SVT please help me out--About:blank, various others, keep manifesting....
SVT--thanks for your help and perserverence with this type of stuff. It is admirable that these forums are run by voluteers that really want to help people. I've run latest of Ad-Aware and Search and Destroy. Below is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:27:46 AM, on 3/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\InFocus\Projector Manager\Projmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINNT\system32\nbttopl.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\msrolder.exe
C:\PROGRA~1\COMMON~1\qooo\qooom.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HP 9100C\Link\hpnsjtr.exe
C:\PROGRA~1\COMMON~1\qooo\qoooa.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Documents and Settings\howardt\Desktop\Spyware Stuff\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDCLIENT\SOFTMON.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Projector Manager] C:\Program Files\InFocus\Projector Manager\Projmgr.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=WBIGONT2:5007 /S=WBIGONT2 /I=HTTP://WBIGONT2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LidPolicy] c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [PDEABt] C:\WINNT\jfhtda.exe
O4 - HKLM\..\Run: [xsnW3mS] nbttopl.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [gB46Rge4g] msrolder.exe
O4 - HKCU\..\Run: [qooo] C:\PROGRA~1\COMMON~1\qooo\qooom.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Sender Link.lnk = C:\HP 9100C\Link\hpnsjtr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: budget.mdu.com
O15 - Trusted Zone: http://budget.mdu.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mdu.com
O20 - AppInit_DLLs: mad.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk(R) Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
What do you think????
Logfile of HijackThis v1.99.1
Scan saved at 11:27:46 AM, on 3/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\InFocus\Projector Manager\Projmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINNT\system32\nbttopl.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\msrolder.exe
C:\PROGRA~1\COMMON~1\qooo\qooom.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HP 9100C\Link\hpnsjtr.exe
C:\PROGRA~1\COMMON~1\qooo\qoooa.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Documents and Settings\howardt\Desktop\Spyware Stuff\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDCLIENT\SOFTMON.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Projector Manager] C:\Program Files\InFocus\Projector Manager\Projmgr.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=WBIGONT2:5007 /S=WBIGONT2 /I=HTTP://WBIGONT2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LidPolicy] c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [PDEABt] C:\WINNT\jfhtda.exe
O4 - HKLM\..\Run: [xsnW3mS] nbttopl.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [gB46Rge4g] msrolder.exe
O4 - HKCU\..\Run: [qooo] C:\PROGRA~1\COMMON~1\qooo\qooom.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Sender Link.lnk = C:\HP 9100C\Link\hpnsjtr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: budget.mdu.com
O15 - Trusted Zone: http://budget.mdu.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mdu.com
O20 - AppInit_DLLs: mad.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk(R) Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
What do you think????
0
This discussion has been closed.
Comments
Download KillBox. Unzip it to your desktop.
http://www.downloads.subratam.org/KillBox.zip
Select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System32\mad.dll
Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.
Your computer will reboot.
Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.
http://free.grisoft.com/softw/70free/setup/avg70free_300a419.exe
Let me know what AVG finds.
Reboot and post a new hijackthis log.
Downloaded and ran AVG. AVG found 3 Trojans....IT RECOGNIZED THEM, BUT I'M NOT SURE IT KILLED THEM. The results reported that one of them was still infected, although all three now reside in AVG's Virus Vault. The culprits are/were:
1. Downloader.Dyfica.3.L residing at: C:\Documents and Settings\howardt\Local Settings\Temp\cln59.tmp
2. Downloader.Apropo.0 residing at: C:\Program Files\AutoUpdate\AutoUpdate.exe
3. Downloader.Small.25.AI residing at: C:\Program Files\Common Files\qooo\qoool.exe
New HJT log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 10:01:54 AM, on 3/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\InFocus\Projector Manager\Projmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINNT\jfhtda.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINNT\system32\mlasoltr.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\mdhef.exe
C:\PROGRA~1\COMMON~1\qooo\qooom.exe
C:\PROGRA~1\COMMON~1\qooo\qoooa.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HP 9100C\Link\hpnsjtr.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CxtPls\CxtPls.exe
C:\Documents and Settings\howardt\Desktop\Spyware Stuff\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDCLIENT\SOFTMON.EXE
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Projector Manager] C:\Program Files\InFocus\Projector Manager\Projmgr.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=WBIGONT2:5007 /S=WBIGONT2 /I=HTTP://WBIGONT2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LidPolicy] c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [PDEABt] C:\WINNT\jfhtda.exe
O4 - HKLM\..\Run: [xsnW3mS] mlasoltr.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [gB46Rge4g] mdhef.exe
O4 - HKCU\..\Run: [qooo] C:\PROGRA~1\COMMON~1\qooo\qooom.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Sender Link.lnk = C:\HP 9100C\Link\hpnsjtr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: budget.mdu.com
O15 - Trusted Zone: http://budget.mdu.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mdu.com
O20 - AppInit_DLLs: mad.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk(R) Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
I'm not sure if it's important, but it looks like the mad.dll made it through the Killbox procedure???
