Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 20 of 23 Posts

· Registered
Joined
·
12 Posts
Discussion Starter · #1 ·
We have picked up the cws variant that Ad-Aware SE will not delete.
When I run Ad-Aware we get several error during scan (Symtray, Mstak, Cpqeadm).
At the end of the scan it shows 20 items of coolweb and 2-4 items of VX2
During removal, an aquarantine list is made but file deletion will will not complete.
We have an older Compaq 600Mhz running dual boot win 98se and win 2000.
Win 98 is up to date but 2000 is not.
I have tried to safe boot but the machine will only safe boot to 2000.

Here is the hjt list.

Logfile of HijackThis v1.99.0
Scan saved at 10:31:36 PM, on 1/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\QRGWQV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\HIGHJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {3A2E333B-2DC5-67B4-DCBE-B36D999B9A13} - C:\windows\system\puxxoxah.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\qrgwqv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - Startup: ftihfk.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://146.82.109.200/distribution/msiein.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/FunBuddyIconsFWBInitialSetup1.0.0.8.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab

Thanks for your help
 

· Registered
Joined
·
9,520 Posts
Welcome to TSG.

Download and install "Pocket KillBox" (http://www.greyknight17.com/spy/KillBox.exe)
=====================================================
Copy/Paste the Bold to notepad and save on the desktop as "delete.reg" (save it WITH the quotes" ")

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"= -


======================================================
Run HijackThis again and put a checkmark besides the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3A2E333B-2DC5-67B4-DCBE-B36D999B9A13} - C:\windows\system\puxxoxah.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\qrgwqv.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://146.82.109.200/distribution/msiein.cab


Run KillBox.... Click on the 'Delete on Reboot' button. Check 'End Explorer Shell While Killing File.' Copy and paste each of the following locations (one by one) into KillBox (check 'Unregister .dll Before Deleting' if it's not greyed out) and hit the X button for each one (when it asks you if you want to reboot, click NO):
C:\windows\system\puxxoxah.dll
C:\WINDOWS\BTGRAB.DLL
C:\WINDOWS\qrgwqv.exe

=================================================
Double click on "delete.reg" and choose Yes to merge it. You can delete the file afterwards.

Re-boot Update Adaware and scan/remove all it finds.
================================================
Then
Download Spybot - Search & Destroy from http://majorgeeks.com/download2471.html

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.
Activate the "Imunize" function.
===================================================
Run an online antivirus check from at least one and preferably 2 of the following sites....
http://virusscan.jotti.dhs.org/
http://www.kaspersky.com/remoteviruschk.html
http://www.dials.ru/english/www_av/
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/

Re-boot again and post a new HijackThis log please.

;)
 

· Registered
Joined
·
12 Posts
Discussion Starter · #3 ·
Thanks for quick reply

After checking all the items in hjt and pushed fix, I ran Killbox. I could not find
C:\windows\system\puxxoxah.dll
C:\WINDOWS\BTGRAB.DLL
When I cut and paste from the e-mail the system gave an illegal operation and closed killbox.
I then ran adaware se and still have the same errors as before. In the quarantine list it shows
obj[0]=Process : C:\WINDOWS\SBNESI.DLL
obj[1]=Process : C:\WINDOWS\SBNESI.DLL
obj[2]=Process : C:\WINDOWS\SBNESI.DLL
obj[3]=Process : C:\WINDOWS\SBNESI.DLL
obj[4]=Process : C:\WINDOWS\SBNESI.DLL
obj[5]=Process : C:\WINDOWS\SBNESI.DLL
obj[6]=Process : C:\WINDOWS\SBNESI.DLL
obj[7]=Process : C:\WINDOWS\SBNESI.DLL
obj[8]=Process : C:\WINDOWS\SBNESI.DLL
obj[9]=Process : C:\WINDOWS\SBNESI.DLL
obj[10]=Process : C:\WINDOWS\SBNESI.DLL
obj[11]=Process : C:\WINDOWS\SBNESI.DLL
obj[12]=Process : C:\WINDOWS\SBNESI.DLL
obj[13]=Process : C:\WINDOWS\SBNESI.DLL
obj[14]=Process : C:\WINDOWS\SBNESI.DLL
obj[15]=Process : C:\WINDOWS\SBNESI.DLL
obj[16]=Process : C:\WINDOWS\SBNESI.DLL
obj[17]=Process : C:\WINDOWS\SBNESI.DLL
obj[18]=Process : C:\WINDOWS\SBNESI.DLL
obj[19]=Process : C:\WINDOWS\SBNESI.DLL
obj[20]=Process : C:\WINDOWS\SBNESI.DLL
obj[21]=Process : C:\WINDOWS\SBNESI.DLL
obj[22]=Process : C:\WINDOWS\SBNESI.DLL

I tried to run killbox on this dll but it remove it or it comes back.

