1
   

Hijacked by "heretofind"

Forums: Internet
Email this Topic Print this Page
 
 
computeridiot
 
Reply Fri 3 Sep, 2004 11:54 am
Edit: Moderator: Moved from Forum Help to Internet

Yesterday I was hijacked by the infamous www.heretofind.com which is apparently related to the porno page mk:@MSITStore:C:\spe\start.chm::/start.html#. This was not all bad because I had already been hijacked by homesearch and given up trying to get rid of it. heretofind and it's accompanying porno page overroad the homesearch. I eliminated heretofind by blocking the address so now my home page is the porno page which I am unable to block although I can navigate to any address I want from that page. Since my wife has some issues with me using this porno page as my home page I would truly like to get rid of it and the heretofind and even the homesearch while I'm at it.

I would greatly appreciate any help anyone would care to provide. If anyone is so inclined please bear in mind I chose the name "Computeridiot" for a good reason and you will not be able to take anything for granted regarding my computer knowledge. Current version HJT log follows:

Logfile of HijackThis v1.98.2
Scan saved at 12:11:30 PM, on 9/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\d3ax32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\system32\addzw.exe
C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
C:\WINDOWS\System32\Jygj0Vv.exe
C:\WINDOWS\System32\Kmzow73.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DA961EB4-D503-2B8A-69AB-C4905735F48D} - C:\WINDOWS\atlqb32.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [addzw.exe] C:\WINDOWS\system32\addzw.exe
O4 - HKLM\..\Run: [3N@#2WF2MZJN@#] C:\WINDOWS\System32\Vtz7.exe
O4 - HKLM\..\RunOnce: [msim32.exe] C:\WINDOWS\system32\msim32.exe
O4 - HKLM\..\RunOnce: [netkt.exe] C:\WINDOWS\system32\netkt.exe
O4 - HKLM\..\RunOnce: [netif32.exe] C:\WINDOWS\netif32.exe
O4 - HKLM\..\RunOnce: [iewm.exe] C:\WINDOWS\iewm.exe
O4 - HKLM\..\RunOnce: [crai32.exe] C:\WINDOWS\crai32.exe
O4 - HKLM\..\RunOnce: [ntvw32.exe] C:\WINDOWS\system32\ntvw32.exe
O4 - HKLM\..\RunOnce: [mfcoq.exe] C:\WINDOWS\system32\mfcoq.exe
O4 - Startup: Corel Print House Registration.lnk = C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
O16 - DPF: {229F0CEB-F661-47CA-AF4A-7C72091071F8} (AndalePowerUploader.PowerUploader) - http://download.andale.com/PowerUploader/AndalePowerUploader106.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctloeai.dll
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 4,434 • Replies: 10
No top replies

 
Don77
 
  1  
Reply Fri 3 Sep, 2004 09:06 pm
Hi computer,,,,
Help a memeber get rid of a similiar mess,
This will take us a couple runs so be patient and we will get it cleaned up for you,
First
You have a Peper Trojan
Go here and run the The Removal Tool
. You must be connected to the internet for it to work.
Close all open windows then run it. It will run in a flash so don't think it hasn't worked!
Reboot


Nextt
Download AboutBuster
Then Unzip it to your desktop..

Next, reboot into 'SAFE MODE'. (By tapping the F8 key on start up)
Next:
Run About Buster twice in safe Mode Save the logs it generates,
While still in safe mode,
Please restart HJT put a check next to the following if they still exist, close all open windows and click "fix.checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mytwn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [addzw.exe] C:\WINDOWS\system32\addzw.exe
O4 - HKLM\..\Run: [3N@#2WF2MZJN@#] C:\WINDOWS\System32\Vtz7.exe
O4 - HKLM\..\RunOnce: [msim32.exe] C:\WINDOWS\system32\msim32.exe
O4 - HKLM\..\RunOnce: [netkt.exe] C:\WINDOWS\system32\netkt.exe
O4 - HKLM\..\RunOnce: [netif32.exe] C:\WINDOWS\netif32.exe
O4 - HKLM\..\RunOnce: [iewm.exe] C:\WINDOWS\iewm.exe
O4 - HKLM\..\RunOnce: [crai32.exe] C:\WINDOWS\crai32.exe
O4 - HKLM\..\RunOnce: [ntvw32.exe] C:\WINDOWS\system32\ntvw32.exe
O4 - HKLM\..\RunOnce: [mfcoq.exe] C:\WINDOWS\system32\mfcoq.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctloeai.dll
make sure you can view all View all Hidden Files/Folders search for and delete the following in BOLD if still present

