Windows, Operating System, Security, Networking, Malware, Support, Forum, Help Site Check Our Facebook Page!
Old 14th April 2005   #1
Member
THREAD STARTER
Contributing Member
 
Profile:
Join Date: Apr 2005
Posts: 7
Computer Experience:
Intermediate

Request help in scrubbing HJT log


I would like to request help and guidance in cleaning up my spyware-infected PC. Attached is my first HJT log after running pestpatrol.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:24 PM, on 4/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVC95.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\LMGRD.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\NILM.EXE
C:\WINDOWS\MS\SMS\CLICOMP\APA\BIN\SMSAPM32.EXE
C:\WINDOWS\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\UFD2.0\UFD.EXE
C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
C:\WINDOWS\SYSTEM\DHGNF\KUKBI.EXE
C:\WINDOWS\SYSTEM\CSPPWJD\DWNLV.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
C:\WINDOWS\SYSTEM\KKAQND\VEEJJ.EXE
C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
C:\WINDOWS\SYSTEM\NZJLKS.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\CALC.EXE
C:\WINDOWS\TEMP\FUKSJ.EXE
C:\WINDOWS\OPTIONS\oemreset.exe
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM\UNACCONF.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HTJ\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nadep900:8080
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://webdoc"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\PLG0\CXTPLS.DLL
O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - C:\SYSFWB\4491989871\IEFWBAR.DLL
O2 - BHO: (no name) - {B801DC5E-790D-3798-A97B-9A9FC5026FD5} - C:\WINDOWS\SYSTEM\jgmcrkxu\puidesov.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\RTNEG.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [PLoader] c:\ufd2.0\ufd.exe sys_auto_run C:\UFD2.0
O4 - HKLM\..\Run: [CellVision WLAN Monitor] C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\SYSTEM\pacis.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [ALFOKGSM] C:\WINDOWS\SYSTEM\JYQHAJGA\ALFOKGSM.EXE
O4 - HKLM\..\Run: [jqqugjl] C:\WINDOWS\SYSTEM\icnjjc\jqqugjl.exe
O4 - HKLM\..\Run: [lvqd] C:\WINDOWS\SYSTEM\hbiowwr\lvqd.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEEJK32.EXE
O4 - HKLM\..\Run: [QBVWNVUC] C:\WINDOWS\SYSTEM\HFDSKE\QBVWNVUC.EXE
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [kukbi] C:\WINDOWS\SYSTEM\dhgnf\kukbi.exe
O4 - HKLM\..\Run: [dwnlv] C:\WINDOWS\SYSTEM\csppwjd\dwnlv.exe
O4 - HKLM\..\Run: [OAEBLTRS] C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
O4 - HKLM\..\Run: [YFWPT] C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
O4 - HKLM\..\Run: [VEEJJ] C:\WINDOWS\SYSTEM\KKAQND\VEEJJ.EXE
O4 - HKLM\..\Run: [LWTBH] C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
O4 - HKLM\..\Run: [nzjlks] c:\windows\system\nzjlks.exe
O4 - HKLM\..\Run: [skyhn] C:\WINDOWS\TEMP\EYMBUX.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\FUKSJ.exe
O4 - HKLM\..\Run: [on4P36T] SDBI02DE.EXE
O4 - HKLM\..\Run: [OEMCLEANUP] C:\WINDOWS\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [NILM License Manager] C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe -c "C:\Program Files\National Instruments\Shared\License Manager\Licenses" -l "C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.log"
O4 - HKLM\..\RunServices: [SMS Client Service] C:\WINDOWS\MS\SMS\core\bin\clisvc95.exe
O4 - HKCU\..\Run: [ZCvFRWf7Q] UNACCONF.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe

Greatly appreciate any help.

Rey

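The log above is read by hand in the replies that follow; the following is an added example (the editor's own code, not part of this thread and not part of HijackThis) of how a helper might triage HJT lines mechanically. The sample lines are copied from the posted log, the trusted-host list and every heuristic are assumptions made for the example, and "(no file)" orphans, hosts-file redirects, autoruns living in TEMP or in a subfolder of WINDOWS\SYSTEM, and DPF entries that download an executable are the patterns it flags.

```python
"""Heuristic triage of HijackThis log lines (added example, not HJT code)."""
import re
from urllib.parse import urlparse

# Lines copied from the log posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {B801DC5E-790D-3798-A97B-9A9FC5026FD5} - C:\WINDOWS\SYSTEM\jgmcrkxu\puidesov.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [kukbi] C:\WINDOWS\SYSTEM\dhgnf\kukbi.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\FUKSJ.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
"""

# Assumption for the example: the owner's own start page is the only trusted host.
TRUSTED_HOSTS = {"sandiego.cox.net"}

LINE_RE = re.compile(r"^(?P<kind>[RNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of a Run command: a quoted path, or an unquoted one ending in .exe/.dll/.com
PATH_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|com)))(?:\s|$)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
# Executables living in a subfolder of WINDOWS\SYSTEM (heuristic: unusual for Win9x software)
SYSTEM_SUBDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM\\[^\\]+\\", re.IGNORECASE)


def host_of(body):
    """Host named in an R0/R1 value, with or without a URL scheme."""
    m = URL_RE.search(body)
    if m:
        return urlparse(m.group(0)).hostname
    tail = body.split(" = ", 1)[-1].strip()
    return tail.split("/")[0] or None


def first_path(cmd):
    """Executable path of an O4 command line, arguments dropped."""
    m = PATH_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def triage(log_text):
    """Return (kind, reason, detail) tuples for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "Search" in body:
            host = host_of(body)
            if host and host not in TRUSTED_HOSTS:
                findings.append((kind, "search setting hijacked", host))
        elif kind in ("R3", "O2", "O3") and ("(no file)" in body or "(file missing)" in body):
            findings.append((kind, "orphaned entry (no file)", body))
        elif kind == "O1":
            findings.append((kind, "hosts file redirect", body.split("Hosts: ", 1)[-1]))
        elif kind == "O2":
            path = body.rsplit(" - ", 1)[-1]
            if SYSTEM_SUBDIR_RE.match(path):
                findings.append((kind, "BHO loaded from a SYSTEM subfolder", path))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # Startup-folder entries use a different layout
            path = first_path(o4.group("cmd"))
            if "\\TEMP\\" in path.upper():
                findings.append((kind, "autorun from TEMP", path))
            elif SYSTEM_SUBDIR_RE.match(path):
                findings.append((kind, "autorun from a SYSTEM subfolder", path))
        elif kind == "O16":
            url = URL_RE.search(body)
            if url and url.group(0).lower().endswith(".exe"):
                findings.append((kind, "ActiveX download of an executable", url.group(0)))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {reason:38} {detail}")
```

Run on the twelve sample lines it reports eight findings and leaves the Synaptics, Norton and SysTray entries alone; a bare filename such as SysTray.Exe carries no directory, so the path heuristics cannot judge it either way, which is exactly the kind of entry a human reviewer still has to look up.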
Old 15th April 2005   #2
Inactive
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,183
Computer Experience:
~@<*+
Welcome to WindowsBBS rp0517

Please download and install both Spybot 1.3 and Ad-aware SE Personal 1.05 (both free) from the links in my signature. Allow Spybot to load SDHelper upon installation. Immediately check for updates to both programs. Run Spybot and fix everything it finds and prechecks (items in red). Run Ad-aware in the full scan mode, right click within the scan results and select all, then click next and allow removal. Reboot and do an online virus scan with RAV. If any files are infected, copy the results and post it here. Run another HijackThis scan and post the new log.

Old 18th April 2005   #3
Member
THREAD STARTER
Contributing Member
 
Profile:
Join Date: Apr 2005
Posts: 7
Computer Experience:
Intermediate

Thanks for the welcome, noahdfear!


Noahdfear,

Thanks for your help and reply. I have not been successful in completing the tasks that you had laid out because I have been having more problems with the PC. I am getting a "While initializing device NTKERN: Windows protection error. You need to restart your computer." every other time. In addition, I could not get a complete Spybot scan because the PC comes up with "Iexplore [Not responding]." I will try to disable the PestPatrol and see if I can run Spybot. If successful, I will continue with Ad-Aware run and the RAV scan.
Just didn't want you to think I am ignoring your advice. Will keep you posted.

Thanks again,
Rey

Old 18th April 2005   #4
Inactive
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,183
Computer Experience:
~@<*+
Try running those scans in safe mode.

Thanks for the update!

Old 20th April 2005   #5
Member
THREAD STARTER
Contributing Member
 
Profile:
Join Date: Apr 2005
Posts: 7
Computer Experience:
Intermediate

RAV results and new HJT log


Appreciate your patience Noahdfear. Ran Spybot and Adaware in safe mode (only way they ran without error or computer hang up). Attached are the RAV scan result and a new HJT log.

******Start of RAV Scan *****
Scan started at 4/18/05 10:47:38 PM

Scanning memory...
process://C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE - TrojanDownloader:Win32/Delmed.B -> Infected
c:\WINDOWS\FARMMEXT.EXE - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\70tovmto.exe - Sahat.A -> Infected
c:\WINDOWS\SYSTEM\installer_MARKETING18.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\wrapperouter.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\wintask.exe - TrojanDownloader:Win32/Small.ABD -> Infected
c:\WINDOWS\SYSTEM\stubinstaller4528.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\elitenmx32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\SSK_B5 Verticlick 7.EXE - TrojanDropper:Win32/Small.WD -> Infected
c:\WINDOWS\SYSTEM\saie1108.exe - TrojanDropper:Win32/Small.NO -> Infected
c:\WINDOWS\SYSTEM\exp.exe - TrojanDownloader:Win32/Small.ABD -> Infected
c:\WINDOWS\SYSTEM\eliterev32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\temperror32.dat - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\eliteoid32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\cbng.exe - TrojanDownloader:Win32/Small -> Infected
c:\WINDOWS\SYSTEM\eliteejk32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\nstisvtx\oaebltrs.exe - TrojanDownloader:Win32/Agent.CZ -> Infected
c:\WINDOWS\SYSTEM\fivnkv\yfwpt.exe - TrojanDownloader:Win32/Agent.LG -> Infected
c:\WINDOWS\SYSTEM\picsvr\picsvr.exe - TrojanDownloader:Win32/Delmed.B -> Infected
c:\WINDOWS\SYSTEM\jyqhajga\alfokgsm.exe - TrojanDownloader:Win32/Agent.CZ -> Infected
c:\WINDOWS\SYSTEM\hfdske\qbvwnvuc.exe - TrojanDownloader:Win32/Agent.LG -> Infected
c:\WINDOWS\TEMP\DrTemp\farmmext.cab->farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\DrTemp\farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\delayed[2].htm->(SCRIPT0000) - JS/Noclose* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\89ABCDEF\download[1].php->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\89ABCDEF\autoupgrader2[1] - TrojanDownloader:Win32/Agent.CZ -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\08SYRDE4\download[2].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\08SYRDE4\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\MLGPKNUV\HP1[1].CHM->/hp1.htm->(SCRIPT0001) - JS/Psyme.C* -> Infected
c:\WINDOWS\TEMP\THI2640.TMP\farmmext.cab->farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\THI66EE.TMP\farmmext.cab->farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\THI66EE.TMP\farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\THI3E2D.TMP\farmmext.cab->farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\THI3E2D.TMP\farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\Program Files\FwBarTemp\searchbar.exe - TrojanDownloader:Win32/VB.EU -> Infected
c:\outlook files\Personal Folder.pst->Message.15059: "Untitled" - Joke:RussianJep -> Infected
c:\outlook files\Personal Folder old.pst->Message.12554: "Untitled" - Joke:RussianJep -> Infected

Scanned
============================
Objects: 62853
Directories: 3600
Archives: 2447
Size(Kb): 139096
Infected files: 38

Found
============================
Viruses found: 17
Suspicious files: 0
Disinfected files: 0
Mail files: 2998
******End of RAV Scan *****

******Start of HJT Log*****
Logfile of HijackThis v1.99.1
Scan saved at 5:08:34 AM, on 4/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVC95.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\LMGRD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\NILM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\MS\SMS\CLICOMP\APA\BIN\SMSAPM32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\UFD2.0\UFD.EXE
C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\WINDOWS\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
C:\WINDOWS\SYSTEM\DHGNF\KUKBI.EXE
C:\WINDOWS\SYSTEM\ELITEEJK32.EXE
C:\WINDOWS\SYSTEM\CSPPWJD\DWNLV.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
C:\WINDOWS\SYSTEM\KKAQND\VEEJJ.EXE
C:\WINDOWS\SYSTEM\NZJLKS.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\OPTIONS\oemreset.exe
C:\WINDOWS\CALC.EXE
C:\WINDOWS\SYSTEM\TLGSN.EXE
C:\WINDOWS\SYSTEM\GAH95ON6.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM\UNACCONF.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TLGSN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\TEMP\TLGSN.EXE
C:\WINDOWS\TEMP\TLGSN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TLGSN.EXE
C:\MY DOWNLOADS\SPYWARE CLEANUP TOOLS\HIJACK_THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nadep900:8080
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://webdoc"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\PLG0\CXTPLS.DLL
O2 - BHO: (no name) - {B801DC5E-790D-3798-A97B-9A9FC5026FD5} - C:\WINDOWS\SYSTEM\jgmcrkxu\puidesov.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSCF003.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [PLoader] c:\ufd2.0\ufd.exe sys_auto_run C:\UFD2.0
O4 - HKLM\..\Run: [CellVision WLAN Monitor] C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\SYSTEM\pacis.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [ALFOKGSM] C:\WINDOWS\SYSTEM\JYQHAJGA\ALFOKGSM.EXE
O4 - HKLM\..\Run: [jqqugjl] C:\WINDOWS\SYSTEM\icnjjc\jqqugjl.exe
O4 - HKLM\..\Run: [lvqd] C:\WINDOWS\SYSTEM\hbiowwr\lvqd.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEEJK32.EXE
O4 - HKLM\..\Run: [QBVWNVUC] C:\WINDOWS\SYSTEM\HFDSKE\QBVWNVUC.EXE
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [kukbi] C:\WINDOWS\SYSTEM\dhgnf\kukbi.exe
O4 - HKLM\..\Run: [dwnlv] C:\WINDOWS\SYSTEM\csppwjd\dwnlv.exe
O4 - HKLM\..\Run: [OAEBLTRS] C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
O4 - HKLM\..\Run: [YFWPT] C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
O4 - HKLM\..\Run: [VEEJJ] C:\WINDOWS\SYSTEM\KKAQND\VEEJJ.EXE
O4 - HKLM\..\Run: [LWTBH] C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
O4 - HKLM\..\Run: [nzjlks] c:\windows\system\nzjlks.exe
O4 - HKLM\..\Run: [skyhn] C:\WINDOWS\TEMP\EYMBUX.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [on4P36T] SDBI02DE.EXE
O4 - HKLM\..\Run: [OEMCLEANUP] C:\WINDOWS\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\SYSTEM\gah95on6.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\TLGSN.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [NILM License Manager] C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe -c "C:\Program Files\National Instruments\Shared\License Manager\Licenses" -l "C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.log"
O4 - HKLM\..\RunServices: [SMS Client Service] C:\WINDOWS\MS\SMS\core\bin\clisvc95.exe
O4 - HKCU\..\Run: [ZCvFRWf7Q] UNACCONF.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
******End of HJT Log*****

Thanks again for your help.

Rey

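The post above pairs a RAV scan report with a fresh HJT log, and the useful question is which of the detected files are still wired into autorun keys or still running. The following is an added example (the editor's code, not from this thread, RAV or HijackThis) that parses both formats and correlates them. The sample lines are a constructed subset of what was posted; the RAV line layout it assumes is `path - detection -> status`, with `process://` marking in-memory hits and `->` separating an archive or mailbox from the member inside it.

```python
"""Correlate an online-scanner report with HijackThis processes and autoruns
(added example, not code from RAV or HijackThis)."""
import re
from collections import Counter

# Constructed subset of the RAV report posted in this thread.
RAV_SAMPLE = r"""
process://C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE - TrojanDownloader:Win32/Delmed.B -> Infected
c:\WINDOWS\FARMMEXT.EXE - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\SYSTEM\wintask.exe - TrojanDownloader:Win32/Small.ABD -> Infected
c:\WINDOWS\SYSTEM\exp.exe - TrojanDownloader:Win32/Small.ABD -> Infected
c:\WINDOWS\SYSTEM\eliteejk32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\nstisvtx\oaebltrs.exe - TrojanDownloader:Win32/Agent.CZ -> Infected
c:\WINDOWS\SYSTEM\fivnkv\yfwpt.exe - TrojanDownloader:Win32/Agent.LG -> Infected
c:\WINDOWS\SYSTEM\picsvr\picsvr.exe - TrojanDownloader:Win32/Delmed.B -> Infected
c:\WINDOWS\TEMP\DrTemp\farmmext.cab->farmmext.exe - TrojanDownloader:Win32/Stubby.C -> Infected
c:\outlook files\Personal Folder.pst->Message.15059: "Untitled" - Joke:RussianJep -> Infected
"""

# Constructed subset of the HJT log posted in the same reply.
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
C:\WINDOWS\SYSTEM\ELITEEJK32.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\HTJ\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEEJK32.EXE
O4 - HKLM\..\Run: [OAEBLTRS] C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
O4 - HKLM\..\Run: [YFWPT] C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
"""

O4_RE = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of a Run command: a quoted path, or an unquoted one ending in .exe/.dll/.com
PATH_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|com)))(?:\s|$)', re.IGNORECASE)


def norm(path):
    """Win9x paths are case-insensitive; compare them lowercased."""
    return path.strip().lower()


def parse_rav(text):
    """One dict per report line: on-disk path, detection name, status, in-memory flag."""
    hits = []
    for line in text.splitlines():
        if " -> " not in line or " - " not in line:
            continue
        rest, status = line.rsplit(" -> ", 1)
        where, detection = rest.rsplit(" - ", 1)
        in_memory = where.startswith("process://")
        if in_memory:
            where = where[len("process://"):]
        container = where.split("->", 1)[0]  # drop the archive / mailbox member
        hits.append({"path": norm(container), "detection": detection,
                     "status": status, "in_memory": in_memory})
    return hits


def parse_hjt(text):
    """Return (running process paths, [(autorun name, target path), ...])."""
    procs, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if s:
                procs.append(norm(s))
            else:
                in_procs = False  # blank line closes the process list
            continue
        m = O4_RE.match(s)
        if m:
            p = PATH_RE.match(m.group("cmd"))
            target = (p.group("q") or p.group("u")) if p else m.group("cmd")
            autoruns.append((m.group("name"), norm(target)))
    return procs, autoruns


def correlate(rav_text, hjt_text):
    hits = parse_rav(rav_text)
    by_path = {h["path"]: h["detection"] for h in hits}
    procs, autoruns = parse_hjt(hjt_text)
    return {
        # Run entries whose target RAV flagged: these survive a file-only cleanup
        "autoruns_detected": [(n, p, by_path[p]) for n, p in autoruns if p in by_path],
        # 8.3 short names (PROGRA~1) never match a long-name report line; review by hand
        "autoruns_unmatched": [(n, p) for n, p in autoruns if p not in by_path],
        "running_detected": [p for p in procs if p in by_path],
        "families": Counter(h["detection"] for h in hits),
    }


if __name__ == "__main__":
    for key, value in correlate(RAV_SAMPLE, HJT_SAMPLE).items():
        print(key, value)
```

On the sample, seven of the eight Run entries resolve to a file RAV flagged and three flagged files are still resident, which is the practical reason the helper in this thread keeps asking for a new HJT log after each scan: an antivirus that deletes a file but not its Run value leaves a dangling entry, and one that misses a resident process leaves it free to re-drop the file.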
Old 20th April 2005   #6
Inactive
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,183
Computer Experience:
~@<*+
Download and install the trial version of Trojan Hunter. Allow update upon installation. Run a full system scan, removing whatever it finds. Reboot, scan again with RAV and post both the RAV log and a new HJT log.

Old 23rd April 2005   #7
Member
THREAD STARTER
Contributing Member
 
Profile:
Join Date: Apr 2005
Posts: 7
Computer Experience:
Intermediate

New RAV and HJT Logs


Noahdfear,

Attached are the two files you requested.

*******Start of RAV Log *******
Scan started at 4/21/05 10:25:32 PM

Scanning memory...
c:\WINDOWS\FARMMEXT.EXE.tcf - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\SYSTEM\installer_MARKETING18.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\wrapperouter.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\stubinstaller4528.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\elitenmx32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\SSK_B5 Verticlick 7.EXE - TrojanDropper:Win32/Small.WD -> Infected
c:\WINDOWS\SYSTEM\cbng.exe.tcf - TrojanDownloader:Win32/Small -> Infected
c:\WINDOWS\SYSTEM\eliterev32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\temperror32.dat - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\eliteoid32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\exp.exe.tcf - TrojanDownloader:Win32/Small.ABD -> Infected
c:\WINDOWS\SYSTEM\eliteejk32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\saie1108.exe.tcf - TrojanDropper:Win32/Small.NO -> Infected
c:\WINDOWS\SYSTEM\wintask.exe.tcf - TrojanDownloader:Win32/Small.ABD -> Infected
c:\WINDOWS\SYSTEM\nstisvtx\OAEBLTRS.EXE.tcf - TrojanDownloader:Win32/Agent.CZ -> Infected
c:\WINDOWS\SYSTEM\fivnkv\YFWPT.EXE.tcf - TrojanDownloader:Win32/Agent.LG -> Infected
c:\WINDOWS\SYSTEM\picsvr\PICSVR.EXE.tcf - TrojanDownloader:Win32/Delmed.B -> Infected
c:\WINDOWS\SYSTEM\jyqhajga\alfokgsm.exe.tcf - TrojanDownloader:Win32/Agent.CZ -> Infected
c:\WINDOWS\SYSTEM\hfdske\qbvwnvuc.exe.tcf - TrojanDownloader:Win32/Agent.LG -> Infected
c:\WINDOWS\TEMP\DrTemp\farmmext.exe.tcf - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\delayed[2].htm->(SCRIPT0000) - JS/Noclose* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\classload[1].jar->GetAccess.class - Trojan:Java/ClassLoader -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\classload[1].jar->InsecureClassLoader.class - Java/Bytverify -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\classload[1].jar->Installer.class - TrojanDownloader:Java/OpenConnection.F -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\89ABCDEF\download[1].php->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\89ABCDEF\autoupgrader2[1] - TrojanDownloader:Win32/Agent.CZ -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\08SYRDE4\download[2].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\08SYRDE4\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\MLGPKNUV\HP1[1].CHM->/hp1.htm->(SCRIPT0001) - JS/Psyme.C* -> Infected
c:\WINDOWS\TEMP\THI66EE.TMP\farmmext.exe.tcf - TrojanDownloader:Win32/Stubby.C -> Infected
c:\WINDOWS\TEMP\THI3E2D.TMP\farmmext.exe.tcf - TrojanDownloader:Win32/Stubby.C -> Infected
c:\Program Files\FwBarTemp\searchbar.exe - TrojanDownloader:Win32/VB.EU -> Infected
c:\outlook files\Personal Folder.pst->Message.15059: "Untitled" - Joke:RussianJep -> Infected
c:\outlook files\Personal Folder old.pst->Message.12554: "Untitled" - Joke:RussianJep -> Infected

Scanned
============================
Objects: 61920
Directories: 3340
Archives: 2349
Size(Kb): -310262
Infected files: 35

Found
============================
Viruses found: 18
Suspicious files: 0
Disinfected files: 0
Mail files: 2987
*******End of RAV Log********

*******Start of HJT Log********
Logfile of HijackThis v1.99.1
Scan saved at 12:50:56 AM, on 4/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVC95.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\LMGRD.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\NILM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\MS\SMS\CLICOMP\APA\BIN\SMSAPM32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\UFD2.0\UFD.EXE
C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\WINDOWS\SYSTEM\DHGNF\KUKBI.EXE
C:\WINDOWS\SYSTEM\CSPPWJD\DWNLV.EXE
C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\OPTIONS\oemreset.exe
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\WINDOWS\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HTJ\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nadep900:8080
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://webdoc"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {B801DC5E-790D-3798-A97B-9A9FC5026FD5} - C:\WINDOWS\SYSTEM\jgmcrkxu\puidesov.dll (file missing)
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSCF003.DLL (file missing)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [PLoader] c:\ufd2.0\ufd.exe sys_auto_run C:\UFD2.0
O4 - HKLM\..\Run: [CellVision WLAN Monitor] C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\SYSTEM\pacis.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [ALFOKGSM] C:\WINDOWS\SYSTEM\JYQHAJGA\ALFOKGSM.EXE
O4 - HKLM\..\Run: [jqqugjl] C:\WINDOWS\SYSTEM\icnjjc\jqqugjl.exe
O4 - HKLM\..\Run: [lvqd] C:\WINDOWS\SYSTEM\hbiowwr\lvqd.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEEJK32.EXE
O4 - HKLM\..\Run: [QBVWNVUC] C:\WINDOWS\SYSTEM\HFDSKE\QBVWNVUC.EXE
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [kukbi] C:\WINDOWS\SYSTEM\dhgnf\kukbi.exe
O4 - HKLM\..\Run: [dwnlv] C:\WINDOWS\SYSTEM\csppwjd\dwnlv.exe
O4 - HKLM\..\Run: [OAEBLTRS] C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
O4 - HKLM\..\Run: [YFWPT] C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
O4 - HKLM\..\Run: [VEEJJ] C:\WINDOWS\SYSTEM\KKAQND\VEEJJ.EXE
O4 - HKLM\..\Run: [LWTBH] C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
O4 - HKLM\..\Run: [skyhn] C:\WINDOWS\TEMP\EYMBUX.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [on4P36T] SDBI02DE.EXE
O4 - HKLM\..\Run: [OEMCLEANUP] C:\WINDOWS\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\SYSTEM\gah95on6.exe
O4 - HKLM\..\Run: [nzjlks] c:\windows\system\nzjlks.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [NILM License Manager] C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe -c "C:\Program Files\National Instruments\Shared\License Manager\Licenses" -l "C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.log"
O4 - HKLM\..\RunServices: [SMS Client Service] C:\WINDOWS\MS\SMS\core\bin\clisvc95.exe
O4 - HKCU\..\Run: [ZCvFRWf7Q] UNACCONF.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
********End of HJT Log*******

Thanks again, Dave.

Rey

Old 23rd April 2005   #8
noahdfear (Inactive; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,183)

Well, Trojan Hunter didn't help much. Please run an eTrust Online scan and allow it to clean what it can. Link is in my signature. Then run Trend Micro and see what it can clean. Post back with a new RAV and HJT log and we'll do the rest from there.

Old 24th April 2005   #9
rp0517 (Member, thread starter, Contributing Member; Join Date: Apr 2005; Posts: 7; Computer Experience: Intermediate)

New RAV and HJT Log after Housecall scan


Noahdfear,

I ran the eTrust Online scan and it found no virus. Ran Trend Micro Housecall and it found several "Cannot Clean" infected files. I deleted these files. Performed new RAV and HJT scans. Results are attached.

Thanks for your help and time, Dave.

Rey

*** Start of RAV Log ***
Scan started at 4/23/05 10:55:17 PM

Scanning memory...
c:\WINDOWS\SYSTEM\installer_MARKETING18.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\wrapperouter.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\stubinstaller4528.exe - TrojanDropper:Win32/Agent.HL -> Infected
c:\WINDOWS\SYSTEM\elitenmx32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\SSK_B5 Verticlick 7.EXE - TrojanDropper:Win32/Small.WD -> Infected
c:\WINDOWS\SYSTEM\eliterev32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\eliteoid32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\eliteejk32.exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\SYSTEM\saie1108.exe.tcf - TrojanDropper:Win32/Small.NO -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\delayed[2].htm->(SCRIPT0000) - JS/Noclose* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\0VWLANU7\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\89ABCDEF\download[1].php->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\08SYRDE4\download[2].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\08SYRDE4\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\Program Files\FwBarTemp\searchbar.exe - TrojanDownloader:Win32/VB.EU -> Infected
c:\outlook files\Personal Folder.pst->Message.15059: "Untitled" - Joke:RussianJep -> Infected
c:\outlook files\Personal Folder old.pst->Message.12554: "Untitled" - Joke:RussianJep -> Infected

Scanned
============================
Objects: 61508
Directories: 3357
Archives: 2353
Size(Kb): -272147
Infected files: 17

Found
============================
Viruses found: 8
Suspicious files: 0
Disinfected files: 0
Mail files: 2990
*** End of RAV Log ***

*** Start of HJT Log ***
Logfile of HijackThis v1.99.1
Scan saved at 11:28:20 AM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVC95.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\LMGRD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NATIONAL INSTRUMENTS\SHARED\LICENSE MANAGER\BIN\NILM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\MS\SMS\CLICOMP\APA\BIN\SMSAPM32.EXE
C:\WINDOWS\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\UFD2.0\UFD.EXE
C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\WINDOWS\SYSTEM\ELITEAVC32.EXE
C:\WINDOWS\SYSTEM\DHGNF\KUKBI.EXE
C:\WINDOWS\SYSTEM\CSPPWJD\DWNLV.EXE
C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\OPTIONS\oemreset.exe
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\HTJ\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nadep900:8080
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://webdoc"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {B801DC5E-790D-3798-A97B-9A9FC5026FD5} - C:\WINDOWS\SYSTEM\jgmcrkxu\puidesov.dll (file missing)
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSCF003.DLL (file missing)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [SMS Win9x Message Agent] C:\WINDOWS\MS\SMS\core\bin\SMSMsg.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [PLoader] c:\ufd2.0\ufd.exe sys_auto_run C:\UFD2.0
O4 - HKLM\..\Run: [CellVision WLAN Monitor] C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\SYSTEM\pacis.exe
O4 - HKLM\..\Run: [ALFOKGSM] C:\WINDOWS\SYSTEM\JYQHAJGA\ALFOKGSM.EXE
O4 - HKLM\..\Run: [jqqugjl] C:\WINDOWS\SYSTEM\icnjjc\jqqugjl.exe
O4 - HKLM\..\Run: [lvqd] C:\WINDOWS\SYSTEM\hbiowwr\lvqd.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEAVC32.EXE
O4 - HKLM\..\Run: [QBVWNVUC] C:\WINDOWS\SYSTEM\HFDSKE\QBVWNVUC.EXE
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [kukbi] C:\WINDOWS\SYSTEM\dhgnf\kukbi.exe
O4 - HKLM\..\Run: [dwnlv] C:\WINDOWS\SYSTEM\csppwjd\dwnlv.exe
O4 - HKLM\..\Run: [OAEBLTRS] C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
O4 - HKLM\..\Run: [YFWPT] C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
O4 - HKLM\..\Run: [VEEJJ] C:\WINDOWS\SYSTEM\KKAQND\VEEJJ.EXE
O4 - HKLM\..\Run: [LWTBH] C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
O4 - HKLM\..\Run: [skyhn] C:\WINDOWS\TEMP\EYMBUX.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [on4P36T] SDBI02DE.EXE
O4 - HKLM\..\Run: [OEMCLEANUP] C:\WINDOWS\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\SYSTEM\gah95on6.exe
O4 - HKLM\..\Run: [nzjlks] c:\windows\system\nzjlks.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [NILM License Manager] C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe -c "C:\Program Files\National Instruments\Shared\License Manager\Licenses" -l "C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.log"
O4 - HKLM\..\RunServices: [SMS Client Service] C:\WINDOWS\MS\SMS\core\bin\clisvc95.exe
O4 - HKCU\..\Run: [ZCvFRWf7Q] UNACCONF.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

Old 25th April 2005   #10
noahdfear (Inactive; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,183)

Are these backup folders? Can you locate the two infected messages and delete them?

c:\outlook files\Personal Folder.pst
c:\outlook files\Personal Folder old.pst

Message.15059 Message.12554

You should print this out and/or save it to text where you can access it in safe mode.

Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Extract the file to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\SYSTEM\installer_MARKETING18.exe

Check the box to delete on reboot and click the red X to the right. Click Yes, then NO to the reboot now prompt. Copy the next filepath, paste it in the box, and repeat the above steps. When all of the below filepaths are done, close the Killbox.

C:\WINDOWS\SYSTEM\wrapperouter.exe
C:\WINDOWS\SYSTEM\stubinstaller4528.exe
C:\WINDOWS\SYSTEM\elitenmx32.exe
C:\WINDOWS\SYSTEM\SSK_B5 Verticlick 7.EXE
C:\WINDOWS\SYSTEM\eliterev32.exe
C:\WINDOWS\SYSTEM\eliteoid32.exe
C:\WINDOWS\SYSTEM\eliteejk32.exe
C:\WINDOWS\SYSTEM\saie1108.exe.tcf
C:\WINDOWS\FARMMEXT.exe
C:\WINDOWS\SYSTEM\exp.exe
C:\WINDOWS\CFGMGR51.DLL
C:\WINDOWS\SYSTEM\gah95on6.exe
c:\windows\system\nzjlks.exe


Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nadep900:8080
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {B801DC5E-790D-3798-A97B-9A9FC5026FD5} - C:\WINDOWS\SYSTEM\jgmcrkxu\puidesov.dll (file missing)
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSCF003.DLL (file missing)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [ALFOKGSM] C:\WINDOWS\SYSTEM\JYQHAJGA\ALFOKGSM.EXE
O4 - HKLM\..\Run: [jqqugjl] C:\WINDOWS\SYSTEM\icnjjc\jqqugjl.exe
O4 - HKLM\..\Run: [lvqd] C:\WINDOWS\SYSTEM\hbiowwr\lvqd.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITEAVC32.EXE
O4 - HKLM\..\Run: [QBVWNVUC] C:\WINDOWS\SYSTEM\HFDSKE\QBVWNVUC.EXE
O4 - HKLM\..\Run: [kukbi] C:\WINDOWS\SYSTEM\dhgnf\kukbi.exe
O4 - HKLM\..\Run: [dwnlv] C:\WINDOWS\SYSTEM\csppwjd\dwnlv.exe
O4 - HKLM\..\Run: [OAEBLTRS] C:\WINDOWS\SYSTEM\NSTISVTX\OAEBLTRS.EXE
O4 - HKLM\..\Run: [YFWPT] C:\WINDOWS\SYSTEM\FIVNKV\YFWPT.EXE
O4 - HKLM\..\Run: [VEEJJ] C:\WINDOWS\SYSTEM\KKAQND\VEEJJ.EXE
O4 - HKLM\..\Run: [LWTBH] C:\WINDOWS\SYSTEM\SRKITNPC\LWTBH.EXE
O4 - HKLM\..\Run: [skyhn] C:\WINDOWS\TEMP\EYMBUX.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [on4P36T] SDBI02DE.EXE
O4 - HKLM\..\Run: [OEMCLEANUP] C:\WINDOWS\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\SYSTEM\gah95on6.exe
O4 - HKLM\..\Run: [nzjlks] c:\windows\system\nzjlks.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [ZCvFRWf7Q] UNACCONF.EXE
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe


Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode. Logon to your user account.

You will need to show hidden files and folders.

Open C:\Program Files and delete the folders FwBarTemp, NaviSearch, MYWAY and CashBack.
Open C:\Windows\system and delete the following folders if present.

jgmcrkxu
JYQHAJGA
icnjjc
hbiowwr
HFDSKE
dhgnf
csppwjd
NSTISVTX
FIVNKV
KKAQND
SRKITNPC
nsvsvc
PICSVR


Do a file search for the following files and delete if found.

SDBI02DE.EXE
UNACCONF.EXE


Open C:\Temp (if present), select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Windows\Applog, select all and delete.
Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all boxes and click OK.

If you used msconfig, uncheck the box to 'enable start menu' and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

Post new RAV and HJT logs.

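A triage script for HijackThis log lines, added here as an example; it is not part of HijackThis and not code posted by anyone in this thread. It turns the structural signals noahdfear acted on in the fix list above (programs launched from random-named subfolders of C:\WINDOWS\SYSTEM or from TEMP, BHO registrations whose DLL is missing, the hosts-file override, the DPF object that fetches a bare .exe, the configured proxy) into checks run over lines copied from the logs posted above; the regexes, function names and heuristics are my own, and the heuristics stay deliberately conservative, so entries that need a human's judgement (such as ELITEAVC32.EXE sitting directly in SYSTEM) are left unflagged.

```python
"""Triage of HijackThis v1.99 log lines (added example; not HJT's own code).

Heuristics, not signatures: they flag the structural signals the helper
acted on in this thread and leave everything else for a human reader.
"""
import re
from typing import List, Optional, Tuple

# Entry types as they appear in HJT logs (O1, O2, O4, O16, R1).
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>[\d.]+) (?P<host>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \([^)]*\))? - (?P<url>\S+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$")
# First program-looking token of a command line; non-greedy so that
# "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" yields rundll32.exe.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|tsk|com))(?:["\s,]|$)', re.IGNORECASE)

SYSDIR = "c:\\windows\\system\\"
TEMPDIR = "c:\\windows\\temp\\"
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def program_path(cmd: str) -> str:
    """Lower-cased path of what an O4 entry actually runs.
    rundll32 is transparent: the DLL it is told to load is the payload."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.lower()
    path = m.group("path")
    if path.lower().endswith("rundll32.exe"):
        m2 = EXE_RE.match(cmd[m.end("path"):].lstrip(' "'))
        if m2:
            path = m2.group("path")
    return path.lower()


def judge_o4(cmd: str) -> Optional[str]:
    """Reason to flag an O4 autostart entry, or None if it looks ordinary."""
    path = program_path(cmd)
    if path.startswith(TEMPDIR):
        return "program launched from the TEMP directory"
    # Windows 9x keeps its own programs directly in SYSTEM; an EXE in a
    # subfolder of SYSTEM is the pattern of every dropper in this thread.
    if path.startswith(SYSDIR) and "\\" in path[len(SYSDIR):]:
        return "program launched from a subfolder of C:\\WINDOWS\\SYSTEM"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every line a heuristic flags."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        reason = None
        if (m := O4_RE.match(line)):
            reason = judge_o4(m.group("cmd"))
        elif (m := O2_RE.match(line)):
            if m.group("path").endswith(("(no file)", "(file missing)")):
                reason = "BHO registration whose DLL is gone (orphaned entry)"
        elif (m := O1_RE.match(line)):
            if m.group("ip") not in LOOPBACK:
                reason = f"hosts file redirects {m.group('host')} to {m.group('ip')}"
        elif (m := O16_RE.match(line)):
            if m.group("url").lower().endswith(".exe"):
                reason = "Download Program Files object fetches a bare executable"
        elif (m := R1_PROXY_RE.match(line)):
            reason = f"explicit proxy {m.group('proxy')} configured; confirm it is yours"
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: a subset of the lines from the HJT logs posted in this thread.
SAMPLE_LOG = [
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://sandiego.cox.net/",
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = nadep900:8080",
    "O1 - Hosts: 216.39.69.102 view.atdmt.com",
    "O2 - BHO: (no name) - {B801DC5E-790D-3798-A97B-9A9FC5026FD5} - C:\\WINDOWS\\SYSTEM\\jgmcrkxu\\puidesov.dll (file missing)",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll",
    "O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun",
    "O4 - HKLM\\..\\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    "O4 - HKLM\\..\\Run: [HP Network Registry Agent] C:\\WINDOWS\\SYSTEM\\hpnra.exe",
    "O4 - HKLM\\..\\Run: [kukbi] C:\\WINDOWS\\SYSTEM\\dhgnf\\kukbi.exe",
    "O4 - HKLM\\..\\Run: [skyhn] C:\\WINDOWS\\TEMP\\EYMBUX.EXE",
    "O4 - HKLM\\..\\Run: [eTrust PestPatrol Active Protection] \"C:\\PROGRAM FILES\\CA\\ETRUST PESTPATROL\\PPACTIVEDETECTION.EXE\"",
    "O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe",
    "O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab",
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it directly to print the findings for the embedded sample; on a real log, pass the file's lines to triage().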
Old 26th April 2005   #11
rp0517 (Member, thread starter, Contributing Member; Join Date: Apr 2005; Posts: 7; Computer Experience: Intermediate)

RAV and HJT Log after KillBox and HJT Fix routine


Thanks for a very thorough procedure, Noahdfear! I had tried opening up my old Outlook files but was not successful due to unavailability of a Microsoft Exchange Server. I no longer used this machine to access my work email and those files were my backup files. I will remove these files if I am unsuccessful in accessing the server through dial-up.

Anyway, I went through the procedure you had laid out and I have attached the new RAV and HJT logs.

*** Start of RAV Log ***
Scan started at 4/25/05 6:43:18 PM

Scanning memory...
c:\RECYCLED\DC69\Content.IE5\0VWLANU7\delayed[2].htm->(SCRIPT0000) - JS/Noclose* -> Infected
c:\RECYCLED\DC69\Content.IE5\0VWLANU7\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\RECYCLED\DC69\Content.IE5\89ABCDEF\download[1].php->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\RECYCLED\DC69\Content.IE5\08SYRDE4\download[2].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
c:\RECYCLED\DC69\Content.IE5\08SYRDE4\protector[1].exe - Trojan:Win32/StartPage.NK -> Infected
c:\outlook files\Personal Folder.pst->Message.15059: "Untitled" - Joke:RussianJep -> Infected
c:\outlook files\Personal Folder old.pst->Message.12554: "Untitled" - Joke:RussianJep -> Infected

Scanned
============================
Objects: 60244
Directories: 3218
Archives: 2338
Size(Kb): -390456
Infected files: 7

Found
============================
Viruses found: 4
Suspicious files: 0
Disinfected files: 0
Mail files: 2974
*** End of RAV Log ***

*** Start of HJT Log ***
Logfile of HijackThis v1.99.1
Scan saved at 9:02:45 PM, on 4/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\USBTOOLBOX\RES.EXE
C:\UFD2.0\UFD.EXE
C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
C:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HTJ\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://webdoc"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
O4 - HKLM\..\Run: [IMAQBoot] C:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [PLoader] c:\ufd2.0\ufd.exe sys_auto_run C:\UFD2.0
O4 - HKLM\..\Run: [CellVision WLAN Monitor] C:\PROGRAM FILES\AIRLINK101\WLAN MONITOR\WLANMON.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\SYSTEM\pacis.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\PROGRAM FILES\CA\ETRUST PESTPATROL\PPACTIVEDETECTION.EXE"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [NILM License Manager] C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe -c "C:\Program Files\National Instruments\Shared\License Manager\Licenses" -l "C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.log"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
*** End of HJT Log ***

Thanks again for your help, Dave.

Rey

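The log above is the kind of thing a helper reads by section: O4 entries (what starts at logon) and O16 entries (ActiveX controls Internet Explorer was told to download). The script below is an added example written for this thread, not code from the original posts or from HijackThis itself. It parses those two entry types into structured records and applies two mechanical review cues a helper would note before anything else: an O4 command given as a bare file name (resolved through the executable search path at logon rather than an absolute path) and an O16 download that is a raw .exe rather than a .cab. Both cues are prompts to look at the file on disk, not verdicts; the sample lines are constructed from the kinds of entries in the log, and every regex and function name is this example's own.

```python
"""Structured triage of O4 and O16 lines from a HijackThis 1.99.x log.

Added example, not part of HijackThis.  The two checks are review cues
(bare autorun names, raw .exe ActiveX downloads), not malware verdicts.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis format, modelled on the log in this thread.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET",
    r'O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"',
    r"O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe",
    r"O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE",
    r"O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe",
    r"O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab",
])

# O4 from a Run/RunServices key:  O4 - HKLM\..\Run: [Name] command
O4_REG = re.compile(r"^O4 - (?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4 from a Startup folder:        O4 - Startup: Name.lnk = target
O4_STARTUP = re.compile(r"^O4 - (?P<loc>Startup|User Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# O16 Downloaded Program File:     O16 - DPF: {CLSID} (Description) - URL
O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
# HJT prints unquoted paths containing spaces, so cut the command at the first
# executable-looking extension rather than at the first space.
EXE_EXT = re.compile(r"^(?P<exe>.+?\.(?:exe|com|bat|scr|pif|dll))(?:\s|$)", re.IGNORECASE)


def _executable(cmd):
    """Return the program part of an autorun command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT.match(cmd)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def parse_hjt(text):
    """Parse O4 and O16 lines into dicts; other section types are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_REG.match(line) or O4_STARTUP.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            entries.append({"type": "O4", "location": m.group("loc"), "name": m.group("name"),
                            "exe": exe, "bare": "\\" not in exe})
            continue
        m = O16.match(line)
        if m:
            url = urlparse(m.group("url"))
            entries.append({"type": "O16", "clsid": m.group("clsid"), "desc": m.group("desc") or "",
                            "host": url.hostname, "file": url.path.rsplit("/", 1)[-1],
                            "is_cab": url.path.lower().endswith(".cab")})
    return entries


def bare_autoruns(entries):
    """Names of O4 entries whose program is a bare file name with no directory."""
    return [e["name"] for e in entries if e["type"] == "O4" and e["bare"]]


def dpf_by_host(entries):
    """Group O16 downloads by host: host -> [(clsid, file name, is_cab)]."""
    out = defaultdict(list)
    for e in entries:
        if e["type"] == "O16":
            out[e["host"]].append((e["clsid"], e["file"], e["is_cab"]))
    return dict(out)


def triage(text):
    """Human-readable review cues for a log; an empty list means no cue fired."""
    entries = parse_hjt(text)
    cues = [f"O4 [{n}] runs a bare file name; confirm which file on disk it resolves to"
            for n in bare_autoruns(entries)]
    for host, items in dpf_by_host(entries).items():
        for clsid, fname, is_cab in items:
            if not is_cab:
                cues.append(f"O16 {clsid} fetches {fname} from {host}, a raw executable rather than a .cab")
    return cues


if __name__ == "__main__":
    for cue in triage(SAMPLE_LOG):
        print(cue)
```

Run it against a saved log by reading the file into `triage()`. On the sample it reports the two bare names (SysTray.Exe and mstask.exe, both legitimate Windows 98 components living in C:\WINDOWS\SYSTEM) and the one .exe download; the point is that the script tells you where to look, and the verdict still comes from checking the file and the vendor, exactly as the helper did above.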
Old 26th April 2005   #12
Inactive
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,183
Computer Experience:
~@<*+
noahdfear
Unless I've overlooked something, that log is clean. Empty the recycle bin and get those Outlook files taken care of. Do whatever you like with Trojan Hunter (I'd uninstall it myself). Also recommend you download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Check for updates regularly. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry. That will give you some added layers of protection against unwanted parasites.

Old 27th April 2005   #13
Member
THREAD STARTER
Contributing Member
 
Profile:
Join Date: Apr 2005
Posts: 7
Computer Experience:
Intermediate
rp0517

Thanks for your great assistance.

Appreciate your patience and time, Noahdfear. My computer has been working fine lately. Did not get any more pop-ups even when left on for hours.

I would also like to extend my appreciation to the moderators and admin of this very helpful support BBS.

I had avoided joining any support group, but this one is well worth joining, especially due to helpful folks like Dave.

Thanks again,
Rey

Old 27th April 2005   #14
Inactive
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,183
Computer Experience:
~@<*+
noahdfear
Glad to help, Rey, and good to hear all is well again.