Here is my latest hjt log

Logfile of HijackThis v1.99.0
Scan saved at 2:38:52 AM, on 1/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\QRGWQV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\HIGHJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\qrgwqv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - Startup: ftihfk.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/FunBuddyIconsFWBInitialSetup1.0.0.8.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab

Thanks again for the help
 

· Registered
Joined
·
9,520 Posts
Download this attached file(find_qoologic)
Unzip the whole folder and then run qoologic.bat.
It will creat a log (C:\Log )
Post the log here.. it might take a while to scan.


;)
 

Attachments

· Registered
Joined
·
12 Posts
Discussion Starter · #5 ·
Here is the list from qoologic

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
I copied the dos window if it helps


1 file(s) copied
Path not found - C:\docume~1\alluse~1\startm~1\programs\startup
0 file(s) copied
--------------------------------------------------------------
.
Now scanning for Qoologic trojan, this may take a few minutes.
Please do not close this window yet..........
1 file(s) copied
Invalid directory
Bad command or file name
Bad command or file name
Too many parameters - menu\programs\startup
Bad command or file name
Bad command or file name
File not found
All done scanning.. Log is located at C:\log.txt
Press any key to close this window and open log..
Press any key to continue . . .

bye

Thanks again
 

· Registered
Joined
·
9,520 Posts
Ok.......lets try this.....check and fix O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\qrgwqv.exe with HijackThis.
Use KillBox and copy/paste in this line:
C:\WINDOWS\qrgwqv.exe
Click the "Delete File" button which looks like a stop sign.
Re-boot,scan again with H/T and lets see if it stays gone.

;)
 

· Registered
Joined
·
12 Posts
Discussion Starter · #7 ·
$teve

File C:\WINDOWS\qrgwqv.exe does come back after reboot
Here is the hjt list after last try.

Logfile of HijackThis v1.99.0
Scan saved at 4:06:12 AM, on 1/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\FTIHFK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIGHJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\qrgwqv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - Startup: ftihfk.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/FunBuddyIconsFWBInitialSetup1.0.0.8.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab

What do we try next?
Thanks again
Mike
 

· Registered
Joined
·
9,520 Posts
Theres a hidden file that .unless we locate and remove it....it will re-install the badfile.

Click here: http://forums.techguy.org/attachmen...achmentid=46183 to download Findit.zip.

Unzip it and double-click on Find.bat to run it. It should run for a few seconds, then open Output.txt file. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

http://www.downloads.subratam.org/VX2Finder.exe

I will be off-line in a few minutes so can you alert a moderator for continued help.

Thanx.
;)
 

· Registered
Joined
·
9,520 Posts
GRRRR!......the problem with most of the tools we use nowadays are not designed to run under 95/98.
Is your Win 2K partition NTFS or FAT32?
 

· Registered
Joined
·
12 Posts
Discussion Starter · #11 ·
After rebooting into w2k, I checked partitions. It is fat32.
While I was in w2k I ran both files.

Here is the log from findit

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findit

------- System Files in System32 Directory -------

Volume in drive D is SYSTEM_SAV
Volume Serial Number is 34AB-0AEF

Directory of D:\WINNT\System32

09/27/2002 08:03p dllcache
0 File(s) 0 bytes
1 Dir(s) 321,699,840 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D is SYSTEM_SAV
Volume Serial Number is 34AB-0AEF

Directory of D:\WINNT\System32

09/27/2002 08:31p GroupPolicy
09/27/2002 08:18p 21,692 folder.htt
09/27/2002 08:18p 271 desktop.ini
09/27/2002 08:03p dllcache
12/07/2000 08:26p 51,200 PackethSvc.exe
3 File(s) 73,163 bytes
2 Dir(s) 321,695,744 bytes free

------------ Files Named "Guard" ---------------

Volume in drive D is SYSTEM_SAV
Volume Serial Number is 34AB-0AEF

Directory of D:\WINNT\System32

------ Temp Files in System32 Directory ------

Volume in drive D is SYSTEM_SAV
Volume Serial Number is 34AB-0AEF

Directory of D:\WINNT\System32

07/26/2000 12:00p 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 321,687,552 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"CPQEASYACC"="D:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
"PrinTray"="D:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\2\\printray.exe"
"CountrySelection"="pctptt.exe"
"RealTray"="D:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Here is the log from vx2finder