C:\WINDOWS\system32\addzw.exe
C:\WINDOWS\system32\msim32.exe
C:\WINDOWS\system32\netkt.exe
C:\WINDOWS\netif32.exe
C:\WINDOWS\iewm.exe
C:\WINDOWS\crai32.exe
C:\WINDOWS\system32\ntvw32.exe
C:\WINDOWS\system32\mfcoq.exe
C:\WINDOWS\System32\ms.exe
C:\WINDOWS\System32\ctloeai.dll

Restart your computer,

Run AboutBuster twice again please, Again save the log from it and post back all the logs from AboutBuster and a fresh HJT log please.
0 Replies
 
computeridiot
 
  1  
Reply Sat 4 Sep, 2004 01:18 pm
heretofind
Thank you Don77. Have done as instructed and so far so good. In deleting the files you listed prior to running AboutBuster the last time I was unable to find the last one ctloeai.dll. This first appeared about a month ago. Almost immediately upon starting my computer a Norton rtvscan window appears describing this as a Backdoor.Agent B and leaves it alone since access is denied. It continues to give notifications so I move the window out of sight at the bottom of the screen and continue using the computer. I did search the registry and found it in HKEYUSERS in Software/Microsoft/Search assistant. Presently in that same registry folder are some of the files I had just deleted in the safe mode such as netkt.exe, netif32.exe, iewm.exe, ntvw.exe. Since I'm reluctant to go crashing through my registry I left them alone. Maybe it won't matter. The ctloeai.dll thing is still here but so far I don't seem to be hijacked.

