Dan Posted November 25, 2004

This is a log from the lappy. It's been slowing down, and it is about 2 years old.

Log:

Logfile of HijackThis v1.98.2
Scan saved at 11:34:12 PM, on 11/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dimension\D4.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\addins\dosav.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.naupoint.com/toolbar/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: 1096922178 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file)
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: No description - {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} - C:\WINNT\DOWNLO~1\iEBINST2.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - c:\temp\picbdo.dat
O2 - BHO: No description - {60261C06-81B0-4DE0-9313-E5BA203A64E9} - C:\WINNT\DOWNLO~1\pdfmgr.dll
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - c:\temp\avajw.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - c:\temp\picbdo.dat
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - c:\temp\vasod.dat
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - c:\temp\picbdo.dat
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: NAUPOINTBAR - {4E7BD74F-2B8D-469E-95BE-B378BA9CB52D} - C:\WINNT\DOWNLO~1\NAUPOI~1.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\Dimension\D4.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [sysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [odbcip] C:\WINNT\Config\odbcip.exe
O4 - HKLM\..\Run: [*odbcip] C:\WINNT\Config\odbcip.exe
O4 - HKLM\..\Run: [*fontcat] C:\WINNT\Tasks\fontcat.exe
O4 - HKLM\..\Run: [*tapiinet] C:\WINNT\Windows Update Setup Files\tapiinet.exe
O4 - HKLM\..\Run: [*cmdc] C:\WINNT\Fonts\cmdc.exe
O4 - HKLM\..\Run: [*adps] C:\WINNT\msagent\adps.exe
O4 - HKLM\..\Run: [*runvss] C:\WINNT\Driver Cache\runvss.exe
O4 - HKLM\..\Run: [*wjava] C:\WINNT\Web\PRINTERS\wjava.exe
O4 - HKLM\..\Run: [*dosav] C:\WINNT\addins\dosav.exe
O4 - HKLM\..\RunOnce: [*dosav] C:\WINNT\addins\dosav.exe rerun
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINNT\Registration\runole.exe ren time:1101183691
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} (No description) - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20b4f5475f8849...ip/RdxIE601.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://titan.isc-seo.upenn.edu:8000/jinitiator/oajinit.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262} (ZABOClientControl Class) - https://zinc.isc-seo.upenn.edu/wi/ActiveX/ZABOIEEN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62DE7D74-EA28-4954-AE70-58DEBAAA8A1C}: NameServer = 66.187.144.3 66.187.130.31
Metallica Posted November 28, 2004

I would like to help this person.
At least try to. Can I?

Regards,
Pieter
Besttechie Posted November 29, 2004

Hi Metallica,
Check your PM's please.

B
Metallica Posted November 29, 2004

OK Thanks.

dknoppix,
There is a tool I'd like you to try.

1. Download the FixVundo.exe file from: http://securityresponse.symantec.com/avcenter/FixVundo.exe
2. Save the file to a convenient location, such as your Windows desktop.
3. Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup. (No need for this step, I've authenticated it already)
4. Close all the running programs.
5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, turn off System Restore. Do Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot.
7. Locate the file that you just downloaded.
8. Double-click the FixVundo.exe file to start the removal tool.
9. Click Start to begin the process, and then allow the tool to run. Important: Do not launch any new applications while the tool is running.
10. Restart the computer.
11. Run the removal tool again to ensure that the system is clean.
12. If you are running Windows Me/XP, then re-enable System Restore. (Check the box)
13. If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
14. Run HijackThis again and post the new log.

Note. This will at most take care of one of your infections, so there will be lots left to do.

Regards,
Pieter
Dan Posted December 2, 2004

Here you go!

Logfile of HijackThis v1.98.2
Scan saved at 09:42:36 PM, on 12/01/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dimension\D4.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\Fonts\keyinfo.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.naupoint.com/toolbar/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: 1096922178 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file)
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - c:\temp\systun.dat
O2 - BHO: No description - {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} - C:\WINNT\DOWNLO~1\iEBINST2.dll
O2 - BHO: No description - {60261C06-81B0-4DE0-9313-E5BA203A64E9} - C:\WINNT\DOWNLO~1\pdfmgr.dll
O2 - BHO: No description - {6375B3AD-4440-4C1F-95E5-A24198ED671C} - C:\WINNT\DOWNLO~1\sp1.dll
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - c:\temp\ofniyek.dat
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O2 - BHO: No description - {D97EF13D-5746-4EA8-AD5C-9EE95E60016F} - C:\WINNT\DOWNLO~1\rvba.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: NAUPOINTBAR - {4E7BD74F-2B8D-469E-95BE-B378BA9CB52D} - C:\WINNT\DOWNLO~1\NAUPOI~1.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\Dimension\D4.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [odbcip] C:\WINNT\Config\odbcip.exe
O4 - HKLM\..\Run: [*odbcip] C:\WINNT\Config\odbcip.exe
O4 - HKLM\..\Run: [*fontcat] C:\WINNT\Tasks\fontcat.exe
O4 - HKLM\..\Run: [*tapiinet] C:\WINNT\Windows Update Setup Files\tapiinet.exe
O4 - HKLM\..\Run: [*cmdc] C:\WINNT\Fonts\cmdc.exe
O4 - HKLM\..\Run: [*adps] C:\WINNT\msagent\adps.exe
O4 - HKLM\..\Run: [*runvss] C:\WINNT\Driver Cache\runvss.exe
O4 - HKLM\..\Run: [*dosav] C:\WINNT\addins\dosav.exe
O4 - HKLM\..\Run: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe
O4 - HKLM\..\RunOnce: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe rerun
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} (No description) - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20b4f5475f8849...ip/RdxIE601.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://titan.isc-seo.upenn.edu:8000/jinitiator/oajinit.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262} (ZABOClientControl Class) - https://zinc.isc-seo.upenn.edu/wi/ActiveX/ZABOIEEN.cab
Metallica Posted December 2, 2004

Hi dknoppix,

Thanks for trying that. Looks like it only got part of it. (But the worst part, so that's got to be worth something)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.naupoint.com/toolbar/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
O2 - BHO: 1096922178 - {262277EC-5BB5-4849-8BF2-1824330C9CAC} - (no file)
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - c:\temp\systun.dat
O2 - BHO: No description - {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} - C:\WINNT\DOWNLO~1\iEBINST2.dll
O2 - BHO: No description - {60261C06-81B0-4DE0-9313-E5BA203A64E9} - C:\WINNT\DOWNLO~1\pdfmgr.dll
O2 - BHO: No description - {6375B3AD-4440-4C1F-95E5-A24198ED671C} - C:\WINNT\DOWNLO~1\sp1.dll
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - c:\temp\ofniyek.dat
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O2 - BHO: No description - {D97EF13D-5746-4EA8-AD5C-9EE95E60016F} - C:\WINNT\DOWNLO~1\rvba.dll
O3 - Toolbar: NAUPOINTBAR - {4E7BD74F-2B8D-469E-95BE-B378BA9CB52D} - C:\WINNT\DOWNLO~1\NAUPOI~1.DLL (file missing)
O4 - HKLM\..\Run: [odbcip] C:\WINNT\Config\odbcip.exe
O4 - HKLM\..\Run: [*odbcip] C:\WINNT\Config\odbcip.exe
O4 - HKLM\..\Run: [*fontcat] C:\WINNT\Tasks\fontcat.exe
O4 - HKLM\..\Run: [*tapiinet] C:\WINNT\Windows Update Setup Files\tapiinet.exe
O4 - HKLM\..\Run: [*cmdc] C:\WINNT\Fonts\cmdc.exe
O4 - HKLM\..\Run: [*adps] C:\WINNT\msagent\adps.exe
O4 - HKLM\..\Run: [*runvss] C:\WINNT\Driver Cache\runvss.exe
O4 - HKLM\..\Run: [*dosav] C:\WINNT\addins\dosav.exe
O4 - HKLM\..\Run: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe
O4 - HKLM\..\RunOnce: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe rerun
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} (No description) - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20b4f5475f8849...ip/RdxIE601.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -

Reboot after doing so, preferably reboot into safe mode, and delete:

C:\WINNT\Config\odbcip.exe
C:\WINNT\Tasks\fontcat.exe
C:\WINNT\Windows Update Setup Files\tapiinet.exe
C:\WINNT\Fonts\cmdc.exe
C:\WINNT\msagent\adps.exe
C:\WINNT\Driver Cache\runvss.exe
C:\WINNT\addins\dosav.exe
C:\WINNT\Fonts\keyinfo.exe

Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

Keep us posted,
Pieter
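As an added triage example (not code from this thread or from HijackThis itself), here is a Python parser that reads HijackThis log entries and flags the patterns the helper singled out above: BHOs loaded from .dat files in c:\temp, '*'-prefixed Run entries whose binary sits in a WINNT subfolder such as Fonts or Tasks, a RunOnce entry that re-arms itself, components whose file is missing, search-page hijacks and DPF entries with no source URL. The heuristics, the folder list and the trusted-host list are my own assumptions; the sample log is constructed from lines quoted in this thread.

```python
"""HijackThis log triage: parse R0/R1, O2, O3, O4 and O16 entries and flag the
patterns a helper looks for (added example, not code from this thread or from
HijackThis itself).  Heuristics, folder list and trusted-host list are assumed;
the sample log is constructed from lines quoted in the thread."""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] target"  ->  entry type and the rest of the line
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Splits an O4 body into hive, Run/RunOnce, the bracketed name and the target
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

# %SystemRoot% subfolders that never host a legitimate Run-key program
# (assumed list, built from the folders seen in this thread's logs).
ODD_WINNT_DIRS = ("\\fonts\\", "\\tasks\\", "\\config\\", "\\msagent\\",
                  "\\driver cache\\", "\\addins\\", "\\registration\\",
                  "\\windows update setup files\\", "\\web\\printers\\")
# Hosts a search/start page may legitimately point at (assumed allow-list).
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "yahoo.com", "google.com")


@dataclass
class Entry:
    kind: str                  # R0, R1, O2, O3, O4, O16, ...
    body: str                  # text after "Ox - "
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def parse_log(text):
    """Return one Entry per HijackThis item; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def host_of(url):
    m = re.match(r"https?://([^/:?]+)", url)
    return m.group(1).lower() if m else ""


def assess(e):
    """Append a reason for every heuristic the entry trips; returns the entry."""
    low = e.body.lower()
    if e.kind in ("R0", "R1") and " = " in e.body:
        host = host_of(e.body.split(" = ", 1)[1])
        if host and not host.endswith(TRUSTED_HOSTS):
            e.reasons.append("IE search/start page points at " + host)
    elif e.kind in ("O2", "O3"):
        path = low.rsplit(" - ", 1)[-1]           # file the component loads from
        if path.endswith(".dat"):
            e.reasons.append("browser component loaded from a .dat file")
        if path.startswith("c:\\temp\\"):
            e.reasons.append("browser component lives in c:\\temp")
        if "(no file)" in path or "(file missing)" in path:
            e.reasons.append("registered component whose file is gone")
        if low.startswith(("bho: no description", "bho: (no name)")):
            e.reasons.append("BHO with no name or description")
    elif e.kind == "O4":
        m = O4_RE.match(e.body)
        if m:
            name, target = m.group(3), m.group(4).lower()
            if name.startswith("*"):
                e.reasons.append("autostart name begins with '*'")
            if "\\winnt\\" in target and any(d in target for d in ODD_WINNT_DIRS):
                e.reasons.append("autostart binary in an unusual WINNT subfolder")
            if m.group(2) == "RunOnce" and target.endswith(" rerun"):
                e.reasons.append("RunOnce entry that re-arms itself")
    elif e.kind == "O16":
        if e.body.rstrip().endswith("-"):
            e.reasons.append("Downloaded Program File with no source URL")
        elif "(no description)" in low:
            e.reasons.append("unnamed ActiveX download")
    return e


def triage(text):
    """Entries from the log that tripped at least one heuristic."""
    return [e for e in (assess(x) for x in parse_log(text)) if e.suspicious]


# Constructed sample: a handful of lines quoted from the logs in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Fonts\keyinfo.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.naupoint.com/toolbar/ie.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - c:\temp\ofniyek.dat
O2 - BHO: No description - {D97EF13D-5746-4EA8-AD5C-9EE95E60016F} - C:\WINNT\DOWNLO~1\rvba.dll
O3 - Toolbar: NAUPOINTBAR - {4E7BD74F-2B8D-469E-95BE-B378BA9CB52D} - C:\WINNT\DOWNLO~1\NAUPOI~1.DLL (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe
O4 - HKLM\..\RunOnce: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe rerun
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind} - {e.body}\n    -> {'; '.join(e.reasons)}")
```

Running it prints the seven flagged entries with their reasons and leaves the Acrobat BHO and the Norton tray entry alone; the output is a starting point for the manual review the helper does, not a verdict.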
Dan Posted December 3, 2004

Here ya go.... We were deleting the Temp files during safe mode, and it said that otniyek.exe couldn't be deleted because it is being used by the system. That confuzzles me..

Logfile of HijackThis v1.98.2
Scan saved at 07:33:15 PM, on 12/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dimension\D4.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\Fonts\keyinfo.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - c:\temp\ofniyek.dat
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\Dimension\D4.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe
O4 - HKLM\..\RunOnce: [*keyinfo] C:\WINNT\Fonts\keyinfo.exe rerun
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://titan.isc-seo.upenn.edu:8000/jinitiator/oajinit.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262} (ZABOClientControl Class) - https://zinc.isc-seo.upenn.edu/wi/ActiveX/ZABOIEEN.cab

Thanks,
dk
Metallica Posted December 3, 2004

Not as good as I thought, that tool.

Please go to http://www.bleepingcomputer.com/files/killbox.php and download Killbox from there.
Unzip the folder to your desktop.
Double-click on the Killbox.exe icon.
Select the Delete on reboot option.
In the field labeled "Full path of file to delete" enter:

C:\WINNT\Fonts\keyinfo.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.
Make sure it reboots into safe mode and try emptying the Temp folders again.

Regards,
Pieter
Dan Posted December 4, 2004

Well yesterday, I was looking for the file, and it wasn't there...
Metallica Posted December 4, 2004

You not being able to find it does not necessarily mean it is not there.
Check your running processes.

Regards,
Pieter
Dan Posted December 9, 2004

I killbox'ed the file, and emptied the temp folders...:

Logfile of HijackThis v1.98.2
Scan saved at 09:42:38 PM, on 12/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dimension\D4.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\Dimension\D4.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://titan.isc-seo.upenn.edu:8000/jinitiator/oajinit.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262} (ZABOClientControl Class) - https://zinc.isc-seo.upenn.edu/wi/ActiveX/ZABOIEEN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62DE7D74-EA28-4954-AE70-58DEBAAA8A1C}: NameServer = 66.187.144.3 66.187.130.31
Metallica Posted December 9, 2004

Good job. That is a clean log. How is the computer behaving?

Regards,
Pieter
Dan (Author) Posted December 9, 2004
It's behaving fine... no more of Norton and AVG popping up... I told my mom to scan with CWShredder, and it deleted 1 thing... also got her Spybot S&D... should have done that a LONG time ago...
Dan (Author) Posted December 10, 2004
Well, apparently, Vundo isn't gone. Norton keeps on finding it in different files. Then when we go to look for it, it switches which file it infects.
Ex: Vundo found in xmlfax.exe.
Ex2: Vundo found in ******.exe (* = random)
This worries me... :xdk
Metallica Posted December 10, 2004
Can you post a new HijackThis log?
I have never seen it without Startup entries, so it should show up in the log.
Regards,
Pieter
Dan (Author) Posted December 17, 2004
Here is the HJT log from version 1.99.0..... There are O23's; they are all good... and right after I wrote the other post, it stopped finding viruses....

Logfile of HijackThis v1.99.0
Scan saved at 09:23:21 PM, on 12/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Dimension\D4.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\natalia\Desktop\hijackthis_sfx.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\Dimension\D4.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://titan.isc-seo.upenn.edu:8000/jinitiator/oajinit.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {F9B3E1F4-3F66-11D3-AD61-0090275A7262} (ZABOClientControl Class) - https://zinc.isc-seo.upenn.edu/wi/ActiveX/ZABOIEEN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62DE7D74-EA28-4954-AE70-58DEBAAA8A1C}: NameServer = 66.187.144.3 66.187.130.31
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
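As an added example (not code from this thread or from HijackThis), a small Python parser for the "Onn - ..." lines of a HijackThis log that flags what a helper looks for when reading one (browser components loaded from c:\temp or Downloaded Program Files, .dat files registered as BHOs, entries whose file is missing) and diffs an earlier log against a later one. The sample logs, CLSIDs and c:\temp / DOWNLO~1 file names in it are constructed placeholders, not indicators from this thread.

```python
import re
from typing import List, Set, Tuple
Entry = Tuple[str, str, str]  # (section, description, target)
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Locations a log reader questions for a browser helper object, toolbar or Run entry.
TEMP_DIR_RE = re.compile(r"(?i)^c:\\temp\\|\\downlo~1\\|\\downloaded program files\\")

def parse_log(text: str) -> List[Entry]:
    """Split a HijackThis log into its 'Onn - ...' entries; other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        # Target (path, URL or '(no file)') is the last ' - ' field; O4 Run lines have none.
        desc, sep, target = rest.rpartition(" - ")
        entries.append((section, desc if sep else rest, target.strip()))
    return entries

def flag_entry(entry: Entry) -> List[str]:
    """Reasons a helper would question this entry; empty means nothing stands out."""
    section, _desc, target = entry
    reasons = []
    if section in ("O2", "O3") and target.lower().endswith(".dat"):
        reasons.append("browser component loaded from a .dat file")
    if section in ("O2", "O3", "O4") and TEMP_DIR_RE.search(target):
        reasons.append("component lives in a temp or download folder")
    if "(no file)" in target or "(file missing)" in target:
        reasons.append("registered but file missing (orphan)")
    return reasons

def removed_entries(before: str, after: str) -> Set[Entry]:
    # Entries present in the earlier log but gone from the later one.
    return set(parse_log(before)) - set(parse_log(after))

# Constructed sample logs: the CLSIDs and the c:\temp / DOWNLO~1 names are placeholders.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CATLEvents Object - {00000000-0000-0000-0000-000000000001} - c:\temp\example.dat
O3 - Toolbar: EXAMPLEBAR - {00000000-0000-0000-0000-000000000002} - C:\WINNT\DOWNLO~1\EXAMPL~1.DLL (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

if __name__ == "__main__":  # quick run over the constructed logs
    print([(e[2], flag_entry(e)) for e in parse_log(BEFORE_LOG) if flag_entry(e)])
    print(len(removed_entries(BEFORE_LOG, AFTER_LOG)), "entries gone since the earlier log")
```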