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn

Guardian Key--- is called:

Guardian Key--- :

User Agent String---

Remember this was run in w2k my dsl is set up on 98

I hope this helps
Thanks for your help
Mike
 

· Registered
Joined
·
12 Posts
Discussion Starter · #12 ·
I have tried running 3 of the online scaners

http://www.pandasoftware.com/activescan/
Panda showed no problems

http://www.ravantivirus.com/scan/
Here is a log from ravanti

Scan started at 1/13/05 7:33:35 PM

Scanning memory...
c:\WINDOWS\SYSTEM\Lwhv0Ua.exe - Backdoor:Win32/VB.UV -> Infected
c:\WINDOWS\SYSTEM\TafqXPmo.exe - Backdoor:Win32/VB.UV -> Infected
c:\WINDOWS\SYSTEM\Uhbg.exe - Backdoor:Win32/VB.UV -> Infected
c:\WINDOWS\SYSTEM\EqbHV5.exe - Trojan:Win32/Sandbox.A -> Infected
c:\WINDOWS\SYSTEM\NkzAH.exe - Trojan:Win32/Sandbox.A -> Infected
c:\WINDOWS\SYSTEM\FvzbqjPz.exe - Trojan:Win32/Sandbox.A -> Infected
c:\WINDOWS\SYSTEM\Plx7L.exe - Trojan:Win32/Sandbox.A -> Infected
c:\WINDOWS\SYSTEM\KybX9.exe - Trojan:Win32/Sandbox.A -> Infected
c:\WINDOWS\SYSTEM\ZmxCD746.exe - Trojan:Win32/Sandbox.A -> Infected
e:\My Documents\MIKE\backup\spyware->1->(UPXW) - TrojanDownloader:Win32/Lalus -> Infected

Scanned
============================
Objects: 77911
Directories: 6484
Archives: 1399
Size(Kb): -117198
Infected files: 10

Found
============================
Viruses found: 3
Suspicious files: 0
Disinfected files: 0
Mail files: 126

http://housecall.trendmicro.com/
Housecall found 2 more files
Trojan Narrator.A C:\windows xwahxl.exe
Trojan Narrator.A C:\windows ioqcil.dll

None of the scaners would remove e:\My Documents\MIKE\backup\spyware->1->(UPXW) -
I manually deleted it.
I then dumped all trash.
Run Highjacjthis and marked O4-HKLM\..\Run: [Narrator] C;\WINDOWS\qrgwqv.exe
Ran killbox on C:\windows xwahxl.exe and C:\windows ioqcil.dll
Reboot the machine and it still comes back.
I do not know what else to try. :confused:
 

· Registered
Joined
·
46,465 Posts
Here is the findit file for 9x machines:

Click here to download FindIt9xME.zip. Unzip it to your desktop.

Doubleclick on the find.bat file and let it run. It may take as long as ten minutes to run. When it is finished it will produce an output.txt file. Copy and paste the contents of output.txt here please.
 

· Registered
Joined
·
12 Posts
Discussion Starter · #14 ·
Here is the log file

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 390D-9DB3
Directory of C:\WINDOWS\SYSTEM

YFK8 CT6 1,020 11-14-04 9:29a Yfk8.ct6
NTO9G Y89 1,104 07-10-04 5:59p Nto9g.y89
AGM8 DV7 434 06-28-04 6:01a Agm8.dv7
3 file(s) 2,558 bytes
0 dir(s) 5,277.80 MB free

------- Hidden Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 390D-9DB3
Directory of C:\WINDOWS\SYSTEM

VX0 NLS 8,192 12-23-04 8:19p VX0.NLS
VX3 NLS 8,192 12-23-04 8:19p VX3.NLS
VX3X NLS 8,192 12-23-04 8:19p VX3X.NLS
VX2 NLS 8,192 12-23-04 8:19p VX2.NLS
VX2X NLS 8,192 12-23-04 8:19p VX2X.NLS
VX1X NLS 8,192 12-23-04 8:19p VX1X.NLS
VX1 NLS 8,192 12-23-04 8:19p VX1.NLS
YFK8 CT6 1,020 11-14-04 9:29a Yfk8.ct6
NTO9G Y89 1,104 07-10-04 5:59p Nto9g.y89
ZLLICTBL DAT 4,212 07-07-04 9:59p zllictbl.dat
AGM8 DV7 434 06-28-04 6:01a Agm8.dv7
CQ609XDH GID 32,425 09-26-02 9:42p cq609xdh.GID
FOLDER HTT 13,122 07-22-99 12:25a folder.htt
DESKTOP INI 266 07-22-99 12:25a desktop.ini
14 file(s) 109,927 bytes
0 dir(s) 5,277.80 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"yie6_SBC"="IEAK"
"YPC 3.0.3"="Yahoo! Parental Controls"
"FunWebProducts"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
yfk8.ct6 Sun Nov 14 2004 9:29:06a ..SH. 1,020 0.99 K
vx1.nls Thu Dec 23 2004 8:19:32p ...HR 8,192 8.00 K
vx1x.nls Thu Dec 23 2004 8:19:34p ...HR 8,192 8.00 K
vx2x.nls Thu Dec 23 2004 8:19:40p ...HR 8,192 8.00 K
vx2.nls Thu Dec 23 2004 8:19:42p ...HR 8,192 8.00 K
vx3.nls Thu Dec 23 2004 8:19:44p ...HR 8,192 8.00 K
vx3x.nls Thu Dec 23 2004 8:19:44p ...HR 8,192 8.00 K
vx0.nls Thu Dec 23 2004 8:19:48p ...HR 8,192 8.00 K