Thanks so much for your continued support!!!1
Media Pass
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDCLIE NT\SOFTMON.EXE
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [PDEABt] C:\WINNT\jfhtda.exe
O4 - HKLM\..\Run: [xsnW3mS] mlasoltr.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [gB46Rge4g] mdhef.exe
O4 - HKCU\..\Run: [qooo] C:\PROGRA~1\COMMON~1\qooo\qooom.exe
O20 - AppInit_DLLs: mad.dll
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINNT\system32\mad.dll
C:\WINNT\system32\ap9h4qmo.exe
C:\WINNT\system32\mlasoltr.exe
C:\WINNT\system32\mdhef.exe
C:\WINNT\jfhtda.exe
C:\PROGRA~1\COMMON~1\qooo
C:\Program Files\CxtPls
C:\Program Files\Media Pass
C:\Program Files\ISTsvc
Reboot your computer to go back to normal mode.
Please run these two online scans.
Make sure they are set to clean automatically:
http://www.bitdefender.com/scan/licence.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
If there are files that can not be removed by the scans please include that information in your next post.
Reboot and post a new hijackthis log.
OK...removed Media Pass. Ran HJT to fix entries. MediaPassK.exe not there and HJT errored out in fixing O20 - AppInit_DLLs: mad.dll
Deleted recommended files and directories...a few were not there as noted.
Bit defender came up clean.
Panda scan detected a number (around 20) and apparently cleaned them all.
The first time I got back online--about:blank was NOT apparent. However, upon refreshing the web page, it was back there to greet me
Also seeing that damn: SpecificPop Network stuff occasionally :shakehead
Latest HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:49:59 AM, on 3/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\InFocus\Projector Manager\Projmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HP 9100C\Link\hpnsjtr.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Documents and Settings\howardt\Desktop\Spyware Stuff\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mdunet.mdures.com/START/DEFAULT.HTM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Projector Manager] C:\Program Files\InFocus\Projector Manager\Projmgr.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=WBIGONT2:5007 /S=WBIGONT2 /I=HTTP://WBIGONT2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LidPolicy] c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Sender Link.lnk = C:\HP 9100C\Link\hpnsjtr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: budget.mdu.com
O15 - Trusted Zone: http://budget.mdu.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mdu.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk(R) Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Remove everything that it finds.
Reboot and post a new hijackthis log. Let me know how things are running.
Downloaded and ran the MS spyware remover as recommended. It found 9 items and was apparently able to kill them all.
Unfortunately, still getting z1.adserver and about:blank popups!!! :bawling:
Latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:12:32 AM, on 3/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\InFocus\Projector Manager\Projmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HP 9100C\Link\hpnsjtr.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\howardt\Desktop\Spyware Stuff\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Projector Manager] C:\Program Files\InFocus\Projector Manager\Projmgr.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=WBIGONT2:5007 /S=WBIGONT2 /I=HTTP://WBIGONT2/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LidPolicy] c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Sender Link.lnk = C:\HP 9100C\Link\hpnsjtr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: budget.mdu.com
O15 - Trusted Zone: http://budget.mdu.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mdu.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mdu.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk(R) Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hibernation - Unknown owner - C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
ms0b920b.dll
ms9b1d3f.dll
Let's get a look at the dll files on your computer to see if there's something there that shouldn't be.
