
here4search.com spyware

Logfile of HijackThis v1.99.1
Scan saved at 5:29:52 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\vbubko9ky51xsithd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jason\Desktop\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.refugeegamers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.refugeegamers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\CNUZWK~1.DLL
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\vbubko9ky51xsithd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AOL Instant Messenger\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - http://naupoint.com/toolbar/installer/iEBINST5.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {19B6C07F-7AA5-4170-88A9-EF184DC2EC40} - http://38.144.58.94/install.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com/cba8cbaf/enter.cab
O16 - DPF: {335D6D81-E788-1586-1372-520D5DD868DC} - http://63.219.178.91/1/rdgUS1342.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5A14E92A-6D80-35F2-FE8F-29DE4CD1492D} - http://69.50.182.94/1/rdgUS1735.exe
O16 - DPF: {5C50A515-6EEF-32C0-39A9-1126693C2C22} - http://63.219.178.91/1/rdgUS1342.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093789607140
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
O20 - AppInit_DLLs: w9mzburrdh18h4l.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run Hijackthis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\CNUZWK~1.DLL
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - http://naupoint.com/toolbar/installer/iEBINST5.cab
    O16 - DPF: {19B6C07F-7AA5-4170-88A9-EF184DC2EC40} - http://38.144.58.94/install.cab
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com/cba8cbaf/enter.cab
    O16 - DPF: {335D6D81-E788-1586-1372-520D5DD868DC} - http://63.219.178.91/1/rdgUS1342.exe
    O16 - DPF: {5A14E92A-6D80-35F2-FE8F-29DE4CD1492D} - http://69.50.182.94/1/rdgUS1735.exe
    O16 - DPF: {5C50A515-6EEF-32C0-39A9-1126693C2C22} - http://63.219.178.91/1/rdgUS1342.exe
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: w9mzburrdh18h4l.dll.dll.dll.dll.dll.dll


    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories (do not be concerned if they do not exist):

    C:\WINDOWS\chp.dll
    C:\WINDOWS\system32\CNUZWK~1.DLL
    w9mzburrdh18h4l.dll.dll.dll.dll.dll.dll


    Run a full scan with Adaware.

    Reboot your computer to go back to normal mode and post a new log.
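One way to triage a HijackThis log automatically for the entry families Buckeye_Sam picked out above (a populated AppInit_DLLs value, the O18 filter hijack, O16 downloads from bare IP addresses, an unnamed BHO, a random-looking autostart in system32, and start/search pages carrying an affiliate-style id), and to spot across the thread's successive logs that the AppInit_DLLs filename is different after every reboot. This is an added example written for this page, not code from the thread or from HijackThis; the allowlist of expected start-page hosts and the "random-looking name" rule are assumptions, and the sample log lines are constructed from entries in the logs posted above, not the full logs.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).
Assumptions: the start-page allowlist and the generated-name heuristic."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allowlist: hosts a legitimate IE start/search page may point to.
EXPECTED_IE_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "high" (act on it) or "review" (needs a human look)
    reason: str
    line: str


def looks_random(filename: str) -> bool:
    """Heuristic for generated names: a long stem mixing letters and digits
    with almost no vowels (vbubko9ky51xsithd, w9mzburrdh18h4l, ...)."""
    stem = filename.split(".")[0]
    if len(stem) < 10 or not re.search(r"\d", stem) or not re.search(r"[A-Za-z]", stem):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    return vowels <= len(stem) // 4


def check_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        url = urlsplit(body.split("=", 1)[-1].strip())
        if url.scheme in ("http", "https"):
            if url.query:  # hp.htm?id=31403 style: an affiliate id, the classic hijacker tell
                return Finding(sec, "high", "start/search page carries an affiliate-style query id", line)
            if url.hostname not in EXPECTED_IE_HOSTS:
                return Finding(sec, "review", f"start/search page points at {url.hostname}", line)
    elif sec == "O2" and "(no name)" in body:
        return Finding(sec, "review", "BHO registered without a name", line)
    elif sec == "O4":
        target = body.split("] ", 1)[-1].strip().strip('"')
        base = target.replace("/", "\\").rsplit("\\", 1)[-1]
        if "system32" in target.lower() and looks_random(base):
            return Finding(sec, "high", "random-looking executable autostarted from system32", line)
    elif sec == "O16":
        host = urlsplit(body.rsplit(" - ", 1)[-1]).hostname or ""
        if IP_HOST_RE.match(host):
            return Finding(sec, "high", f"ActiveX download from bare IP {host}", line)
        if "} (" not in body:  # no "(Control Name)" registered for the CLSID
            return Finding(sec, "review", "ActiveX download with no registered control name", line)
    elif sec == "O18" and body.startswith("Filter hijack:"):
        return Finding(sec, "high", "MIME filter hijack: a DLL intercepts that content type", line)
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # loaded into every process that links user32.dll
            why = "AppInit_DLLs is set"
            if value.count(".dll") > 1 or looks_random(value):
                why += "; the name looks generated"
            return Finding(sec, "high", why, line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(check_line, log_text.splitlines()) if f]


def appinit_values(log_texts: List[str]) -> List[str]:
    """The AppInit_DLLs value from each log, in the order the logs were taken."""
    return [f.line.split(":", 1)[1].strip()
            for text in log_texts for f in triage(text)
            if f.section == "O20" and "AppInit_DLLs" in f.line]


def dropper_regenerating(log_texts: List[str]) -> bool:
    """True when successive logs carry a different AppInit_DLLs filename: deleting
    the DLL by name did not help because something recreates it at boot."""
    values = appinit_values(log_texts)
    return len(values) >= 2 and len(set(values)) > 1


# Constructed samples: a few entries copied from the thread's first two logs.
SAMPLE_LOG_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\CNUZWK~1.DLL
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\vbubko9ky51xsithd.exe
O16 - DPF: {0036F389-FEF8-43AC-9220-16430E0012ED} - http://naupoint.com/toolbar/installer/iEBINST5.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {19B6C07F-7AA5-4170-88A9-EF184DC2EC40} - http://38.144.58.94/install.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
O20 - AppInit_DLLs: w9mzburrdh18h4l.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""
SAMPLE_LOG_2 = r"""
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\vbubko9ky51xsithd.exe
O20 - AppInit_DLLs: vi25ws5p2dvihtl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_1):
        print(f"[{f.severity}] {f.section}: {f.reason}")
    print("AppInit name changes between logs:", dropper_regenerating([SAMPLE_LOG_1, SAMPLE_LOG_2]))
```

The "no registered control name" rule is deliberately reported as "review" rather than "high": in the first log it would also trip on the QuickTime installer O16 entry, which the helper left alone. Run over the thread's 3/28, 3/29 and 4/1 logs, dropper_regenerating returns True, which is the cue that the AppInit DLL is being rewritten at boot and that deleting it by name again will not hold until whatever recreates it is gone.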
  • edited March 2005
    still there

    Logfile of HijackThis v1.99.1
    Scan saved at 4:05:36 AM, on 3/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\NavNT\vptray.exe
    D:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Rage3DTweak\RegTwk.exe
    D:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\vbubko9ky51xsithd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jason\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
    O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\vbubko9ky51xsithd.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AOL Instant Messenger\aim.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093789607140
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: vi25ws5p2dvihtl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    • Download DLLCompare.
    • Double-click on DllCompare.exe to run the program.
    • Click "Run Locate.com" and it will scan your system for files.
    • Once the scan has finished click "Compare" to compare your files to valid Windows files.
    • Once it has finished comparing click "Make a Log of what was found".
    • Click "Yes" at the View Log file? prompt to view the log.
    • Copy and paste the entire log into this topic.
    • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
    • Click "Exit" to exit DLLCompare.
  • edited March 2005
    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found :)"
    ________________________________________________

    1,329 items found: 1,329 files, 0 directories.
    Total of file sizes: 284,289,645 bytes 271.12 M

    Administrator Account = True

    AppInit_DLLs value = 8n2rfgs3y2y2htl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll (not hidden)
    End log
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Download the following file:

    http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip


    and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

    Please copy and paste that log here.
  • edited March 2005
    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Jason\Desktop\finditnt2000xp\Find It NT-2K-XP

    System Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is E41D-51C5

    Directory of C:\WINDOWS\System32

    03/24/2005 04:46 PM <DIR> dllcache
    04/05/2004 10:40 PM <DIR> Microsoft
    0 File(s) 0 bytes
    2 Dir(s) 4,859,969,536 bytes free

    Hidden Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is E41D-51C5

    Directory of C:\WINDOWS\System32

    03/24/2005 04:46 PM <DIR> dllcache
    04/05/2004 11:29 PM <DIR> GroupPolicy
    04/05/2004 10:30 PM 488 logonui.exe.manifest
    04/05/2004 10:30 PM 488 WindowsLogon.manifest
    04/05/2004 10:30 PM 749 nwc.cpl.manifest
    04/05/2004 10:30 PM 749 sapi.cpl.manifest
    04/05/2004 10:30 PM 749 ncpa.cpl.manifest
    04/05/2004 10:30 PM 749 cdplayer.exe.manifest
    04/05/2004 10:30 PM 749 wuaucpl.cpl.manifest
    7 File(s) 4,721 bytes
    2 Dir(s) 4,859,965,440 bytes free

    Files Named "Guard"

    Volume in drive C has no label.
    Volume Serial Number is E41D-51C5

    Directory of C:\WINDOWS\System32


    Temp Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is E41D-51C5

    Directory of C:\WINDOWS\System32

    09/22/2004 06:46 PM 5,550,080 setb7.tmp
    1 File(s) 5,550,080 bytes
    0 Dir(s) 4,859,965,440 bytes free

    User Agent

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""


    Keys Under Notify

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    "DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
    "Logoff"="NavLogoffEvent"
    "StartShell"="NavStartShellEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    Locate.com Results

    No matches found.

    Strings.exe Qoologic Results


    Strings.exe Aspack Results

    C:\WINDOWS\system32\ntdll.dll: .aspack

    HKLM Run Key

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="D:\\Program Files\\NavNT\\vptray.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
    "QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "NvMixerTray"="C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NvMixerTray.exe"
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "Control handler"="C:\\WINDOWS\\system32\\vbubko9ky51xsithd.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Download KillBox and unzip it to your desktop.
    http://www.downloads.subratam.org/KillBox.zip


    Open Killbox and select the Delete on reboot option.


    Copy and paste the following file to the field labeled "Full path of file to delete"

    C:\WINDOWS\system32\vbubko9ky51xsithd.exe

    Press the Delete button (the button that looks like a red circle with a white X in it).

    A first dialog box will ask if you want to delete the file on reboot, press the YES button.

    A second dialog box will ask you if you want to REBOOT now. Press the NO button.


    Copy and paste the following file to the field labeled "Full path of file to delete"

    C:\WINDOWS\system32\8n2rfgs3y2y2htl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

    Press the Delete button (the button that looks like a red circle with a white X in it).

    A first dialog box will ask if you want to delete the file on reboot, press the YES button.

    A second dialog box will ask you if you want to REBOOT now. This time press the YES button.


    Your computer will reboot.


    Please post a new hijackthis log.
  • edited April 2005
    Thought I'd mention that some spyware removal program keeps installing as well... I think it's the Isearch program but can't remember. I uninstall it whenever I see it... but later it will all of a sudden reinstall and automatically start running.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:30:58 AM, on 4/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\NavNT\vptray.exe
    D:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Rage3DTweak\RegTwk.exe
    D:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jason\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
    O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\vbubko9ky51xsithd.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AOL Instant Messenger\aim.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093789607140
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: 3so1hwm3xk4d9sl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
  • Buckeye_Sam (Columbus, Ohio)
    edited April 2005
    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    Security IGuard


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\system32\vbubko9ky51xsithd.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: 3so1hwm3xk4d9sl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll



    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories. Let me know if any of these are not present or if you are unable to delete any of them.

    C:\WINDOWS\system32\W8C6S4~1.DLL
    C:\WINDOWS\system32\vbubko9ky51xsithd.exe
    C:\WINDOWS\chp.dll
    3so1hwm3xk4d9sl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll <-- on this file, try to rename it to bad.old and then delete it.



    Reboot your computer to go back to normal mode.


    Please run this online virus scan. Make sure to set it to autoclean.

    http://housecall.trendmicro.com/housecall/start_corp.asp



    Reboot and post a new hijackthis log. Let me know of any complications that you had.
  • edited April 2005
    Made sure I had the settings set to view all hidden files... the IGuard was still uninstalled from last time I did it.
    okie dokie when I tried to use hijackthis to remove those I got one error:

    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: v6o5d29m111jbdl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.


    booted into safe mode and ran cwshredder... it found nothing infected
    did a search for those files/directories you listed and couldn't find any of them
    here are some that I found similar to those but haven't deleted yet

    w8c6s4xcm66.dll
    1fpwi8fh4hxkcyl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    36xpfgiiho8ccnl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    5dpf7ikhvxombul.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    7ul77899tpgf7yl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    ex6uikyykibe4jl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    ge6z325cd3fthtl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    kde9mp35bypt7yl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    nyi9ue8g4gj6gtl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    p3u8up523okyy4l.dll.dll.dll.dll.dll.dll
    riy15hyt33rf7yl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    sgx1o194zlr59sl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    t1r31eokz59jhtl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    t2khpfhrlept7yl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    tv1xnn4kx5utzzl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    w9mzburrdh18h4l.dll.dll.dll.dll.dll.dll


    also ran the virus scanner and removed anything it found... here's a new hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:42:42 PM, on 4/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Rage3DTweak\RegTwk.exe
    D:\Program Files\NavNT\defwatch.exe
    D:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Documents and Settings\Jason\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
    O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AOL Instant Messenger\aim.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093789607140
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: 6u91nbtut6dbwzl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
  • Buckeye_Sam (Columbus, Ohio)
    edited April 2005
    Don't be concerned about the error from HijackThis. It's just choking on the huge file extension of the dll files that you are trying to delete.


    Download this file and unzip to a folder on your desktop.
    http://skads.org/special/rkfiles.zip


    Reboot into Safe Mode and delete these files.

    C:\WINDOWS\system32\W8C6S4~1.DLL
    C:\WINDOWS\chp.dll

    Also delete all of those dll files with the long repeating .dll extensions. If you find one that you are not sure of, check the date to see if it's within the last few days. And to be doubly safe you can rename the file to badfile.old or something like that.


    Now while in Safe Mode run Hijackthis and remove these lines.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: 6u91nbtut6dbwzl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll



    Go to the folder that you created when you downloaded the file earlier and double-click rkfiles.bat.
    It will scan for a while.
    Wait till the DOS window closes and reboot back to normal mode.

    Post the contents of C:\log.txt in your next reply along with a new hijackthis log.
  • edited April 2005
    Still wasn't able to find either of those 2 files... even manually checked through the windows and system32 directories. Search didn't find anything either...

    the w8c6s4xcm66.dll was still there and I cannot delete it
    I deleted all of the .dll.dll.dll etc. files except for the current one the program appears to be using cause it wouldn't let me delete that either.
    couldn't find anything similar to the chp.dll file.


    C:\log.txt:

    C:\Documents and Settings\Jason\Desktop\rkfiles

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Files Found in system Folder............
    C:\WINDOWS\system32\cpuinf32.dll: UPX!
    C:\WINDOWS\system32\fmod.dll: UPX!
    C:\WINDOWS\system32\mplaa6.dll: UPX!
    C:\WINDOWS\system32\mplam6.dll: UPX!
    C:\WINDOWS\system32\mplapx.dll: UPX!
    C:\WINDOWS\system32\mplaw7.dll: UPX!
    C:\WINDOWS\system32\mplva6.dll: UPX!
    C:\WINDOWS\system32\mplvm6.dll: UPX!
    C:\WINDOWS\system32\mplvpx.dll: UPX!
    C:\WINDOWS\system32\mplvw7.dll: UPX!
    C:\WINDOWS\system32\patin.cpl: UPX!
    C:\WINDOWS\system32\UninstXviDDec.exe: UPX!
    C:\WINDOWS\system32\badfile2.old: PEC2
    C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
    C:\WINDOWS\system32\Dwapilib.tlb: dwProvSpec2
    C:\WINDOWS\system32\h02734tu1px6.dll: PEC2
    C:\WINDOWS\system32\i7gt6dnwxxo38.dll: PEC2
    C:\WINDOWS\system32\yd3n3b4ux19bh4l.dll: PEC2
    C:\WINDOWS\itshta.exe: PEC2
    C:\WINDOWS\stop.31403_4.exe: PEC2

    Files Found in all users startup Folder............
    Files Found in all users windows Folder............
    C:\WINDOWS\daemon.dll: UPX!
    C:\WINDOWS\IFinst26.exe: UPX!
    C:\WINDOWS\RMAgentOutput.dll: UPX!
    C:\WINDOWS\tsc.exe: UPX!
    C:\WINDOWS\vsapi32.dll: UPX!t4
    Finished
    bye


    hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:22:08 PM, on 4/2/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\NavNT\vptray.exe
    D:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Rage3DTweak\RegTwk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jason\Desktop\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\75626K~1.DLL
    O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AOL Instant Messenger\aim.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {2D37BEBB-9C89-4DAB-B6CA-1C03B50D2C60} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2D37BEBB-9C89-4DAB-B6CA-1C03B50D2C60} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093789607140
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: i7gt6dnwxxo38.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe


    All the old files I fix keep popping up again in each new hijack log and some of them just seem to rename themselves.
  • Dexter (Vancouver, BC, Canada)
    edited April 2005
    Jason,

    Sam has gone away for a few days so I am going to be trying to help you with this problem. If you are not sure how to do some of the things I tell you, check the links I provide for instructions. You may want to print these instructions out for easy reference, or copy and paste to Notepad. Do not leave your browser open while performing these fixes.

    This is a stubborn infection, so it will take several passes to get it clean.

    I want to make sure first of all that:

    - you are indeed running Hijack This in Safe Mode.

    - You also should move your Hijack This from your desktop and into its own folder. When you reboot in Safe Mode your desktop may be different, so it's important that HijackThis.exe is in its own folder, as explained here. You can move the other programs you need, such as Killbox, into this folder for easy finding.

    Also, before running these fixes, I see that you have the Microsoft Anti-Spyware program, did you try using that to remove this problem? If not, please give it a shot as well.

    So after that, I want you to PULL THE PLUG ON YOUR COMPUTER. Do not use the power switch or the start menu to reboot. This is called a hard-reboot, and is designed to prevent any files from renaming or hiding themselves during a soft reboot.

    Then, plug the power back in, and boot into Safe Mode. Do not open any browser windows. Run HijackThis and FIX THE FOLLOWING:

    **************

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\75626K~1.DLL

    O9 - Extra button: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2892BC75-774F-4B57-B4BA-FD69D25F5C27} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {2D37BEBB-9C89-4DAB-B6CA-1C03B50D2C60} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2D37BEBB-9C89-4DAB-B6CA-1C03B50D2C60} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4D0FB1AF-82AA-42B7-A8F5-20E19B3008AE} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {55C2B9B8-8818-46D5-922B-C5D658A716B5} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D89E0B36-B735-4190-8314-4139D95CB904} - (no file) (HKCU)

    (((ALL OF THESE HAVE THE FILE MISSING, SO WE ARE CLEANING UP THE ENTRIES TO MAKE THE LOG CLEANER.)))

    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - AppInit_DLLs: i7gt6dnwxxo38.dll

    Exit HJT, stay in Safe Mode, and launch Killbox. Delete each of the following, using the delete on reboot option:

    C:\WINDOWS\system32\75626K~1.DLL
    C:\WINDOWS\chp.dll


    Next, close Killbox. Click on Start -> Run. Type in REGEDIT. Be very careful in Regedit, one wrong move here and you could really screw things up.

    This is the key to stopping this thing from propagating: we need to remove the AppInit_DLLs entry.

    Use the navigation pane on the left to expand the entry keys. Click the + button beside each key to open them up. You need to open up the following keys, until you locate:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    On the right hand side, you will see several items listed, look for AppInit_DLLs.

    When you find AppInit_DLLs, you need to delete it. But you can't just click the delete button. You need to fool the computer into thinking this key is not active, otherwise, it will keep coming back every time you delete it. Here's what you do:


    On the left-hand side, click the folder named "Windows" so that it is selected.

    Right-click on it, and select Rename. Rename the folder to Windows2.

    Now, go back to the right-hand side, and delete the AppInit_DLLs key. Just click it and hit the Delete key.

    Hit F5 to refresh the screen. If that AppInit_DLLs doesn't come back, you're making progress :)

    Rename the Windows2 folder back to Windows.

    Exit Regedit.

    Then, go into C: -> Windows -> Downloaded Program Files, and delete everything in there. Anything you really need will be re-downloaded on demand when you visit the website that needs them.

    Open My Computer, right-click on your C drive, select Properties, and click Disk Cleanup. This will open the Disk Cleanup Manager. It will take a few minutes to scan your hard drive, then present you with a window and several cleaning options. Make sure to choose the options to clean Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

    Do a HARD REBOOT again, and let the computer boot up normally. Do not launch a browser. Do a full scan with Norton Anti-virus, then all of your anti-spyware apps.

    Then go into Windows -> System32, and look for any of those bad DLL files that you saw above. If you find any, delete them with Killbox.

    Then, Hard Reboot again, go into Internet Explorer and see if the problem is gone.

    Let me know....

    Dexter...
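As an added example (not from this thread, HijackThis, or any tool mentioned here), the following Python script applies the triage reasoning from the two helper posts above to HijackThis log lines: a non-empty AppInit_DLLs value (the persistence Dexter is removing), the chained .dll extension that made HijackThis choke, the unnamed BHO on an 8.3 short path, the octet-stream filter hijack, and the orphaned "(no file)" O9 entries. The sample lines are copied from the logs posted earlier in this thread; the severity labels are my own assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample input: a handful of lines in HijackThis v1.99.1 log
# format, copied from the logs posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\75626K~1.DLL
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O9 - Extra button: Microsoft AntiSpyware helper - {147A6F03-5044-4028-AE4C-C166D3D23F99} - (no file) (HKCU)
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
O20 - AppInit_DLLs: 6u91nbtut6dbwzl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# "O20 - AppInit_DLLs: ..." -> section "O20", body "AppInit_DLLs: ..."
LINE_RE = re.compile(r"^\s*(?P<section>[RO]\d+) - (?P<body>.*)$")
# One or more chained ".dll" suffixes at the end of a file name.
CHAINED_DLL_RE = re.compile(r"(\.dll)+$", re.IGNORECASE)
# A DOS 8.3 short name such as \75626K~1.DLL as the last path component.
SHORT_PATH_RE = re.compile(r"\\[^\\]*~\d+\.[A-Za-z0-9]{1,3}$")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low" (my own labels, an assumption)
    reason: str
    line: str


def chained_dll_count(name: str) -> int:
    """Number of trailing '.dll' suffixes: 1 for a normal DLL, 0 if none."""
    m = CHAINED_DLL_RE.search(name)
    return len(m.group(0)) // 4 if m else 0


def triage_line(line: str):
    """Return a Finding for a suspicious HijackThis line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body").strip()

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # On a clean XP box this value is empty.  Anything listed here is
        # loaded into every process that links user32.dll, which is the
        # persistence Dexter describes above.  The regex copes with names of
        # any length, unlike the HijackThis backup routine that errored out.
        value = body.split(":", 1)[1].strip()
        if value:
            n = chained_dll_count(value)
            return Finding(section, "high",
                           f"AppInit_DLLs is set ({n} chained .dll suffixes)", line)
    elif section == "O18" and body.startswith("Filter hijack:"):
        # A MIME filter sees every download of that content type.
        return Finding(section, "high", "MIME filter handler: " + body, line)
    elif section == "O2" and body.startswith("BHO: (no name)") and SHORT_PATH_RE.search(body):
        return Finding(section, "high", "unnamed BHO loaded from an 8.3 short path", line)
    elif section == "O9" and "(no file)" in body:
        return Finding(section, "low", "orphaned entry, file missing; cleanup only", line)
    elif section in ("R0", "R1") and "=" in body:
        url = body.split("=", 1)[1].strip()
        host = urlsplit(url).hostname
        if host:
            return Finding(section, "medium", f"IE start/search page points to {host}", line)
    return None


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and keep the findings, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}")
```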
  • edited April 2005
    Ok I followed everything you said and got up to the regedit part.
    1. I moved the hijackthis into its own folder on the c: drive
    2. Ran NAV
    3. Pulled the powerplug...
    4. plugged it back in and used the f8 method to go into safe mode
    5. ran hijack this (found the exact entries you had listed and fixed them)
    6. did the killbox step
    7. went to regedit and this is where things are still screwed up

    I found the AppInit_DLLs in the exact location you said... I then renamed the folder to Windows2... deleted the AppInit_DLLs... but when I tried to rename the folder back it said a folder by that name already exists... so I refreshed and it looks like the AppInit_DLLs is recreating a windows folder with just that key in it each time I rename the original.

    I'm not able to use the rename option because right after you rename the folder to anything besides "Windows" it just creates a new one. I even tried leaving the original as "Windows2" and deleted the new "Windows" folder with just the AppInit_DLLs in it... but it still just creates another one. I'm currently at work and left the computer in safe mode at home at this step... I'll check for a response before I head home tomorrow morning, otherwise I'll have to just reboot into normal mode and see what else you've said. Is there a way to stop it from reproducing a new "Windows" folder?
  • DexterDexter Vancouver, BC Canada
    edited April 2005
    Well, that's an interesting trick....

    I'll have to do some research on that, I'll reply back when I find a method to prevent that.

    Dexter...
  • A2IA2I
    edited April 2005
    Dexter, if you allow me.

    Hi Jason32, may I offer you an alternative? :nudge:

    Go to

    http://housecall.trendmicro.com/housecall/start_corp.asp

    and run a scan.

    Try this download:

    http://download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe

    Update definitions. **Run the scan after you have done the msconfig step underneath; read it first, please.

    An alternative scanner for you can be the next URL:

    http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10373771.html (Webroot Spy Sweeper 3.5). Update it first, before the msconfig option underneath.

    Here comes the big 'Trick' :type:

    If possible, go to Start/Run, msconfig, [Disable all startup items]. Follow the prompt. (Use this option if you're updated and set to go, and you're sure you updated all your scanners so they are armed.)

    If you read through my post on another topic, you can see how you can dig a little deeper with MS AntiSpyware so it's at ground level with Windows and has no obstacles allowed or blocked yet.

    http://www.short-media.com/forum/showpost.php?p=260639&postcount=2

    Arm your MS AntiSpyware like I say there! Important.

    Hold ready:

    http://www.snapfiles.com/get/winsockxpfix.html (download it before the msconfig trick).

    Always useful.

    If you're done with downloads and updates, disable all the startup items with msconfig. Follow the prompt, then you start scanning.

    You know what items HijackThis found, but download

    http://www.neuber.com/taskmanager/index.html

    Make sure you target those items only and put them in quarantine with this program. It might give you an error on the big .dll .dll .dll files, but it will continue.

    Make sure that when you start to scan you have everything on your PC ready and updated.

    If you encounter any problems, please post.

    I will help.

    Thank you.
  • DexterDexter Vancouver, BC Canada
    edited April 2005
    A2i,

    first of all, if you read through this entire thread, you will see that Buckeye_Sam already instructed this member to run a Trend Micro Housecall scan. And if you look closely at this member's HJT log, you will see that in the O16 DPF section, the Housecall engine has been downloaded on his computer, so it is likely that it has been run.

    Second, the Winsockxpfix program you linked to is designed to restore connectivity if connectivity has been lost. Clearly, in this case connectivity has not been lost, so that program is not likely to be helpful in this case.

    Third, although the MS Anti-spyware app is useful as part of a "cocktail" approach, it is not going to fix every problem. And, if you again look carefully at the member's log, you will see that MS Anti-Spyware has been installed on this computer, so a better approach is to ask the user if they have run their copy yet, as opposed to instructing them to download a new one. :)

    Dexter...
  • DexterDexter Vancouver, BC Canada
    edited April 2005
    Jason32,

    ok, a bit more research done, and I think your trick here is going to be that you will need to remove the file with the system offline, using the Windows XP install CD and its Recovery Mode option. Here is the method:
    The manual method of removing the About:Blank hijacker is probably the most difficult, since if it is not followed absolutely correctly it can return quickly. There are two programs that are needed to help with this removal. The first is HijackThis and the next is a registry program called Reglite.exe, this particular program for whatever reason seems to be able to find the hidden dll file without the hijacker trying to undo the work and attack the system again.

    Once you've downloaded HijackThis and Reglite, open Registrar Lite and navigate to the following entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    Look for the Key named AppInit_DLLs, the value in this key is the hidden dll file that is causing your problems. Write down the name of this file and think of it as the hidden.dll file.

    Secondly, use the Windows Recovery Console in Windows XP to rename the file.

    * Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option shown below
    * Type cd \windows\system32 and press Enter
    * Type the following line to remove the read-only characteristic, replacing hidden.dll with the name of the dll file found with RegLite

    ATTRIB -R hidden.dll

    * Rename the hidden.dll file by typing the following command (replacing the word hidden.dll with the actual filename)

    RENAME hidden.dll badfile.dll

    * Type Exit and press Enter to Reboot Windows

    Method courtesy of: http://www.pchell.com/support/aboutblank.shtml

    So, give that a shot, find the name of the current bad DLL in AppInit_DLLs, I recommend you actually do that then PULL THE PLUG to prevent a DLL rename, boot up in Recovery mode, change the permissions on the bad DLL, and then rename it to a different file.

    Let me know if that helps.

    Dexter...
  • edited April 2005
    oi... alright, I tried 2 methods of getting to the Recovery Console... first, when I try by booting from the CD I can get up to the point where you press "R" for the Recovery Console option... then it's saying "Setup can not detect any hard disk drives" and says it can't continue... if I try through the "run" command it says that the CD is an older version and can't run setup... I have Service Pack 2 installed but it's still an XP CD... the one I originally used to install Windows on this computer. :mad:

    Any advice? I'm going to keep trying to find out what I can do or what may be wrong.
  • DexterDexter Vancouver, BC Canada
    edited April 2005
    Is your computer using a SATA hard drive for its C drive? If so, when you boot up with the XP CD, one of the first things it says is to Press F6 if you need to install drivers for SCSI or other mass storage device. You will need the drivers for your SATA hard drive, they will be on a floppy drive. Press F6, stick that floppy in, and follow the steps to load the drivers from the floppy. This tells the Setup program how to talk to your particular hard drive. Without that information, it does not know how to see your hard drives, which is what I am guessing is the source of your "Setup can not detect any hard disk drives" message.

    Dexter...
  • edited April 2005
    Alright, sorry to keep throwing out questions Dexter and making things harder for you but got another one... Probably was stupid for doing this but I didn't bother putting in a floppy with this computer... now I have an old one that I could throw in but is it possible for me to download the SATA RAID drivers and burn them onto a CD instead? Or to even some way have them read off the computer directly? I'm rather inexperienced with computer hardware and software so a lot of this is new to me. I noticed you have the drivers on your download page and I'm currently using the Silicon Image SIL 3112 SATARaid Controller drivers v1.0.0.47

    By the way thanks for putting up with all of this! :D
  • DexterDexter Vancouver, BC Canada
    edited April 2005
    I believe you can only use a floppy drive to load the OEM storage drivers during Setup. You will need to have the floppy drive installed, at least temporarily. Kind of a hassle, unfortunately.

    Dexter...
  • edited April 2005
    Alright, finally got around to putting the floppy in and I can see the drive listed but there's no light coming on when I pop a disk in. Like I said... I'm not very good with this stuff... is there anything I might need to do to get the floppy drive working?
  • DexterDexter Vancouver, BC Canada
    edited April 2005
    Check the BIOS to make sure the floppy is enabled.

    Dexter...
  • edited April 2005
    Dexter, while checking on the spyware removers I realized I had Adaware 6 and not SE installed... I installed that and I think it may have actually solved this problem.... thought I'd let you know. My homepage is now fixed but would you mind checking over a HijackThis log just to make sure...

    Logfile of HijackThis v1.99.1
    Scan saved at 6:33:26 PM, on 4/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\NavNT\defwatch.exe
    D:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Rage3DTweak\RegTwk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\wp.exe
    D:\Program Files\AOL Instant Messenger\aim.exe
    D:\Program Files\Ventrilo\Ventrilo.exe
    C:\Security\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refugeegamers.com/
    O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AOL Instant Messenger\aim.exe
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - D:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {2FF508F0-AB33-44AC-95F9-E9D9AA670152} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2FF508F0-AB33-44AC-95F9-E9D9AA670152} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {36F197C8-BCCC-42E7-AE8C-E2F2B50FCF03} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {36F197C8-BCCC-42E7-AE8C-E2F2B50FCF03} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {8E02A368-4C65-4B5D-AC6E-D21A6E1B05F6} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E02A368-4C65-4B5D-AC6E-D21A6E1B05F6} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {8E06B34C-3F1D-4FBF-B20A-EAFE2E20C6F5} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8E06B34C-3F1D-4FBF-B20A-EAFE2E20C6F5} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {A9ECFD1F-38A8-4E79-8203-CFF595847578} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A9ECFD1F-38A8-4E79-8203-CFF595847578} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {BF1D6075-68B7-4925-97F8-513ECDD4F694} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BF1D6075-68B7-4925-97F8-513ECDD4F694} - (no file) (HKCU)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093789607140
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
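As an added example (not code from this thread, from HijackThis, or from any of the tools named in it), here is a Python script that applies a few of the checks a reviewer makes by eye when reading a log like the ones posted above, including the AppInit_DLLs value discussed earlier in the thread. The sample lines are constructed from the two logs in this thread, plus one O20 AppInit_DLLs line in the format HijackThis is assumed to use for that value, using the thread's own "hidden.dll" placeholder. The heuristics (a file sitting in the drive root, an 8.3 short name, a random-looking filename, a DLL directly in C:\WINDOWS, a MIME filter hijack, an AppInit_DLLs entry, a "(no file)" leftover, a start page with an id= parameter) are my assumptions about what merits a second look; a hit is a prompt to investigate, not a verdict that the entry is malicious.

```python
"""Heuristic triage of a HijackThis v1.99.1 log.

Added example for this thread; not code from HijackThis or from any poster.
The line formats follow the logs posted above; the heuristics are assumptions
about what deserves a second look, not a malware verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the two logs in this thread, plus one
# O20 AppInit_DLLs line (assumed HJT format) using the thread's own
# "hidden.dll" placeholder for the DLL named in the AppInit_DLLs value.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\vbubko9ky51xsithd.exe
C:\wp.exe
D:\Program Files\NavNT\rtvscan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\CNUZWK~1.DLL
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2FF508F0-AB33-44AC-95F9-E9D9AA670152} - (no file) (HKCU)
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINDOWS\chp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\hidden.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
"""


@dataclass
class Finding:
    line: str
    reasons: list


# "O4 - ..." / "R0 - ..." item lines; anything else is a header or a process path.
ITEM_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# A Windows path ending in .exe/.dll; stops at whitespace, a quote or a "/"
# so that res://D:\...\EXCEL.EXE/3000 and "quoted" paths still parse.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll)(?=[\s"/]|$)', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Long stem mixing letters and digits with no separators, e.g. vbubko9ky51xsithd."""
    return (len(stem) >= 10
            and re.search(r"\d", stem) is not None
            and re.search(r"[A-Za-z]", stem) is not None
            and re.search(r"[-_ .]", stem) is None)


def path_reasons(path: str) -> list:
    """Heuristics on the file path alone (assumptions, see the docstring)."""
    parts = path.split("\\")
    name = parts[-1]
    stem, _, ext = name.rpartition(".")
    reasons = []
    if len(parts) == 2:                       # c:\wp.exe
        reasons.append("file directly in drive root")
    if "~" in name:                           # CNUZWK~1.DLL
        reasons.append("8.3 short name hides the real filename")
    if looks_random(stem):
        reasons.append("random-looking filename")
    if ext.lower() == "dll" and len(parts) == 3 and parts[1].upper() == "WINDOWS":
        reasons.append("DLL directly in the Windows directory rather than system32")
    return reasons


def section_reasons(sec: str, body: str) -> list:
    """Heuristics keyed on the HJT section letter/number."""
    reasons = []
    if sec in ("R0", "R1") and re.search(r"[?&]id=", body):
        reasons.append("start/search page URL carries an affiliate id parameter")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO with no name")
    if sec == "O9" and "(no file)" in body:
        reasons.append("leftover entry, target file missing")
    if sec == "O18" and body.startswith("Filter hijack"):
        reasons.append("MIME filter intercepts downloads of that content type")
    if sec == "O20" and body.startswith("AppInit_DLLs"):
        reasons.append("AppInit_DLLs DLL is loaded into every process that uses user32.dll")
    return reasons


def triage(log: str) -> list:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):     # blank line, "Running processes:" etc.
            continue
        m = ITEM_RE.match(line)
        if m:
            reasons = section_reasons(m.group("sec"), m.group("body"))
            for path in PATH_RE.findall(m.group("body")):
                reasons += path_reasons(path)
        else:                                  # running-process line: just a path
            paths = PATH_RE.findall(line)
            reasons = path_reasons(paths[0]) if paths else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, the script flags the random-named system32 process, c:\wp.exe in both the process list and its Run key, the nameless BHO with the 8.3 path, the affiliate-style start page, the octet-stream filter DLL in C:\WINDOWS, the AppInit_DLLs entry and the "(no file)" leftover, and stays quiet on the Symantec, ATI and smss.exe entries. The negative cases matter as much as the hits: a heuristic that also fires on vptray.exe or NavLogon.dll is noise, not detection.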