8 items found: 8 files, 0 directories.
Total of file sizes: 58,364 bytes 56.99 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: extract4C:\Find-Qoologic
C:\WINDOWS\USER.DAT: bC:\Temp\KillBox.exe\1indit\find.bat\1ologic\qoologic.bat\1
C:\WINDOWS\USER.DAT: fC:\findit\find.bat\1Find-Qoologic\qoologic.bat\1
C:\WINDOWS\USER.DAT: fqoologic dos.doc
C:\WINDOWS\USER.DAT: qoologic dos.doc.lnk
C:\WINDOWS\USER.DAT: gqoologic.txt
C:\WINDOWS\USER.DAT: qoologic.txt.lnk
C:\WINDOWS\USER.DAT: qoologic dos.doc.lnk
C:\WINDOWS\USER.DAT: qoologic.txt.lnk
C:\WINDOWS\sbnesi.dll: updates.qoologic.com
C:\WINDOWS\xwahxl.exe: updates.qoologic.com
C:\WINDOWS\VPTNFILE.349: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.349: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.349: TROJ_QOOLOGIC.A
C:\WINDOWS\ioqcil.dll: updates.qoologic.com
C:\WINDOWS\lpt$vpn.349: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.349: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.349: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\qrgwqv.exe: .aspack
C:\WINDOWS\gbkpgw.dat: .aspack
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\Start Menu\Programs\StartUp\ftihfk.exe: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SystemTray"="SysTray.Exe"
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\cpqeadm.exe"
"EACLEAN"="C:\\Program Files\\Compaq\\Easy Access Button Support\\eaclean.exe"
"CPQInet"="c:\\compaq\\CPQInet\\CpqInet.exe"
"Digital Dashboard"="C:\\Program Files\\Compaq\\Digital Dashboard\\DevGulp.exe"
"CountrySelection"="pctptt.exe"
"LexmarkPrinTray"="PrinTray.exe"
"NAV Agent"="c:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.EXE"
"NPROTECT"="c:\\Program Files\\Norton SystemWorks\\Norton Utilities\\nprotect.exe"
"PTSNOOP"="ptsnoop.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"Narrator"="C:\\WINDOWS\\qrgwqv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


 

· Registered
Joined
·
46,465 Posts
click Here and download the the new version of Killbox and save it to your desktop.

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\sbnesi.dll

C:\WINDOWS\xwahxl.exe

C:\WINDOWS\Start Menu\Programs\StartUp\ftihfk.exe

C:\WINDOWS\ioqcil.dll

C:\WINDOWS\qrgwqv.exe

C:\WINDOWS\gbkpgw.dat


After you paste the last file name in Killbox and it asks you if you want to reboot, answer yes and let it reboot. Don't answer yes and let it reboot until the last one has been entered.

After it restarts, post another Hijack This log along with a new log from find.bat
 

· Registered
Joined
·
12 Posts
Discussion Starter · #16 ·
After killbox ask for confimation it does not ask for reboot.
The pull down on the lower right is set for KERNALL32.DLL.
Is this correct?
I still cut and paste all 6 files.
After reboot I ran hjt and findit.
Here are the logs.