Thanks again for the attention.
I found neither of the DLL's you mentioned.
The DLLCompare Log is:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
________________________________________________
1,133 items found: 1,133 files, 0 directories.
Total of file sizes: 203,711,541 bytes 194.27 M
Administrator Account = True
End log
What do you think?
Post that log here.
As requested, here you go with the HJT extended startup list:
StartupList report, 3/24/2005, 3:27:27 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\howardt\Desktop\Spyware Stuff\HJT\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\InFocus\Projector Manager\Projmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\HP 9100C\Link\hpnsjtr.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Documents and Settings\howardt\Desktop\Spyware Stuff\HJT\HijackThis.exe
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
HP Digital Sender Link.lnk = C:\HP 9100C\Link\hpnsjtr.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\SYSTEM32\Userinit.exe,
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
AtiPTA = atiptaxx.exe
hkss = C:\Program Files\Compaq\HotKey Software\hkss.exe
cpqek = C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
Client Access Service = "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
Client Access Help Update = "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
Client Access Check Version = "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
Client Access Express Welcome = "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
IntelAPMClient = "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Projector Manager = C:\Program Files\InFocus\Projector Manager\Projmgr.exe -hide
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
LANDeskInventoryClient = "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=WBIGONT2:5007 /S=WBIGONT2 /I=HTTP://WBIGONT2/ldlogon/ldappl3.ldz /NOUI
LANDeskVulscanClient = "C:\Program Files\LANDesk\LDClient\vulScan.exe" /agentBehavior=1
SDClientMonitor = "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
msnappau = "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
LidPolicy = c:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
CreateCD = C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
Checking for EXPLORER.EXE instances:
C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
[AvxScanOnline Control]
InProcServer32 = C:\WINNT\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Enumerating Windows NT/2000/XP services
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
LANDesk(R) Management Agent: "C:\Program Files\LANDesk\Shared Files\residentagent.exe" (autostart)
DefWatch: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Hibernation: C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
Intel Local Scheduler Service: C:\Program Files\LANDesk\LDClient\LocalSch.EXE (autostart)
Intel PDS: C:\WINNT\system32\cba\pds.exe (autostart)
Intel QIP Client Service: C:\Program Files\LANDesk\LDClient\qipclnt.exe (autostart)
LANDesk Targeted Multicast: C:\Program Files\LANDesk\LDClient\tmcsvc.exe (autostart)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LANDesk Remote Control Service: C:\PROGRA~1\LANDesk\LDClient\issuser.exe /SERVICE (autostart)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Symantec AntiVirus Client: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (autostart)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Windows Time: %SystemRoot%\System32\services.exe (autostart)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
WMDM PMSP Service: C:\WINNT\system32\mspmspsv.exe (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll
End of report, 13,223 bytes
Report generated in 0.230 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Come to think of it, Media Player suddenly started coming alive on startup? I wondered why it was autostarting, but frankly have been too lazy to fix the issue.
What are you thinking? Media Player kind of makes sense.....
C:\Program Files\Windows Media Player\wmplayer.exe
Then go here and download the current version.
http://www.microsoft.com/windows/windowsmedia/mp10/default.aspx
After that, go to Windows Update and install any critical updates found for your system.
http://windowsupdate.microsoft.com/
Followed your directions and rebooted...went to site where pop-ups usually happen (www.drudgreport.com) and NO problems!!!!
Exited MSIE, opened Media player, reopend MSIE, browsed to a few sites and NO APPARENT PROBLEMS!!!
Jared and Buckeye...THANKS SO MUCH!!!!!
Look OK and feels OK.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
- Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
- Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.You can find instructions on how to enable and reenable system restore here:
Managing Windows Millenium System Restore
or
Windows XP System Restore Guide
Renable system restore with instructions from tutorial above
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware