries (and default) in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

hjt notepad was actually a blank box with no writing at all

9
Tech Clinic / hjt log
« on: February 05, 2005, 06:36:51 PM »
i just did a search of c:\ for exe files less than 100kb

those same 5 files came up as created on 2/5 at 4:54pm (40min ago) in a folder called

C:\!Submit

they are listed as modified on 2/3

there are also 6 files (5 are 23kb, 1 is 9kb) created on 2/3
they are in c:\system volume information\_restore ...etc and are called A0017964.exe etc

hope this makes sense/helps

10
Tech Clinic / hjt log
« on: February 05, 2005, 06:15:07 PM »
ok.

there weren't any files of the same date and size
the 5 files were deleted normally without reboot
they were gone when rechecked

mszx23.exe was not found in registry


when i looked back for new files created, there were none from today but i noticed tmpf00.exe created on 2/3/05 within the timeframe of the other killed files (all 23kb and created over 2-3 hours)
left it alone for now

here are the export lists (no standard profile seen)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:enabled:explorer"


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/axofupld.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/easyupld.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/liborca.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/liborca_comm.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/NeoterisSetup.ocx]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/NeoterisSetupDll.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ofutils.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ofxml.dll]
".Owner"="{6F750200-1362-4815-A476-88533DE61D0C}"
"{6F750200-1362-4815-A476-88533DE61D0C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll]
".Owner"="{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}"
"{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_de.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_en.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_es.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_fr.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_ja.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_ko.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_zh.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/setupResource_zh_cn.dll]
".Owner"="{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"
"{4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/opuc.dll]
".Owner"="{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}"
"{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}"=""


Logfile of HijackThis v1.99.0
Scan saved at 5:10:13 PM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://icare.cdh.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


well that's all i got for now.

11
Tech Clinic / hjt log
« on: February 03, 2005, 11:39:37 PM »
W32TM.EXE was related to windows time service diagnostic tool

java: there was no folder v1.0. there was nothing in javapi (and hidden folders/files/etc still are showing)

added the ie-spyad (actually usually use firefox but some things just need IE) to my spywareblaster

did you want another hjt log? here it is in case

Logfile of HijackThis v1.99.0
Scan saved at 10:33:58 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



everything's working great now!

last question, previously i had used zone alarm as my firewall and had been worried about service Pack 2. Would you suggest getting rid of zone alarm and using SP2 as my firewall?

once again, thanks for your tireless efforts.

12
Tech Clinic / hjt log
« on: February 03, 2005, 09:59:21 PM »
oh, didn't log in. well, who else would write all that?

13
Tech Clinic / hjt log
« on: February 03, 2005, 05:12:04 PM »
well this is getting more and more fun!
zone alarm seems to be working now

minor issues with above:
the cache tab in java was the temp internet files, right? deleted...

the mszx23.exe !! wasn't there the first hjt scan. however it was there at the final hjt scan so i fixed it then and rescanned and this is the new log

Logfile of HijackThis v1.99.0
Scan saved at 4:07:52 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

here is the rkfiles log

C:\Documents and Settings\KenW\Desktop\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\blfqaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\cxkcqdre.exe: UPX!
C:\WINDOWS\SYSTEM32\hdnlppom.exe: UPX!
C:\WINDOWS\SYSTEM32\huraaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\ripaaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\UC3D.scr: UPX!
C:\WINDOWS\SYSTEM32\ydufaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

14
Tech Clinic / hjt log
« on: February 03, 2005, 02:18:30 PM »
ok here it is

all in keep side
mswsock.dll Tcpip
winrnr.dll NTDS
rsvpsp.dll (Protocol Handler)

nothing on remove side

15
Tech Clinic / hjt log
« on: February 03, 2005, 12:15:24 PM »
ok guestolo. here are the logs

Scanned at: 11:09:09 AM   on: 2/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.99.0
Scan saved at 11:13:44 AM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

16
Tech Clinic / hjt log
« on: February 03, 2005, 10:12:02 AM »
ok done.
but aboutbuster wouldn't update. said error, etc.

here are the logs

Scanned at: 8:59:02 AM   on: 2/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed! : C:\WINDOWS\System32\nthst32.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 9:05:59 AM   on: 2/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


now IE is randomly hijacked and taken to a search page as well.

17
Tech Clinic / hjt log
« on: February 02, 2005, 10:49:43 PM »
wow that took a while but all's done as you said. there's a lot to read

escan:
File C:\WINDOWS\SYSTEM32\VDMT16.SYS infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_20.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_64.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_10.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\polall1t.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bilfqaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\boqwsbyd.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dnbjtaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gtvlmooj.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lsgnaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msbar.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nvwixhxn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\oxdqyaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\pmbaneyn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tibs3.exe infected by "Trojan-Downloader.Win32.Tibser.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbejaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\whxsyqih.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\xpxicmld.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\yldaaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0000.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00DC0001.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00000.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00001.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B00002.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07900000.VBN infected by "TrojanDownloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0000.VBN infected by "Backdoor.Win32.Haxdoor.be" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\KenW\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5f5d0f17-147abb63.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\UselessCreations\Matrix3DSetup.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Windows Media Player\wmplayer.exe.tmp infected by "TrojanDropper.Win32.Small.ge" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008510.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008521.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008526.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008631.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP80\A0008652.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0008683.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008817.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008844.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008854.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008873.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0008884.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0009434.exe infected by "not-a-virus:AdWare.BiSpy.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0009891.dll infected by "not-a-virus:AdWare.BiSpy.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0015410.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017279.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017294.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017302.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017309.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017322.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017330.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017340.exe infected by "Trojan.Win32.StartPage.ag" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017341.exe infected by "TrojanDownloader.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017342.exe infected by "TrojanDownloader.Win32.Small.kl" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017352.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017367.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017369.sys infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017371.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017375.sys infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0017534.exe infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_20.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_40.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_64.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_10.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\polall1t.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\bilfqaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\boqwsbyd.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\cz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dnbjtaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\gtvlmooj.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\hz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\lsgnaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msbar.exe infected by "not-a-virus:AdWare.WinFetcher.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\nvwixhxn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\oxdqyaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\pmbaneyn.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\tibs3.exe infected by "Trojan-Downloader.Win32.Tibser.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\vbejaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\whxsyqih.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\xpxicmld.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\yldaaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.

and new HJT:
Logfile of HijackThis v1.99.0
Scan saved at 9:46:23 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\KenW\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\KenW\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\HijackThis\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

18
Tech Clinic / hjt log
« on: February 02, 2005, 03:02:46 PM »
sorry i forgot the symptoms...

things going wrong:
system running very slowly
IE often says it needs to shut down (and doesn't always do so)
searches with google and yahoo (haven't tried others) are all directed to a first page of obviously wrong websites
zone alarm won't start
norton keeps finding viruses:
Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Downloader.Trojan
File:  C:\WINDOWS\System32\tmpf02.exe
Location:  Quarantine
Computer:  KEN
User:  KenW
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Wed Feb 02 13:49:06 2005

here's latest hjt (first 4 look suspicious to me)

Logfile of HijackThis v1.99.0
Scan saved at 1:55:56 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\hijackthis.exe
C:\WINDOWS\System32\tmpf00.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\tmpf01.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

19
Tech Clinic / hjt log
« on: February 02, 2005, 11:33:36 AM »
i've already run norton, adaware, and spybot...

here's the log. thanks for the help in advance.

Logfile of HijackThis v1.97.7
Scan saved at 11:38:33 PM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.northwestern.edu"); (C:\Program Files\nunet\netscape\Users\kmweinbe\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mid: C:\Program Files\nunet\netscape\program\PLUGINS\npaudio.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB
O16 - DPF: {054C66AC-6726-11D4-BEED-00105AC72F98} (LogoffControl.ucLogoffControl) - https://dr.edward.org/securex/LogoffControl.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://dr.edward.org/securex/wfica.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...7646.8117592593
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangels...eDownloader.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/telepo...ty4LotTeleX.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/Maxis...yScapeTeleX.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by8fd.bay8.Email Removed.msn.com/activex/HMAtchmt.ocx