Logfile of HijackThis v1.99.0
Scan saved at 6:06:32 AM, on 1/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HIGHJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\qrgwqv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/FunBuddyIconsFWBInitialSetup1.0.0.8.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 390D-9DB3
Directory of C:\WINDOWS\SYSTEM

YFK8 CT6 1,020 11-14-04 9:29a Yfk8.ct6
NTO9G Y89 1,104 07-10-04 5:59p Nto9g.y89
AGM8 DV7 434 06-28-04 6:01a Agm8.dv7
3 file(s) 2,558 bytes
0 dir(s) 5,282.94 MB free

------- Hidden Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 390D-9DB3
Directory of C:\WINDOWS\SYSTEM

VX0 NLS 8,192 12-23-04 8:19p VX0.NLS
VX3 NLS 8,192 12-23-04 8:19p VX3.NLS
VX3X NLS 8,192 12-23-04 8:19p VX3X.NLS
VX2 NLS 8,192 12-23-04 8:19p VX2.NLS
VX2X NLS 8,192 12-23-04 8:19p VX2X.NLS
VX1X NLS 8,192 12-23-04 8:19p VX1X.NLS
VX1 NLS 8,192 12-23-04 8:19p VX1.NLS
YFK8 CT6 1,020 11-14-04 9:29a Yfk8.ct6
NTO9G Y89 1,104 07-10-04 5:59p Nto9g.y89
ZLLICTBL DAT 4,212 07-07-04 9:59p zllictbl.dat
AGM8 DV7 434 06-28-04 6:01a Agm8.dv7
CQ609XDH GID 32,425 09-26-02 9:42p cq609xdh.GID
FOLDER HTT 13,122 07-22-99 12:25a folder.htt
DESKTOP INI 266 07-22-99 12:25a desktop.ini
14 file(s) 109,927 bytes
0 dir(s) 5,282.93 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"yie6_SBC"="IEAK"
"YPC 3.0.3"="Yahoo! Parental Controls"
"FunWebProducts"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
yfk8.ct6 Sun Nov 14 2004 9:29:06a ..SH. 1,020 0.99 K
vx1.nls Thu Dec 23 2004 8:19:32p ...HR 8,192 8.00 K
vx1x.nls Thu Dec 23 2004 8:19:34p ...HR 8,192 8.00 K
vx2x.nls Thu Dec 23 2004 8:19:40p ...HR 8,192 8.00 K
vx2.nls Thu Dec 23 2004 8:19:42p ...HR 8,192 8.00 K
vx3.nls Thu Dec 23 2004 8:19:44p ...HR 8,192 8.00 K
vx3x.nls Thu Dec 23 2004 8:19:44p ...HR 8,192 8.00 K
vx0.nls Thu Dec 23 2004 8:19:48p ...HR 8,192 8.00 K

8 items found: 8 files, 0 directories.
Total of file sizes: 58,364 bytes 56.99 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\SYSTEM.DAT: C:\Find-It\qoologic.txt
C:\WINDOWS\USER.DAT: Find-Qoologic
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: extract4C:\Find-Qoologic
C:\WINDOWS\USER.DAT: bC:\Temp\KillBox.exe\1indit\find.bat\1ologic\qoologic.bat\1
C:\WINDOWS\USER.DAT: fC:\findit\find.bat\1Find-Qoologic\qoologic.bat\1
C:\WINDOWS\USER.DAT: gqoologic.txt
C:\WINDOWS\USER.DAT: qoologic.txt.lnk
C:\WINDOWS\USER.DAT: qoologic dos.doc.lnk
C:\WINDOWS\USER.DAT: qoologic.txt.lnk
C:\WINDOWS\VPTNFILE.349: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.349: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.349: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.349: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.349: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.349: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\SYSTEM.DAT: C:\Find-It\aspack.txt
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SystemTray"="SysTray.Exe"
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\cpqeadm.exe"
"EACLEAN"="C:\\Program Files\\Compaq\\Easy Access Button Support\\eaclean.exe"
"CPQInet"="c:\\compaq\\CPQInet\\CpqInet.exe"
"Digital Dashboard"="C:\\Program Files\\Compaq\\Digital Dashboard\\DevGulp.exe"
"CountrySelection"="pctptt.exe"
"LexmarkPrinTray"="PrinTray.exe"
"NAV Agent"="c:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.EXE"
"NPROTECT"="c:\\Program Files\\Norton SystemWorks\\Norton Utilities\\nprotect.exe"
"PTSNOOP"="ptsnoop.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"Narrator"="C:\\WINDOWS\\qrgwqv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


 

· Registered
Joined
·
46,465 Posts
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\qrgwqv.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.exe


Restart your computer.
 

· Registered
Joined
·
12 Posts
Discussion Starter · #18 ·
We maybe getting somewhere
Here is the latest hjt log

Logfile of HijackThis v1.99.0
Scan saved at 7:18:42 AM, on 1/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIGHJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\e7o3u1d6.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
1 - 20 of 23 Posts
Status
Not open for further replies.
Top