AH! WindowURL and WindowSeek!
kasmsod
Newbie
11. June 2006 @ 14:34
OK... so I submitted the log file for analysis, and I STILL have those annoying popups...

Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:28:07 PM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\h91746.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
O4 - HKCU\..\Run: [Usswb] C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcins...
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winggc32 - C:\WINDOWS\SYSTEM32\winggc32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

PLEASE HELP
__
Senior Member
12. June 2006 @ 07:41
Hi kasmsod, please post a fresh HijackThis log here, since your log seems to be messed up. It is unreadable.

We'll help you when you post a fresh log ;)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
kasmsod
Newbie
16. June 2006 @ 20:50
Logfile of HijackThis v1.99.1
Scan saved at 11:48:00 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\h91746.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
O4 - HKCU\..\Run: [Usswb] C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcins...
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winggc32 - C:\WINDOWS\SYSTEM32\winggc32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
Senior Member
17. June 2006 @ 04:16
Hi again kasmsod.

Your log is still one big mess :(

Let's try this:

Upload your HijackThis log here -> http://pastebin.com

Then post the link to your log here.

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
kasmsod
Newbie
17. June 2006 @ 06:44
Senior Member
17. June 2006 @ 22:50
Ok, looks like your log really is strange...

Before we'll start the cleaning, I'll have to ask you: do you know anything about these strange O4 (startup) entries?

eg:

O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">



This message has been edited since posting. Last time this message was edited on 17. June 2006 @ 22:51
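A small triage script for the kind of O4 entries being discussed, added here as an example (it is not from the thread and not part of HijackThis or WinPFind). It parses HijackThis O4 lines, pulls out the executable path and flags the patterns visible in the log above: a Run value whose name is a fragment of a web page, a path HijackThis could only render with `?` (a real Windows file name cannot contain `?`, so the original name holds characters the tool could not display, which is how a look-alike such as `??curity\l?ass.exe` shows up), an executable with a random hex name, a copy of a Windows system binary outside \WINDOWS, and anything launched from the user profile or TEMP. The sample lines are copied from the log posted above; the flag names, the heuristics and the list of system-only binaries are my own assumptions, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample O4 lines copied from the HijackThis log posted earlier in this thread
# (the <meta ...> line is the one the helper quotes as "strange").
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
O4 - HKCU\..\Run: [Usswb] C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - HKCU\..\Run: [value name] command line"
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.*)$')
# "O4 - Global Startup: shortcut.lnk = target"
O4_STARTUP_RE = re.compile(r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$')
# First executable path in a command line, quoted or not.
EXE_PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|pif|bat|cmd))"?(?:\s|$)', re.IGNORECASE)
TAG_RE = re.compile(r'<[A-Za-z!/]')            # looks like the start of an HTML tag
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}\.exe$', re.IGNORECASE)

# Binaries that ship only under %WinDir% (assumed list); a same-named file elsewhere deserves a look.
SYSTEM_ONLY_BINARIES = {"wuauclt.exe", "lsass.exe", "svchost.exe", "csrss.exe",
                        "winlogon.exe", "services.exe", "smss.exe"}
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\windows\\temp\\")


@dataclass
class O4Entry:
    key: str
    name: str
    cmd: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 line; returns None for anything else."""
    m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    pm = EXE_PATH_RE.match(cmd)
    return O4Entry(m.group("key"), m.group("name"), cmd, pm.group("path") if pm else None)


def flag_entry(e: O4Entry) -> O4Entry:
    """Attach the heuristic flags this thread's log illustrates (my own heuristics)."""
    if TAG_RE.search(e.name) or TAG_RE.search(e.cmd):
        e.flags.append("html-in-value-name")   # Run value whose name is a chunk of a web page
    if e.path:
        low = e.path.lower()
        base = low.rsplit("\\", 1)[-1]
        if "?" in e.path:
            # '?' is illegal in a Windows file name: HijackThis prints it for characters
            # it cannot render, so the real name uses look-alike characters.
            e.flags.append("unrenderable-char-in-path")
        if HEX_NAME_RE.match(base):
            e.flags.append("hex-named-exe")
        if base in SYSTEM_ONLY_BINARIES and not low.startswith("c:\\windows\\"):
            e.flags.append("system-binary-outside-windir")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            e.flags.append("runs-from-user-profile")
    return e


def triage(log_text: str) -> List[O4Entry]:
    """All O4 entries in a HijackThis log, each with its flags (possibly empty)."""
    entries = [parse_o4(ln.strip()) for ln in log_text.splitlines()]
    return [flag_entry(e) for e in entries if e is not None]


def suspicious(log_text: str) -> List[O4Entry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"[{e.key}] {e.name[:40]!r}: {', '.join(e.flags)}")
```

On the sample above the script leaves ctfmon.exe, Ares and the Office shortcut alone and flags the four entries the helper would ask about: the HTML-named value, `Aida` (a `wuauclt.exe` that is not under \WINDOWS), `Usswb` (look-alike characters, launched from My Documents) and `3134b70f.exe` (hex name in Local Settings). A flag is a reason to look, not a verdict: the point is to shorten a long log to the handful of lines worth checking by hand.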

kasmsod
Newbie
18. June 2006 @ 06:17
I have no idea what that means or what most of that stuff is. I can usually recognize most of the processes running on the computer, but not those. When I submitted my logfile to the site analysis, half of the items came up as unknown processes. So, I really have no idea what's going on. If you could still help, that would be great. Since my first post, not only do I have the WindowURL and WindowSeek pop-ups, but I now have random pop-ups on my computer without being connected to the internet. My firewall is on, and says it's working properly.

:-/
Senior Member
18. June 2006 @ 11:01
Ok, I'll help you, but I need some more information first.

Please download WinPFind from here -> http://www.bleepingcomputer.com/files/winpfind.php

Run a scan with it and post its log here.

Then we'll start the cleaning process ;)

kasmsod
Newbie
20. June 2006 @ 15:44
Ok, I didn't know where the file was, so I copied everything...

This message has been edited since posting. Last time this message was edited on 20. June 2006 @ 15:47

kasmsod
Newbie
20. June 2006 @ 15:48
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/14/2005 4:40:30 PM 18432 C:\WINDOWS\ss3unstl.exe

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 5/26/2005 3:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 7/22/2005 7:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
aspack 12/5/2005 6:09:18 PM 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll
aspack 2/3/2006 8:43:16 AM 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll
aspack 3/31/2006 12:40:58 PM 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll
PEC2 8/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2 12/7/2005 12:05:52 PM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 12/7/2005 12:05:52 PM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 8/16/2002 7:33:40 PM 127488 C:\WINDOWS\SYSTEM32\fmod.dll
UPX! 3/4/2004 2:42:38 PM 9174 C:\WINDOWS\SYSTEM32\iagold.exe
PTech 6/2/2006 1:39:54 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 8:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 8:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 5/18/2006 10:19:30 PM 156672 C:\WINDOWS\SYSTEM32\oins.exe
UPX! 12/5/2003 11:07:44 PM 5527 C:\WINDOWS\SYSTEM32\pstvdt.exe
UPX! 8/29/2002 5:00:00 AM 7719 C:\WINDOWS\SYSTEM32\py.exe
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
PTech 6/2/2006 1:39:46 PM 286000 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/17/2006 5:23:58 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
6/17/2006 11:13:56 PM H 54156 C:\WINDOWS\QTFont.qfn
6/17/2006 5:24:04 PM HS 1169 C:\WINDOWS\SYSTEM32\mmf.sys
5/14/2006 5:21:52 AM S 13309 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
5/5/2006 9:22:46 AM S 12227 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
5/29/2006 11:16:00 AM S 23751 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
5/18/2006 2:15:12 AM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
6/1/2006 3:28:56 PM S 11043 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
6/2/2006 1:40:32 PM S 7160 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
6/20/2006 6:59:58 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
6/20/2006 1:08:38 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
6/20/2006 5:07:40 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
6/20/2006 6:35:42 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
6/20/2006 6:30:16 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
6/17/2006 12:21:02 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
5/19/2006 10:28:38 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\ac868dcf-024b-4d5e-9e12-26a67066c124
5/19/2006 10:28:38 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
6/17/2006 5:24:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT
6/20/2006 6:20:02 PM H 394 C:\WINDOWS\Tasks\{F445B4D2-170F-41BA-858F-20D838AB56DB}_KRISTIN_G-Wood.job

Checking for CPL files...
7/9/2003 1:13:16 AM 176128 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
11/12/1999 12:11:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
5/24/2002 11:45:48 AM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 6/30/2003 5:12:56 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
SigmaTel Inc. 11/11/2002 5:57:32 PM 77824 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\DLLCACHE\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\DLLCACHE\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\DLLCACHE\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\DLLCACHE\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\DLLCACHE\mmsys.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\DLLCACHE\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\DLLCACHE\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\DLLCACHE\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155648 C:\WINDOWS\SYSTEM32\DLLCACHE\sapi.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\DLLCACHE\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
5/27/2003 2:38:16 PM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
9/28/2004 4:14:16 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus G Wireless Utility.lnk
11/27/2005 6:55:02 PM 1833 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
11/27/2005 7:14:32 PM 1996 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
8/21/2003 5:52:28 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
12/29/2005 7:41:30 PM 799 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
4/29/2004 11:22:34 AM 6 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt
3/1/2006 6:06:24 PM 2161 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\G-Wood\Start Menu\Programs\Startup\DESKTOP.INI
8/24/2003 4:12:42 PM 1534 C:\Documents and Settings\G-Wood\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
6/15/2006 10:19:38 AM 320 C:\Documents and Settings\G-Wood\Application Data\bbbconfig.dat
9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\G-Wood\Application Data\DESKTOP.INI
4/24/2006 12:39:00 PM 54360 C:\Documents and Settings\G-Wood\Application Data\GDIPFONTCACHEV1.DAT
6/7/2003 8:51:40 PM 12358 C:\Documents and Settings\G-Wood\Application Data\PFP100JCM.{PB
6/7/2003 8:51:40 PM 61678 C:\Documents and Settings\G-Wood\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TextPad
{2F25CF20-C569-11D1-B94C-00608CB45480} = C:\Program Files\TextPad 4\System\shellext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{014DA6C9-189F-421A-88CD-07CFE51CFF10} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIModeChange Ati2mdxx.exe
CARPService carpserv.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
DadApp C:\Program Files\Dell\AccessDirect\dadapp.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
WinampAgent "C:\Program Files\Winamp3\winampa.exe"
hnuvwczi C:\WINDOWS\dfuxyxpg.exe
XFLOGT C:\WINDOWS\System32\XFLOGT.exe
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional// c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<h c:\WINDOWS\System32\<head>
<title>the domain beneditutti.com is under construction</ti c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
<meta name="keywords" content="beneditutti.c c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
<meta http-equiv="imagetoolbar" CONTENT=" c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
<meta name="resource-type" content="docume c:\WINDOWS\System32\<meta name="resource-type" content="document">
<meta name="revisit-after" content=" c:\WINDOWS\System32\<meta name="revisit-after" content="14">
<meta name="classification" content="Intern c:\WINDOWS\System32\<meta name="classification" content="Internet">
<meta name="robots" content="A c:\WINDOWS\System32\<meta name="robots" content="ALL">
<meta name="distribution" content="Glob c:\WINDOWS\System32\<meta name="distribution" content="Global">
<meta name="rating" content="A c:\WINDOWS\System32\<meta name="rating" content="All">
<meta name="doc-class" content="Complet c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859 c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
</h c:\WINDOWS\System32\</head>
<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000 c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
<table width="100%" border="0" cellspacing="0" cellpadding= c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
c:\WINDOWS\System32\ <tr>
<td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a>< c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
<td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.< c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
< c:\WINDOWS\System32\ </tr>
<td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle">< c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
<td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> < c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
<td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25">< c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
</ta c:\WINDOWS\System32\</table>
<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
<form method=get action="http://parked.directnic.com/result.p c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
DeadAIM rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
SunJavaUpdateSched c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
NI.UWA6P_0001_N822M1605 "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
3134b70f.exe C:\WINDOWS\system32\3134b70f.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
AAW "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
SpyKiller C:\Program Files\SpyKiller\spykiller.exe /startup
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional// c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<h c:\WINDOWS\System32\<head>
<title>the domain beneditutti.com is under construction</ti c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
<meta name="keywords" content="beneditutti.c c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
<meta http-equiv="imagetoolbar" CONTENT=" c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
<meta name="resource-type" content="docume c:\WINDOWS\System32\<meta name="resource-type" content="document">
<meta name="revisit-after" content=" c:\WINDOWS\System32\<meta name="revisit-after" content="14">
<meta name="classification" content="Intern c:\WINDOWS\System32\<meta name="classification" content="Internet">
<meta name="robots" content="A c:\WINDOWS\System32\<meta name="robots" content="ALL">
<meta name="distribution" content="Glob c:\WINDOWS\System32\<meta name="distribution" content="Global">
<meta name="rating" content="A c:\WINDOWS\System32\<meta name="rating" content="All">
<meta name="doc-class" content="Complet c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859 c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
</h c:\WINDOWS\System32\</head>
<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000 c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
<table width="100%" border="0" cellspacing="0" cellpadding= c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
c:\WINDOWS\System32\ <tr>
<td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a>< c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
<td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.< c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
<td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41">< c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
< c:\WINDOWS\System32\ </tr>
<td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle">< c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
<td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> < c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
<td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25">< c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
</ta c:\WINDOWS\System32\</table>
<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
<form method=get action="http://parked.directnic.com/result.p c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
ares "C:\Program Files\Ares\Ares.exe" -h
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
RealPlayer "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
Aida "C:\PROGRA~1\SMBOLS~1\wuauclt.exe" -vt yax
Usswb C:\Documents and Settings\G-Wood\My Documents\??curity\l?ass.exe
3134b70f.exe C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command c:\WINDOWS\System32\
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoActiveDesktopChanges 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun ?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\WINDOWS\system32\ati2evxx.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/20/2006 6:42:39 PM
Senior Member
21. June 2006 @ 07:11
You don't have a firewall on your computer. Download and install a firewall.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com

Ok, you've got some infections on your computer...

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Go to Control Panel -> Add/Remove programs -> Remove SpyKiller, PuritySCAN By OIN, OuterInfo, OIN if found

If PuritySCAN By OIN, OuterInfo, OIN were not listed, download and run this uninstaller -> http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller if needed -> http://www.outerinfo.com/howto.html

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked:
O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - Winlogon Notify: winggc32 - C:\WINDOWS\SYSTEM32\winggc32.dll

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\SpyKiller
C:\Program Files\PurityScan

Delete these files (if found):
C:\WINDOWS\dfuxyxpg.exe
C:\WINDOWS\System32\XFLOGT.exe
C:\WINDOWS\system32\3134b70f.exe
C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
C:\WINDOWS\SYSTEM32\winggc32.dll

Run ATF Cleaner -> Check select all -> Press Empty selected

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin and make your hidden files visible again.

Restart your computer normally.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log

I have moved from AD; I won't be taking new HijackThis logs from here. Reason: the AD's unsupportive atmosphere.
kasmsod
Newbie
21. June 2006 @ 18:26
Ok, so I followed the instructions, and the popups are gone :). On another note though, the garbled commands are still in the HijackThis log. When I went to delete them (I did this twice) my computer shut off and said that it had a fatal error. I decided to leave them there, but I don't know if they are good or bad though. When I scanned with ewido, PurityScan was found and couldn't be deleted, and I tried to run that uninstaller and add/remove programs but they didn't work either. Thanks for the help, but if you have any ideas for how to get rid of the garbled mess in the logfile, that would be great too. :)

Logfile of HijackThis v1.99.1
Scan saved at 9:21:05 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HiJackThis\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcins...
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:57:28 PM 6/21/2006

+ Scan result:



C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092497.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\SYSTEM32\__delete_on_reboot__a_t_i_2_e_v_x_x_._d_l_l_ -> Adware.PurityScan : Cleaned.
[1036] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1060] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1132] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1196] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1332] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1392] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1484] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1512] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1548] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1572] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[1916] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[2196] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[2416] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[2572] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[2624] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[2688] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[284] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[3668] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[3708] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[3940] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[4020] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[4048] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[436] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[520] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[608] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[656] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[668] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[816] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[916] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
[968] C:\WINDOWS\system32\ati2evxx.dll -> Adware.PurityScan : Error during cleaning.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092479.exe -> Adware.Trymedia : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\rdgUS2404.exe -> Downloader.Agent.alf : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092478.dll -> Downloader.Agent.b : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092477.exe -> Downloader.PurityScan.co : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092476.exe -> Downloader.PurityScan.cp : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.22\rdgUS2404.exe -> Downloader.Small.cxq : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.23\rdgUS2404.exe -> Downloader.Small.cxq : Cleaned.
C:\WINDOWS\Downloaded Program Files\CONFLICT.24\rdgUS2404.exe -> Downloader.Small.cxq : Cleaned.
C:\WINDOWS\SYSTEM32\asxbbx.dll -> Not-A-Virus.Hoax.Win32.Renos.dj : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092473.exe -> Proxy.Agent.l : Cleaned.
C:\Documents and Settings\G-Wood\Cookies\g-wood@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092474.dll -> Trojan.Goldid : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP849\A0092475.dll -> Trojan.Golid : Cleaned.


::Report end
Senior Member
21. June 2006 @ 19:56
OK, looking better, but still some infections...

Download F-Secure Blacklight and save it to your desktop -> http://www.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

You'll see a list of what has been found. A log will appear on your desktop; it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (the BlackLight log from your desktop).

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
kasmsod
Newbie
22. June 2006 @ 08:58
06/22/06 10:49:21 [Info]: BlackLight Engine 1.0.41 initialized
06/22/06 10:49:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/22/06 10:49:21 [Note]: 7019 4
06/22/06 10:49:21 [Note]: 7005 0
06/22/06 10:49:25 [Note]: 7006 0
06/22/06 10:49:25 [Note]: 7011 284
06/22/06 10:49:25 [Note]: 7026 0
06/22/06 10:49:25 [Note]: 7026 0
06/22/06 10:49:35 [Note]: FSRAW library version 1.7.1018
06/22/06 11:54:47 [Note]: 7007 0
Senior Member
22. June 2006 @ 22:05
Sorry for the delay.

Cleaning instructions:

OK, we'll have to use a stronger tool.

1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to your desktop.
2. Copy all the text in the quote box below to Notepad (starting from "Files to delete:").

Quote:
Files to delete:
C:\WINDOWS\system32\3134b70f.exe
C:\WINDOWS\system32\ati2evxx.dll
C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe

Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system.

3. Now open The Avenger.
-> Below "Script file to execute", select "Input Script Manually".
-> Now click the magnifying glass, which opens a new window, "View/edit script".
-> Paste the text you copied to Notepad earlier here.
-> Click Done.
-> Now click the green light to start the script.
-> Click "Yes".

4. Avenger will do the following:
-> Reboot your computer.
-> While booting, it will open a DOS prompt; this is normal.
-> After the reboot it will create a logfile, which should open. This log is at C:\avenger.txt.
-> Avenger has created a backup here -> C:\avenger\backup.zip.

Restart your computer into safe mode -> http://www.pchell.com/support/safemode.shtml

Run HijackThis. Press "Do a system scan only", then close all other windows, checkmark the following entries and press "Fix checked":

O4 - HKLM\..\Run: [hnuvwczi] C:\WINDOWS\dfuxyxpg.exe
O4 - HKLM\..\Run: [XFLOGT] C:\WINDOWS\System32\XFLOGT.exe
O4 - HKLM\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKLM\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKLM\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKLM\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKLM\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKLM\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKLM\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKLM\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKLM\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKLM\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKLM\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKLM\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKLM\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKLM\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKLM\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKLM\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKLM\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//] c:\WINDOWS\System32\<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [<title>the domain beneditutti.com is under construction</ti] c:\WINDOWS\System32\<title>the domain beneditutti.com is under construction</title>
O4 - HKCU\..\Run: [<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.c] c:\WINDOWS\System32\<meta name="description" content="beneditutti.com is under construction. This page is courtesy of directNIC.com">
O4 - HKCU\..\Run: [<meta name="keywords" content="beneditutti.c] c:\WINDOWS\System32\<meta name="keywords" content="beneditutti.com">
O4 - HKCU\..\Run: [<meta http-equiv="imagetoolbar" CONTENT="] c:\WINDOWS\System32\<meta http-equiv="imagetoolbar" CONTENT="no">
O4 - HKCU\..\Run: [<meta name="resource-type" content="docume] c:\WINDOWS\System32\<meta name="resource-type" content="document">
O4 - HKCU\..\Run: [<meta name="revisit-after" content="] c:\WINDOWS\System32\<meta name="revisit-after" content="14">
O4 - HKCU\..\Run: [<meta name="classification" content="Intern] c:\WINDOWS\System32\<meta name="classification" content="Internet">
O4 - HKCU\..\Run: [<meta name="robots" content="A] c:\WINDOWS\System32\<meta name="robots" content="ALL">
O4 - HKCU\..\Run: [<meta name="distribution" content="Glob] c:\WINDOWS\System32\<meta name="distribution" content="Global">
O4 - HKCU\..\Run: [<meta name="rating" content="A] c:\WINDOWS\System32\<meta name="rating" content="All">
O4 - HKCU\..\Run: [<meta name="doc-class" content="Complet] c:\WINDOWS\System32\<meta name="doc-class" content="Completed">
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/c] c:\WINDOWS\System32\<link rel="stylesheet" href="http://parked.directnic.com/newstyle.css" type="text/css">
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</head>
O4 - HKCU\..\Run: [<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#000] c:\WINDOWS\System32\<BODY TOPMARGIN="0" LEFTMARGIN="0" MARGINHEIGHT="0" MARGINWIDTH="0" BGCOLOR="#FFFFFF" TEXT="#000000" vLink=#0000ff>
O4 - HKCU\..\Run: [<table width="100%" border="0" cellspacing="0" cellpadding=] c:\WINDOWS\System32\<table width="100%" border="0" cellspacing="0" cellpadding="0">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a><] c:\WINDOWS\System32\ <td background="http://parked.directnic.com/images/top_bg.gif"><a href="http://directnic.com"><img src="http://parked.directnic.com/images/dnic.gif" width="372" height="41" border="0"></a></td>
O4 - HKCU\..\Run: [ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.<] c:\WINDOWS\System32\ <td align="right" background="http://parked.directnic.com/images/top_bg.gif" class="head">beneditutti.com is under construction.</td>
O4 - HKCU\..\Run: [ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"><] c:\WINDOWS\System32\ <td width="10"><img src="http://parked.directnic.com/images/top_rt.gif" width="10" height="41"></td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"><] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"><img src="http://parked.directnic.com/images/btm_lt.gif" width="24" height="25" align="absmiddle"></td>
O4 - HKCU\..\Run: [ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> <] c:\WINDOWS\System32\ <td align="left" background="http://parked.directnic.com/images/btm_bg.gif" class="wtext"> </td>
O4 - HKCU\..\Run: [ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"><] c:\WINDOWS\System32\ <td><img src="http://parked.directnic.com/images/btm_rt.gif" width="10" height="25"></td>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EB] c:\WINDOWS\System32\<table WIDTH="100%" height="31" CELLPADDING="0" CELLSPACING="0" BORDER="0" BGCOLOR="#E7EBF0">
O4 - HKCU\..\Run: [ <form method=get action="http://parked.directnic.com/result.p] c:\WINDOWS\System32\ <form method=get action="http://parked.directnic.com/result.php">
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll


Restart your computer normally.

NOTE! If you get that error message with HijackThis again, please post its contents here too.

Copy/paste the contents of avenger.txt along with a fresh HJT log.

Then we'll continue.

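The entries the helper singles out above share a few mechanical tells, so here is an added triage script (my example, not part of this thread and not a HijackThis feature) that parses HijackThis-format lines and flags them: Run values whose name or target carries HTML markup, Run targets with random hex names or under the user's Temp/Application Data folders, O16 DPF items that pull an .exe from a bare IP host, and any AppInit_DLLs entry, with an extra mark when the DLL reuses the stem of a running process, as ati2evxx.dll does with the ATI service binary Ati2evxx.exe. The sample log is constructed from shortened lines of this thread, and the rule names and heuristics are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample in HijackThis v1.99.1 format, modelled on entries posted in this
# thread; the long HTML fragments are shortened to two short representatives.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [3134b70f.exe] C:\WINDOWS\system32\3134b70f.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3134b70f.exe] C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# O4 Run entries look like "[name] target"; names are free text, so cut at the first "] ".
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>.*?)\] ?(?P<target>.*)$")
# O16 DPF entries: "{CLSID} (optional description) - URL"; the URL may be empty.
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? -\s*(?P<url>\S*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>.+?)\s*$")
# First executable-looking path in a Run target, quoted or not, arguments ignored.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat))(?:"|\s|$)', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}\.exe$", re.I)  # random-looking, e.g. 3134b70f.exe
USER_WRITABLE_RE = re.compile(
    r"\\(?:Local Settings\\(?:Application Data|Temp|Temporary Internet Files)"
    r"|WINDOWS\\TEMP)\\", re.I)
IP_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def running_process_stems(log_text: str) -> Set[str]:
    """Lower-case file stems (name minus extension) from the 'Running processes:' block."""
    stems: Set[str] = set()
    in_block = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
        elif in_block:
            if not line.strip():  # a blank line ends the block
                break
            stems.add(line.strip().rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower())
    return stems


def image_path(target: str) -> Optional[str]:
    """Extract the launched file from a Run target such as '"C:\\a b\\x.exe" -flag'."""
    m = IMAGE_RE.match(target.strip())
    return m.group("path") if m else None


def triage(log_text: str) -> List[Finding]:
    """Return every line that trips at least one heuristic, with the reasons why."""
    procs = running_process_stems(log_text)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line, reasons = raw.strip(), []
        run, dpf, appinit = RUN_RE.match(line), DPF_RE.match(line), APPINIT_RE.match(line)
        if run:
            name, target = run.group("name"), run.group("target")
            if re.search(r"[<>]", name + target):  # no installer writes markup here
                reasons.append("run-key-html-fragment")
            path = image_path(target)
            if path:
                base = path.rsplit("\\", 1)[-1]
                if HEX_NAME_RE.match(base):
                    reasons.append("run-key-random-hex-name")
                if USER_WRITABLE_RE.search(path):
                    reasons.append("run-key-user-writable-location")
        elif dpf:
            url = dpf.group("url")
            if IP_HOST_RE.match(url):
                reasons.append("dpf-bare-ip-host")
            if url.lower().endswith(".exe"):  # DPF normally delivers .cab packages
                reasons.append("dpf-executable-payload")
        elif appinit:
            # AppInit_DLLs is mapped into every process that loads user32.dll, which is
            # why the scanner reported one "Error during cleaning" per running PID.
            reasons.append("appinit-dll-review")
            stem = appinit.group("dll").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if stem in procs:
                reasons.append("appinit-dll-named-like-running-process")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` returns seven findings and leaves the ctfmon, Nintendo and WgaLogon entries alone; the heuristics are a first pass for a reviewer, not a verdict.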
kasmsod
Newbie
23. June 2006 @ 14:54
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vfvtxqan

*******************

Script file located at: \??\C:\nbjfmnrt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\3134b70f.exe deleted successfully.


File C:\WINDOWS\system32\ati2evxx.dll not found!
Deletion of file C:\WINDOWS\system32\ati2evxx.dll failed!

Could not process line:
C:\WINDOWS\system32\ati2evxx.dll
Status: 0xc0000034

File C:\Documents and Settings\G-Wood\Local Settings\Application Data\3134b70f.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 5:52:47 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\HJT\HiJackThis\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\G-Wood\Local Settings\Temporary Internet Files\Content.IE5\BRY53X53\WinAntiVirusPro2006FreeInstall[1].exe" -nag /BEFOREINSTALL
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcins...
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

Error Message:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\ati2evxx.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


Hopefully, there's not much more. All the crazy stuff is gone except that one file. Thanks for your help thus far.

This message has been edited since posting. Last time this message was edited on 23. June 2006 @ 14:56

Senior Member
24. June 2006 @ 01:56
Ok looks better already :)

Press Start
-> Run
-> Write this to the field: regedit

At first, you should take a backup of your registry:
-> (In regedit) select My Computer, right-click it and press Export
-> Name it to RegBackup and save it to the C:\

Then go: (in regedit)
-> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
-> Search and delete NI.UWA6P_0001_N822M1605
-> Close Regedit

Restart your computer.

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and double-click smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

Post the contents of this text file here.

(Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)

Post a new HijackThis log and the contents of SmitfraudFix.



I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 24. June 2006 @ 01:56
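The helper is reading the O4 (autorun), O20 (Winlogon Notify) and O23 (service) entries of each posted log and comparing them with the previous one. As an added example, which is not part of this thread and not HijackThis's own code, the Python script below parses those entry lines, diffs a "before" and an "after" log, and flags O4 Run entries whose command launches from a temp or cache folder. The two log excerpts are constructed placeholders in the same format as the logs above; the TEMP_MARKERS list and the value name `NI.EXAMPLE_0001` are assumptions made for the demonstration.

```python
import re

# Constructed "before" and "after" HijackThis excerpts in the format of the logs
# posted in this thread. Entries are placeholders, not the poster's actual data.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NI.EXAMPLE_0001] C:\WINDOWS\TEMP\example.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

# Every HijackThis entry line starts with a section id such as O4, O20, O23, R1.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Registry-backed O4 entries look like: HKLM\..\Run: [ValueName] command line
O4_RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# Assumed red flags: autoruns that start from scratch/cache folders (a heuristic,
# not a verdict; legitimate software rarely installs itself there).
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


def parse_entries(text):
    """Group entry bodies by section id; header and 'Running processes' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group("section"), set()).add(m.group("body"))
    return entries


def parse_o4(body):
    """Split a registry O4 body into hive/key/name/command, or None for Startup-folder .lnk entries."""
    m = O4_RUN_RE.match(body)
    return m.groupdict() if m else None


def flag_autoruns(text):
    """Return the value names of O4 Run entries whose command runs from a temp/cache folder."""
    flagged = []
    for body in sorted(parse_entries(text).get("O4", ())):
        entry = parse_o4(body)
        if entry is None:
            continue  # .lnk-based entries have a different shape; leave them to manual review
        command = entry["command"].lower()
        if any(marker in command for marker in TEMP_MARKERS):
            flagged.append(entry["name"])
    return flagged


def diff_logs(before, after):
    """Entries present in one log but not the other, keyed by section id."""
    b, a = parse_entries(before), parse_entries(after)
    removed = {s: sorted(b[s] - a.get(s, set())) for s in b if b[s] - a.get(s, set())}
    added = {s: sorted(a[s] - b.get(s, set())) for s in a if a[s] - b.get(s, set())}
    return removed, added


if __name__ == "__main__":
    print("flagged in before-log:", flag_autoruns(BEFORE_LOG))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed)
    print("added:", added)
```

Running it on the two constructed excerpts flags the TEMP-based autorun in the first log and shows that the second log has lost exactly that O4 entry and gained one O23 service, which is the kind of before/after check the helper does by eye when reading successive logs.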

kasmsod
Newbie
24. June 2006 @ 07:19
When I go to run "regedit", it does not open anything...
Senior Member
25. June 2006 @ 01:09
Ok, let's try this instead...

Open Notepad
-> copy the following lines into a new document:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NI.UWA6P_0001_N822M1605"=-


Save the document to your desktop as Fix.reg with file type: All Files
Go to your desktop, run the file Fix.reg and answer yes to any questions.

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and double-click smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

Post the contents of this text file here.

(Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)

Post the SmitfraudFix log to here along with a new HijackThis log.


I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
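The `"Name"=-` line in a REGEDIT4 file means "delete this value", and `[-Key]` would mean "delete this whole key", so it is worth reading a fix file before double-clicking it. As an added example, not part of this thread and not a Microsoft tool, the Python below parses a .reg file into its individual operations without touching the registry, reports anything that is not a plain value deletion from a Run key, and composes a fix file in the same shape as the one posted above. The sample input is the helper's own Fix.reg text; the AUTORUN_KEYS list and the function names are assumptions made for the demonstration.

```python
import re

# The fix file exactly as posted in the thread, embedded as sample input.
FIX_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"NI.UWA6P_0001_N822M1605"=-
"""

# Both .reg header variants regedit accepts.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [Key] selects a key; [-Key] deletes it with everything under it.
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# "name"=data or @=data (default value); data of "-" deletes the value.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
# Assumed allow-list: the only keys a cleanup like this one should touch.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


def parse_reg(text):
    """Return a list of (op, key, value_name, data) tuples describing what regedit would do."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / 5.00 header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            if km.group("delete"):
                ops.append(("delete_key", key, None, None))
            continue
        vm = VALUE_RE.match(line)
        if vm is None or key is None:
            raise ValueError(f"unparsed line: {raw!r}")
        name = "@" if vm.group("default") else vm.group("name")
        data = vm.group("data")
        if data == "-":
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, data))
    return ops


def review(text, expected_value):
    """List every operation that is not 'delete expected_value from a Run key'.

    An empty list means the file does only what the instructions say; anything
    else is a reason to stop and ask before running it. Registry key names are
    compared case-insensitively, as Windows does."""
    allowed = {k.lower() for k in AUTORUN_KEYS}
    problems = []
    for op, key, name, data in parse_reg(text):
        if op != "delete_value":
            problems.append(f"{op} on {key}: not a plain value deletion")
        elif key.lower() not in allowed:
            problems.append(f"deletes {name!r} outside the Run keys: {key}")
        elif name != expected_value:
            problems.append(f"deletes unexpected value {name!r}")
    return problems


def build_delete_reg(key, value_name):
    """Compose a REGEDIT4 file that removes one value, the same shape as the posted Fix.reg."""
    return f'REGEDIT4\n\n[{key}]\n"{value_name}"=-\n'


if __name__ == "__main__":
    for op in parse_reg(FIX_REG):
        print(op)
    print("problems:", review(FIX_REG, "NI.UWA6P_0001_N822M1605"))
```

The parser is deliberately strict: a line it cannot classify raises instead of being skipped, because a .reg file that regedit interprets differently from the reviewer is exactly the case the review is meant to catch.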
kasmsod
Newbie
25. June 2006 @ 07:22
SmitFraudFix v2.65

Scan done at 10:20:03.99, Sun 06/25/2006
Run from C:\Documents and Settings\G-Wood\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\G-Wood\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\G-Wood\FAVORI~1

C:\DOCUME~1\G-Wood\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://weatherpixie.com/CDF/index.php?place=KCOU&trooper=23&type=...
"SubscribedURL"="http://weatherpixie.com/CDF/pixie.cdf.php?place=KCOU&type=F&troop...
"FriendlyName"="::The Weather Pixie:: KCOU"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 10:21:36 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcins...
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
Senior Member
25. June 2006 @ 08:14
Ok almost clean...

Restart your computer into safe mode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks whether the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it doesn't do it, restart your computer back to normal mode.
A text file will appear after the cleaning process; copy it and paste it here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

Post the contents of C:\Rapport.txt and a fresh HijackThis log to here.

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
kasmsod
Newbie
25. June 2006 @ 22:00
SmitFraudFix v2.65

Scan done at 11:25:32.13, Sun 06/25/2006
Run from C:\Documents and Settings\G-Wood\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\G-Wood\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of HijackThis v1.99.1
Scan saved at 1:00:21 AM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smsu.edu
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.2\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcins...
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
Senior Member
26. June 2006 @ 06:46
OK good, you're clean now =)

You should update your Java (the old version has all kinds of vulnerabilities)

1. Click "Start"-> "Control panel" -> Double-click Java icon (coffee cup)
2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart.
3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp
4. After updating, uninstall the old Java (if found) from Add/Remove Programs, named as
Java 2 Runtime Environment, SE v1.4.2_02

Now that you're clean, here are some tips on how to stay clean.

-> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

-> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore...
This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

-> Use CCleaner -> http://www.ccleaner.com
Download and install CCleaner. Clean your registry and temporary files with it regularly.

-> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
Download and install Ad-Aware. Update it and scan your computer regularly with it.

-> Use Ewido -> http://www.ewido.net/en
Download and install Ewido. Update it and scan your computer regularly with it.

-> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
SpywareBlaster will prevent spyware from being installed to your computer.

-> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
This prevents your computer from connecting to harmful sites.

-> Change your browser to Firefox -> http://www.mozilla.org
Firefox is a faster, safer and quicker browser than Internet Explorer.

-> Keep your system up-to-date -> http://windowsupdate.microsoft.com
Visit Windows Update regularly.

-> Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

-> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
So how did I get infected in the first place?

Stay clean ;)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 26. June 2006 @ 06:47

kasmsod
Newbie
26. June 2006 @ 09:08
Thank you SO much for your help. I'm so glad I found this site. My computer runs so much better now.

I really appreciate it.
Senior Member
26. June 2006 @ 10:23
You're welcome ;)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.