
AH! WindowURL and WindowSeek!

Discussion in 'Windows - Virus and spyware problems' started by kasmsod, Jun 11, 2006.

  1. kasmsod

    kasmsod Member

    OK... so I submitted the log file for analysis, and I STILL have those annoying popups...

    Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:28:07 PM, on 6/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\sdpasvc.exe
    c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\TEMP\h91746.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJackThis\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
    O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
    O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
    O4 - HKCU\..\Run: [Usswb] C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winggc32 - C:\WINDOWS\SYSTEM32\winggc32.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

    PLEASE HELP
     
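    As an added example, not part of this thread and not code from HijackThis: a small Python triage script that parses O4 Run entries like the ones in the log above and flags the entries a helper would look at first (HTML fragments written into the Run key, executables started from the browser cache or a temp folder, hex-named files, a Windows binary name running from outside the Windows directory, paths the log could not print). The sample lines are copied from the log; the heuristics are assumptions of this example and are hints for a reviewer, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample: a few O4 lines taken from the HijackThis log posted above,
# plus one ordinary vendor entry (SynTPEnh) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
O4 - HKCU\..\Run: [Usswb] C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
# First executable-looking token of the command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|ocm|scr|com|bat|cmd|pif))\b', re.IGNORECASE)
HEX_STEM = re.compile(r"^[0-9a-f]{8}$")
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
# Names of Windows binaries that legitimately live under the Windows directory.
SYSTEM_NAMES = {"wuauclt.exe", "lsass.exe", "svchost.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "explorer.exe"}
SUSPECT_FOLDERS = ("\\temp\\", "temporary internet files",
                   "\\local settings\\application data\\")


def executable_path(cmd: str) -> str:
    """Return the program path from a Run command line (or the whole line if none)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage_entry(name: str, cmd: str) -> List[str]:
    """Heuristic reasons why one Run entry deserves a closer look (empty = nothing seen)."""
    reasons: List[str] = []
    if "<" in name or ">" in name:
        reasons.append("value name is an HTML fragment: a web page, not a program, "
                       "was written into the Run key")
    path = executable_path(cmd)
    raw_base = path.rsplit("\\", 1)[-1]
    raw_stem = raw_base.rsplit(".", 1)[0]
    low = path.lower()
    base = raw_base.lower()
    stem = raw_stem.lower()
    if "?" in low:
        reasons.append("path contains characters the log could not print (?), "
                       "often a look-alike of a system file name")
    if any(folder in low for folder in SUSPECT_FOLDERS):
        reasons.append("starts from a temp, browser-cache or per-user data folder")
    if HEX_STEM.match(stem):
        reasons.append("8-hex-digit executable name")
    if RANDOM_STEM.match(raw_stem) and RANDOM_STEM.match(name):
        reasons.append("8 random lowercase letters as both value name and file name")
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append(f"Windows system binary name {base} outside the Windows directory")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map 'HIVE:value name' to its reasons for every flagged O4 Run entry in a log."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = triage_entry(m["name"], m["cmd"])
        if reasons:
            findings[f'{m["hive"]}:{m["name"]}'] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage_log(SAMPLE_LOG).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Run it over a whole saved log file instead of SAMPLE_LOG to get the same short list for a real thread; entries it does not flag still need the usual manual check against known vendor paths.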
  2. JaPK

    JaPK Regular member

    Hi kasmsod, please post a fresh HijackThis log here, since your log seems to be messed up. It is unreadable.

    We'll help you when you post a fresh log ;)
     
  3. kasmsod

    kasmsod Member

    Logfile of HijackThis v1.99.1
    Scan saved at 11:48:00 PM, on 6/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\sdpasvc.exe
    c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\TEMP\h91746.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJackThis\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
    O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
    O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
    O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
    O4 - HKCU\..\Run: [Usswb] C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
    O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winggc32 - C:\WINDOWS\SYSTEM32\winggc32.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

     
  4. JaPK

    JaPK Regular member

    Hi again kasmsod.

    Your log is still one big mess :(

    Let's try this:

    Upload your HijackThis log here -> http://pastebin.com

    Then post the link to your log here.

     
  5. kasmsod

    kasmsod Member

  6. JaPK

    JaPK Regular member

    Ok, looks like your log really is strange...

    Before we start the cleaning, I have to ask: do you know anything about these strange O4 (startup) entries?

    e.g.:

    O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
     
    Last edited: Jun 17, 2006
  7. kasmsod

    kasmsod Member

    I have no idea what that means or what most of that stuff is. I can usually recognize most of the processes running on the computer, but not those. When I submitted my logfile to the site analysis, half of the items came up as unknown processes. So, I really have no idea what's going on. If you could still help, that would be great. Since my first post, not only do I have the WindowURL and WindowSeek pop-ups, but I now have random pop-ups on my computer without being connected to the internet. My firewall is on, and says it's working properly.

    :-/
     
  8. JaPK

    JaPK Regular member

  9. kasmsod

    kasmsod Member

    Ok, I didn't know where the file was, so I copied everything...
     
    Last edited: Jun 20, 2006
  10. kasmsod

    kasmsod Member

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...
    UPX! 12/14/2005 4:40:30 PM 18432 C:\WINDOWS\ss3unstl.exe

    Checking %System% folder...
    aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
    aspack 5/26/2005 3:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
    aspack 7/22/2005 7:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
    aspack 12/5/2005 6:09:18 PM 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll
    aspack 2/3/2006 8:43:16 AM 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll
    aspack 3/31/2006 12:40:58 PM 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll
    PEC2 8/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
    PEC2 12/7/2005 12:05:52 PM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
    PECompact2 12/7/2005 12:05:52 PM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
    UPX! 8/16/2002 7:33:40 PM 127488 C:\WINDOWS\SYSTEM32\fmod.dll
    UPX! 3/4/2004 2:42:38 PM 9174 C:\WINDOWS\SYSTEM32\iagold.exe
    PTech 6/2/2006 1:39:54 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    PECompact2 6/8/2006 8:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 6/8/2006 8:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    UPX! 5/18/2006 10:19:30 PM 156672 C:\WINDOWS\SYSTEM32\oins.exe
    UPX! 12/5/2003 11:07:44 PM 5527 C:\WINDOWS\SYSTEM32\pstvdt.exe
    UPX! 8/29/2002 5:00:00 AM 7719 C:\WINDOWS\SYSTEM32\py.exe
    Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
    PTech 6/2/2006 1:39:46 PM 286000 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...
    PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    6/17/2006 5:23:58 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
    6/17/2006 11:13:56 PM H 54156 C:\WINDOWS\QTFont.qfn
    6/17/2006 5:24:04 PM HS 1169 C:\WINDOWS\SYSTEM32\mmf.sys
    5/14/2006 5:21:52 AM S 13309 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
    5/5/2006 9:22:46 AM S 12227 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
    5/29/2006 11:16:00 AM S 23751 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
    5/18/2006 2:15:12 AM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
    5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
    6/1/2006 3:28:56 PM S 11043 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
    6/2/2006 1:40:32 PM S 7160 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
    6/20/2006 6:59:58 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
    6/20/2006 1:08:38 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
    6/20/2006 5:07:40 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
    6/20/2006 6:35:42 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
    6/20/2006 6:30:16 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
    6/17/2006 12:21:02 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
    5/19/2006 10:28:38 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\ac868dcf-024b-4d5e-9e12-26a67066c124
    5/19/2006 10:28:38 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
    6/17/2006 5:24:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT
    6/20/2006 6:20:02 PM H 394 C:\WINDOWS\Tasks\{F445B4D2-170F-41BA-858F-20D838AB56DB}_KRISTIN_G-Wood.job

    Checking for CPL files...
    7/9/2003 1:13:16 AM 176128 C:\WINDOWS\SYSTEM32\ac3filter.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    11/12/1999 12:11:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    5/24/2002 11:45:48 AM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems 6/30/2003 5:12:56 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
    Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
    Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    SigmaTel Inc. 11/11/2002 5:57:32 PM 77824 C:\WINDOWS\SYSTEM32\STAC97.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
    Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\DLLCACHE\appwiz.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\DLLCACHE\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\DLLCACHE\inetcpl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\DLLCACHE\intl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\DLLCACHE\mmsys.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\DLLCACHE\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\DLLCACHE\odbccp32.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\DLLCACHE\powercfg.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 155648 C:\WINDOWS\SYSTEM32\DLLCACHE\sapi.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\DLLCACHE\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
    5/27/2003 2:38:16 PM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    9/28/2004 4:14:16 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus G Wireless Utility.lnk
    11/27/2005 6:55:02 PM 1833 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    11/27/2005 7:14:32 PM 1996 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    8/21/2003 5:52:28 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    12/29/2005 7:41:30 PM 799 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
    4/29/2004 11:22:34 AM 6 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt
    3/1/2006 6:06:24 PM 2161 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

    Checking files in %USERPROFILE%\Startup folder...
    9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\G-Wood\Start Menu\Programs\Startup\DESKTOP.INI
    8/24/2003 4:12:42 PM 1534 C:\Documents and Settings\G-Wood\Start Menu\Programs\Startup\HotSync Manager.lnk

    Checking files in %USERPROFILE%\Application Data folder...
    6/15/2006 10:19:38 AM 320 C:\Documents and Settings\G-Wood\Application Data\bbbconfig.dat
    9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\G-Wood\Application Data\DESKTOP.INI
    4/24/2006 12:39:00 PM 54360 C:\Documents and Settings\G-Wood\Application Data\GDIPFONTCACHEV1.DAT
    6/7/2003 8:51:40 PM 12358 C:\Documents and Settings\G-Wood\Application Data\PFP100JCM.{PB
    6/7/2003 8:51:40 PM 61678 C:\Documents and Settings\G-Wood\Application Data\PFP100JPR.{PB

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TextPad
    {2F25CF20-C569-11D1-B94C-00608CB45480} = C:\Program Files\TextPad 4\System\shellext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
    {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
    {73B24247-042E-4EF5-ADC2-42F62E6FD654} =
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
    Real.com = C:\WINDOWS\System32\Shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
    ButtonText = AIM : C:\Program Files\AIM\aim.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    ButtonText = Real.com :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
    {014DA6C9-189F-421A-88CD-07CFE51CFF10} = :
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ATIModeChange Ati2mdxx.exe
    CARPService carpserv.exe
    SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    DadApp C:\Program Files\Dell\AccessDirect\dadapp.exe
    DVDSentry C:\WINDOWS\System32\DSentry.exe
    AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
    HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    WinampAgent "C:\Program Files\Winamp3\winampa.exe"
    hnuvwczi C:\WINDOWS\dfuxyxpg.exe
    XFLOGT C:\WINDOWS\System32\XFLOGT.exe
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional// c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <h c:\WINDOWS\System32\<head>
    <title>the domain beneditutti.com is under construction</ti c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    <meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    <meta name="keywords" content="beneditutti.c c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    <meta http-equiv="imagetoolbar" CONTENT=" c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    <meta name="resource-type" content="docume c:\WINDOWS\System32\<meta name="resource-type" content="document">
    <meta name="revisit-after" content=" c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    <meta name="classification" content="Intern c:\WINDOWS\System32\<meta name="classification" content="Internet">
    <meta name="robots" content="A c:\WINDOWS\System32\<meta name="robots" content="ALL">
    <meta name="distribution" content="Glob c:\WINDOWS\System32\<meta name="distribution" content="Global">
    <meta name="rating" content="A c:\WINDOWS\System32\<meta name="rating" content="All">
    <meta name="doc-class" content="Complet c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859 c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    </h c:\WINDOWS\System32\</head>
    <BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000 c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    <table width="100%" border="0" cellspacing="0" cellpadding= c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    c:\WINDOWS\System32\ <tr>
    <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a>< c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.< c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    < c:\WINDOWS\System32\ </tr>
    <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle">< c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> < c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25">< c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    </ta c:\WINDOWS\System32\</table>
    <table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    <form method=get action="http://parked.directnic.com/result.p c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
    DeadAIM rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    SunJavaUpdateSched c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
    NI.UWA6P_0001_N822M1605 "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
    3134b70f.exe C:\WINDOWS\system32\3134b70f.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    AAW "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    SpyKiller C:\Program Files\SpyKiller\spykiller.exe /startup
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional// c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <h c:\WINDOWS\System32\<head>
    <title>the domain beneditutti.com is under construction</ti c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    <meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    <meta name="keywords" content="beneditutti.c c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    <meta http-equiv="imagetoolbar" CONTENT=" c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    <meta name="resource-type" content="docume c:\WINDOWS\System32\<meta name="resource-type" content="document">
    <meta name="revisit-after" content=" c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    <meta name="classification" content="Intern c:\WINDOWS\System32\<meta name="classification" content="Internet">
    <meta name="robots" content="A c:\WINDOWS\System32\<meta name="robots" content="ALL">
    <meta name="distribution" content="Glob c:\WINDOWS\System32\<meta name="distribution" content="Global">
    <meta name="rating" content="A c:\WINDOWS\System32\<meta name="rating" content="All">
    <meta name="doc-class" content="Complet c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859 c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    </h c:\WINDOWS\System32\</head>
    <BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000 c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    <table width="100%" border="0" cellspacing="0" cellpadding= c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    c:\WINDOWS\System32\ <tr>
    <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a>< c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.< c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41">< c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
    < c:\WINDOWS\System32\ </tr>
    <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle">< c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> < c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25">< c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    </ta c:\WINDOWS\System32\</table>
    <table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    <form method=get action="http://parked.directnic.com/result.p c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    ares "C:\Program Files\Ares\Ares.exe" -h
    AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
    RealPlayer "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    Aida "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
    Usswb C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
    3134b70f.exe C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item
    hkey HKLM
    command c:\WINDOWS\System32\
    inimapping 0


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
    NoActiveDesktopChanges 0


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1
    DisableTaskMgr 0


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun ‘

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
    = C:\WINDOWS\System32\NavLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs C:\WINDOWS\system32\ati2evxx.dll


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 6/20/2006 6:42:39 PM
     
  11. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    You don't have a firewall on your computer. Download and install a firewall.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio --> http://www.sunbelt-software.com/Kerio.cfm
    Outpost --> http://www.agnitum.com

    Ok, you've got some infections on your computer...

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
    Do NOT run yet.

    Go to Control Panel -> Add/Remove Programs -> Remove SpyKiller, PuritySCAN By OIN, OuterInfo, OIN if found

    If PuritySCAN By OIN, OuterInfo, OIN were not listed, download and run this uninstaller -> http://www.outerinfo.com/OiUninstaller.exe
    Tutorial for the uninstaller if needed -> http://www.outerinfo.com/howto.html

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked:
    O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
    O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
    O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
    O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O20 - Winlogon Notify: winggc32 - C:\WINDOWS\SYSTEM32\winggc32.dll

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    Delete these folders (if found):
    C:\Program Files\SpyKiller
    C:\Program Files\PurityScan

    Delete these files (if found):
    C:\WINDOWS\dfuxyxpg.exe
    C:\WINDOWS\System32\XFLOGT.exe
    C:\WINDOWS\system32\3134b70f.exe
    C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
    C:\WINDOWS\SYSTEM32\winggc32.dll

    Run ATF Cleaner -> Check select all -> Press Empty selected

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin and make your hidden files visible again.

    Restart your computer normally.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
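    The O4 entries JaPK lists above share a few tells: value names that are HTML fragments, "commands" that point at a directory or a tag instead of a program, executables running out of the profile's temp folders, and hex-named droppers. As an added example that is not part of this thread or of HijackThis itself, the following triage script parses O4 lines from a HijackThis log and reports those tells so a helper can pick the entries out of a long log; the sample log lines and the heuristics are constructed for illustration and flag entries for review, not as proof of infection.

```python
import re
from typing import Optional

# HijackThis O4 autostart lines look like: "O4 - HKLM\..\Run: [name] command".
# Global Startup and HKUS\S-1-5-xx variants use other shapes and are ignored here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.*)$"
)

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll", ".ocm")
# Locations a persistent Run entry normally has no business starting from.
TEMP_MARKERS = ("\\temporary internet files\\", "\\local settings\\", "\\temp\\")

# Constructed sample in the shape of the log in this thread (not a real capture).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O20 - Winlogon Notify: winggc32 - C:\WINDOWS\SYSTEM32\winggc32.dll
"""


def parse_o4(line: str) -> Optional[dict]:
    """Split one O4 line into hive, key, value name and command; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command: the quoted path, or the text up to
    the first executable extension, or the first token if there is no such extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    low = cmd.lower()
    cut = -1
    for ext in EXEC_EXTENSIONS:
        i = low.find(ext)
        if i != -1 and (cut == -1 or i + len(ext) < cut):
            cut = i + len(ext)
    return cmd[:cut] if cut != -1 else cmd.split(" ", 1)[0]


def triage_o4(line: str) -> list:
    """Return heuristic reasons to review an O4 entry (empty list means nothing odd)."""
    entry = parse_o4(line)
    if entry is None:
        return []
    reasons = []
    name = entry["name"].strip()
    if not name or name.startswith("<"):
        reasons.append("value name is empty or an HTML fragment")
    exe = executable_of(entry["cmd"])
    low = exe.lower()
    if any(ch in exe for ch in '<>"|*?'):
        # These characters cannot appear in a Windows file name, so the
        # "command" was never a program; it is junk written into the Run key.
        reasons.append("target contains characters illegal in a file name")
    elif not low.endswith(EXEC_EXTENSIONS):
        reasons.append("target does not name an executable")
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("executable runs from a temp/profile directory")
    base = low.rsplit("\\", 1)[-1]
    if re.fullmatch(r"[0-9a-f]{8}\.exe", base):
        reasons.append("hex-string executable name")
    if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", low):
        reasons.append("executable dropped directly in the Windows root")
    return reasons


def triage_log(text: str) -> list:
    """Return (line, reasons) for every O4 entry in the log that trips a heuristic."""
    findings = []
    for raw in text.splitlines():
        reasons = triage_o4(raw)
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    -", reason)
```

    Entries that trip only the "Windows root" or "temp directory" rule can still be legitimate, so the output is a review list for the helper, not a fix list for HijackThis.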
     
  12. kasmsod

    kasmsod Member

    Joined:
    Jun 11, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    Ok, so I followed the instructions, and the popups are gone :). On another note though, the garbled commands are still in the HijackThis log. When I went to delete them (I did this twice) my computer shut off and said that it had a fatal error. I decided to leave them there, but I don't know if they are good or bad though. When I scanned with Ewido, PurityScan was found and couldn't be deleted, and I tried to run that uninstaller and Add/Remove Programs but they didn't work either. Thanks for the help, but if you have any ideas for how to get rid of the garbled mess in the logfile, that would be great too. :)

    Logfile of HijackThis v1.99.1
    Scan saved at 9:21:05 PM, on 6/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\sdpasvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\HJT\HiJackThis\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
    O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
    O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
    O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe



    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:57:28 PM 6/21/2006

    + Scan result:



    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092497.dll -> Adware.PurityScan : Cleaned.
    C:\WINDOWS\SYSTEM32\__delete_on_reboot__a_t_i_2_e_v_x_x_._d_l_l_ -> Adware.PurityScan : Cleaned.
    [1036] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1060] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1132] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1196] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1332] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1392] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1484] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1512] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1548] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1572] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [1916] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [2196] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [2416] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [2572] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [2624] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [2688] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [284] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [3668] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [3708] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [3940] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [4020] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [4048] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [436] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [520] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [608] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [656] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [668] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [816] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [916] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    [968] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092479.exe -> Adware.Trymedia : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.10\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.11\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.12\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.13\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.14\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.15\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.4\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.5\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.6\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.7\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.8\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.9\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092478.dll -> Downloader.Agent.b : Cleaned.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092477.exe -> Downloader.PurityScan.co : Cleaned.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092476.exe -> Downloader.PurityScan.cp : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.22\rdgUS2404.exe -> Downloader.Small.cxq : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.23\rdgUS2404.exe -> Downloader.Small.cxq : Cleaned.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.24\rdgUS2404.exe -> Downloader.Small.cxq : Cleaned.
    C:\WINDOWS\SYSTEM32\asxbbx.dll -> Not-A-Virus.Hoax.Win32.Renos.dj : Cleaned.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092473.exe -> Proxy.Agent.l : Cleaned.
    C:\Documents and Settings\G-Wood\Cookies\g-wood@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092474.dll -> Trojan.Goldid : Cleaned.
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092475.dll -> Trojan.Golid : Cleaned.


    ::Report end
     
  13. JaPK (Regular member)

    OK, looking better, but still some infections...

    Download F-Secure Blacklight and save it to your desktop -> http://www.f-secure.com/blacklight/try.shtml

    Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

    You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

    DON'T choose Rename if something was found!

    Post the contents of fsbl.xxxxxxx.log here (the BlackLight log from your desktop).
     
  14. kasmsod (Member)

    06/22/06 10:49:21 [Info]: BlackLight Engine 1.0.41 initialized
    06/22/06 10:49:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/22/06 10:49:21 [Note]: 7019 4
    06/22/06 10:49:21 [Note]: 7005 0
    06/22/06 10:49:25 [Note]: 7006 0
    06/22/06 10:49:25 [Note]: 7011 284
    06/22/06 10:49:25 [Note]: 7026 0
    06/22/06 10:49:25 [Note]: 7026 0
    06/22/06 10:49:35 [Note]: FSRAW library version 1.7.1018
    06/22/06 11:54:47 [Note]: 7007 0
     
  15. JaPK (Regular member)

    Sorry for the delay.

    Cleaning instructions:

    OK, we'll have to use a stronger tool...

    1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to your desktop.
    2. Copy all the text in the quote box below to Notepad (starting from Files to delete:).

    Notice: This script is for this user only. If you aren't that user, DON'T follow these instructions, because they might harm your system.

    3. Now open The Avenger.
    -> Under "Script file to execute", select "Input Script Manually".
    -> Now click the magnifying glass, which opens a new window, "View/edit script".
    -> Paste the text you copied to Notepad earlier here.
    -> Click Done.
    -> Now click the green light to start the script.
    -> Click "Yes".

    4. Avenger will do the following:
    -> Reboot your computer.
    -> While booting, it will open a DOS prompt; this is normal.
    -> After the reboot it will create a log file, which should open. This log is at C:\avenger.txt.
    -> Avenger will also have created a backup here -> C:\avenger\backup.zip.

    Restart your computer in Safe Mode -> http://www.pchell.com/support/safemode.shtml

    Run HijackThis. Press "Do a system scan only", then close all other windows, checkmark the following entries and press "Fix checked".

    O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
    O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
    O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
    O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
    O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
    O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
    O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
    O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
    O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
    O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
    O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
    O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
    O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
    O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
    O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
    O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
    O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
    O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
    O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
    O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
    O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
    O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
    O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
    O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
    O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll


    Restart your computer normally.

    NOTE: if you get that error message with HijackThis again, please post its contents here too.

    Copy/paste the contents of avenger.txt along with a fresh HJT log.

    Then we'll continue.
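The fix list above is long because the malware wrote line after line of a fetched web page (the directNIC parked page for beneditutti.com) into the Run keys, so every HTML fragment became its own O4 entry. The following is an added example, not part of this thread and not code from HijackThis, ewido or Avenger: a small triage pass that encodes the signals a helper is eyeballing in these logs. It flags Run values whose name or command contains HTML, Run entries that execute from the browser cache, Temp or the profile's Application Data folder, hex-random value names such as 3134b70f.exe, ActiveX DPF objects fetched from a raw IP address or served as a bare .exe rather than a .cab, and any O20 AppInit_DLLs entry (Windows loads that DLL into every process that loads user32.dll, which is why the ewido report shows the same ati2evxx.dll in some thirty PIDs). The rule names, the `SUSPECT_DIRS` list and the 8-hex-digit heuristic are my own assumptions; the sample lines are taken from the logs posted in this thread, with two known-good lines added for contrast.

```python
"""Triage pass over HijackThis 1.99-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis logs in this thread, plus the
# vptray and DefWatch lines as known-good controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# "O4 - HKLM\..\Run: [value name] command".  The name is greedy so that a
# name containing ']' still parses; the command starts after the last "] ".
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*)\] (.*)$')
# "O16 - DPF: {CLSID} (optional friendly name) - source".  Source may be empty.
DPF_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? -\s*(.*)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (.+)$')
IP_LITERAL_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}\.exe$', re.IGNORECASE)  # heuristic (assumption)
# Directories a legitimate autostart should not execute from (assumption).
SUSPECT_DIRS = (
    '\\temporary internet files\\',
    '\\local settings\\application data\\',
    '\\temp\\',
)


@dataclass(frozen=True)
class Finding:
    section: str              # HijackThis section tag: O4, O16 or O20
    reasons: Tuple[str, ...]  # every rule that fired, in rule order
    line: str                 # the log line, whitespace-stripped


def triage_line(raw: str) -> Optional[Finding]:
    """Apply the rules to one log line; return a Finding or None if clean."""
    line = raw.strip()
    reasons: List[str] = []
    section = ''
    m = RUN_RE.match(line)
    if m:
        section = 'O4'
        _hive, name, command = m.groups()
        if '<' in name or '<' in command:
            reasons.append('html-fragment-in-run-key')
        if any(d in command.lower() for d in SUSPECT_DIRS):
            reasons.append('runs-from-cache-or-temp')
        if HEX_NAME_RE.match(name):
            reasons.append('random-hex-value-name')
    m = DPF_RE.match(line)
    if m:
        section = 'O16'
        parsed = urlparse(m.group(1))
        if IP_LITERAL_RE.match(parsed.hostname or ''):
            reasons.append('dpf-from-ip-literal')
        if parsed.path.lower().endswith('.exe'):
            reasons.append('dpf-source-is-exe')
    if APPINIT_RE.match(line):
        section = 'O20'
        # Any AppInit DLL is injected system-wide, so it is always reviewed.
        reasons.append('appinit-dll-present')
    if reasons:
        return Finding(section, tuple(reasons), line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, keeping only the lines that fired."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count how many lines each rule fired on."""
    counts: Dict[str, int] = {}
    for f in findings:
        for r in f.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.section, ', '.join(f.reasons))
        print('    ', f.line)
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it a whole pasted HJT log via `triage(open(path).read())`; lines in sections it has no rule for (O8, O9, O23 and so on) simply pass through unflagged, so a clean run means "nothing matched these rules", not "clean machine".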
     
  16. kasmsod (Member)

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\vfvtxqan

    *******************

    Script file located at: \??\C:\nbjfmnrt.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\system32\3134b70f.exe deleted successfully.


    File C:\WINDOWS\system32\ati2evxx.dll not found!
    Deletion of file C:\WINDOWS\system32\ati2evxx.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ati2evxx.dll
    Status: 0xc0000034

    File C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:52:47 PM, on 6/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\sdpasvc.exe
    c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\HJT\HiJackThis\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

    Error Message:

    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.


    Hopefully, there's not much more. All the crazy stuff is gone except that one file. Thanks for your help thus far.
     
    Last edited: Jun 23, 2006
  17. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, looks better already :)

    Press Start
    -> Run
    -> Write this to the field: regedit

    At first, you should take a backup of your registry:
    -> (In regedit) select My Computer, right-click it and press Export
    -> Name it RegBackup and save it to C:\

    Then go: (in regedit)
    -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    -> Search and delete NI.UWA6P_0001_N822M1605
    -> Close Regedit

    Restart your computer.

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (a folder named SmitFraudFix) to your desktop.

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

    Post the contents of this text file here.

    (Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)

    Post a new HijackThis log and the contents of SmitfraudFix.

     
    Last edited: Jun 24, 2006
  18. kasmsod

    kasmsod Member

    Joined:
    Jun 11, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    When I go to run "regedit", it does not open anything...
     
  19. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46

    Ok, let's try this instead...

    Open Notepad
    -> copy the following lines into a new document:


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NI.UWA6P_0001_N822M1605"=-


    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and run the file Fix.reg and answer yes to any questions.

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (a folder named SmitFraudFix) to your desktop.

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

    Post the contents of this text file here.

    (Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)

    Post the SmitfraudFix log here along with a new HijackThis log.
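    As an added defender-side illustration (not code from this thread, from HijackThis or from SmitfraudFix), the Python below parses the O4 Run entries out of a HijackThis log, flags the ones whose executable is launched from the IE download cache or a temp folder, as the NI.UWA6P entry in the log above is, and emits the same REGEDIT4 removal stanza that was written by hand in the Fix.reg step. The four sample log lines are copied from the log posted earlier in this thread; the heuristics, regexes and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: four O4 lines copied from the HijackThis log posted
# earlier in this thread (one rogue entry among legitimate ones).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 entry layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# First executable on the command line, quoted or not (HJT prints unquoted paths with spaces)
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocm|scr|com|cpl))(?=["\s,]|$)', re.IGNORECASE)

# Launch locations an autostart entry has no legitimate reason to point at (heuristic, assumed).
SUSPICIOUS_DIRS = (
    '\\temporary internet files\\',
    '\\content.ie5\\',
    '\\local settings\\temp\\',
    '\\windows\\temp\\',
)
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    path: str
    reasons: list


def parse_o4(log_text):
    """Parse O4 Run entries out of a HijackThis log into RunEntry records."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m['cmd'])
        path = exe['path'] if exe else m['cmd']
        entries.append(RunEntry(m['hive'], m['key'], m['name'], path, []))
    return entries


def triage(entries):
    """Return the entries whose executable lives in a cache or temp directory, with reasons attached."""
    for e in entries:
        low = e.path.lower()
        for d in SUSPICIOUS_DIRS:
            if d in low:
                e.reasons.append('launched from ' + d.strip('\\'))
        if re.search(r'\[\d+\]\.exe$', low):          # "name[1].exe" is IE's download-cache naming
            e.reasons.append('IE download-cache filename')
    return [e for e in entries if e.reasons]


def removal_reg(entries):
    """Build REGEDIT4 text that deletes the flagged values ("name"=- means delete the value)."""
    lines = ['REGEDIT4', '']
    for e in entries:
        lines.append('[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\%s]' % (HIVES[e.hive], e.key))
        lines.append('"%s"=-' % e.name)
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    flagged = triage(parse_o4(SAMPLE_LOG))
    for e in flagged:
        print(e.name, '->', e.path, '|', '; '.join(e.reasons))
    print(removal_reg(flagged))
```

    The generated text is what the earlier Fix.reg step contained; review the flagged list before applying it, since the location heuristic only narrows the candidates.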
     
  20. kasmsod

    kasmsod Member

    Joined:
    Jun 11, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    11
    SmitFraudFix v2.65

    Scan done at 10:20:03.99, Sun 06/25/2006
    Run from C:\Documents and Settings\G-Wood\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\G-Wood\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\G-Wood\FAVORI~1

    C:\DOCUME~1\G-Wood\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="http://weatherpixie.com/CDF/index.php?place=KCOU&trooper=23&type=F"
    "SubscribedURL"="http://weatherpixie.com/CDF/pixie.cdf.php?place=KCOU&type=F&trooper=23"
    "FriendlyName"="::The Weather Pixie:: KCOU"

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End


    Logfile of HijackThis v1.99.1
    Scan saved at 10:21:36 AM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\sdpasvc.exe
    c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HiJackThis\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

     