Scanned at: 12:29:34 PM on: 9/4/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 5 Random Key Entries
Deleted 2 Service Keys Successfully!
Removed! : C:\WINDOWS\aavfi.dll
Removed! : C:\WINDOWS\aeeve.dat
Removed! : C:\WINDOWS\aefxu.dat
Removed! : C:\WINDOWS\ahnhh.dat
Removed! : C:\WINDOWS\ajwkv.dll
Removed! : C:\WINDOWS\anlwm.dll
Removed! : C:\WINDOWS\apdez.dat
Removed! : C:\WINDOWS\appce.exe
Removed! : C:\WINDOWS\appii32.exe
Removed! : C:\WINDOWS\appws32.exe
Removed! : C:\WINDOWS\atlcd32.exe
Removed! : C:\WINDOWS\atlmr.exe
Removed! : C:\WINDOWS\avrgq.dat
Removed! : C:\WINDOWS\axrpo.dat
Removed! : C:\WINDOWS\axrpo.dll
Removed! : C:\WINDOWS\azbqc.dll
Removed! : C:\WINDOWS\baqov.dll
Removed! : C:\WINDOWS\bcyij.dll
Removed! : C:\WINDOWS\bdxvr.dll
Removed! : C:\WINDOWS\bfzdt.dll
Removed! : C:\WINDOWS\bhihc.dll
Removed! : C:\WINDOWS\bhihf.dll
Removed! : C:\WINDOWS\bhnykq.dat
Removed! : C:\WINDOWS\bjgeo.dll
Removed! : C:\WINDOWS\bkgly.dll
Removed! : C:\WINDOWS\bkljt.dll
Removed! : C:\WINDOWS\bpnxl.dll
Removed! : C:\WINDOWS\butlx.dll
Removed! : C:\WINDOWS\caxmi.dat
Removed! : C:\WINDOWS\cbxnfa.dat
Removed! : C:\WINDOWS\cdotap.dat
Removed! : C:\WINDOWS\ckojk.dll
Removed! : C:\WINDOWS\cnsnr.dat
Removed! : C:\WINDOWS\crbo32.exe
Removed! : C:\WINDOWS\crfn32.exe
Removed! : C:\WINDOWS\csofu.dat
Removed! : C:\WINDOWS\ctchv.dat
Removed! : C:\WINDOWS\cvoox.dat
Removed! : C:\WINDOWS\cvoox.dll
Removed! : C:\WINDOWS\cziiy.dll
Removed! : C:\WINDOWS\d3em32.dll
Removed! : C:\WINDOWS\d3sb32.exe
Removed! : C:\WINDOWS\dbrqx.dll
Removed! : C:\WINDOWS\dbzau.dat
Removed! : C:\WINDOWS\dceqk.dat
Removed! : C:\WINDOWS\dfvyo.dat
Removed! : C:\WINDOWS\dlvyu.dll
Removed! : C:\WINDOWS\dmdvwy.dat
Removed! : C:\WINDOWS\dqumo.dll
Removed! : C:\WINDOWS\dqvhq.dll
Removed! : C:\WINDOWS\dqxjl.dat
Removed! : C:\WINDOWS\dsjdu.dll
Removed! : C:\WINDOWS\duuni.dll
Removed! : C:\WINDOWS\dwnfw.dll
Removed! : C:\WINDOWS\dwzww.dll
Removed! : C:\WINDOWS\dxxqj.dat
Removed! : C:\WINDOWS\dzbouq.dat
Removed! : C:\WINDOWS\easzl.dll
Removed! : C:\WINDOWS\ebats.dll
Removed! : C:\WINDOWS\ecovk.dll
Removed! : C:\WINDOWS\edqmd.dll
Removed! : C:\WINDOWS\eghmd.dat
Removed! : C:\WINDOWS\egrbv.dll
Removed! : C:\WINDOWS\ejtwe.dll
Removed! : C:\WINDOWS\emyje.dll
Removed! : C:\WINDOWS\eosbs.dat
Removed! : C:\WINDOWS\esklb.dat
Removed! : C:\WINDOWS\evlgie.dat
Removed! : C:\WINDOWS\exzmt.dat
Removed! : C:\WINDOWS\ezrex.dat
Removed! : C:\WINDOWS\fakjb.dll
Removed! : C:\WINDOWS\fdqjg.dll
Removed! : C:\WINDOWS\filxzd.dat
Removed! : C:\WINDOWS\fjndt.dll
Removed! : C:\WINDOWS\flfnb.dat
Removed! : C:\WINDOWS\foxnv.dll
Removed! : C:\WINDOWS\fpauk.dll
Removed! : C:\WINDOWS\fpiun.dat
Removed! : C:\WINDOWS\fpuff.dat
Removed! : C:\WINDOWS\fpwish.dat
Removed! : C:\WINDOWS\fqmhf.dll
Removed! : C:\WINDOWS\ftmmr.dll
Removed! : C:\WINDOWS\fuqfx.dat
Removed! : C:\WINDOWS\fwauuk.dat
Removed! : C:\WINDOWS\fxscq.dll
Removed! : C:\WINDOWS\gbrnd.dat
Removed! : C:\WINDOWS\gefdn.dll
Removed! : C:\WINDOWS\gekgk.dll
Removed! : C:\WINDOWS\gggnv.dll
Removed! : C:\WINDOWS\ggpdg.dat
Removed! : C:\WINDOWS\ghusm.dll
Removed! : C:\WINDOWS\gomqp.dll
Removed! : C:\WINDOWS\gshyv.dll
Removed! : C:\WINDOWS\gwird.dat
Removed! : C:\WINDOWS\gxoli.dll
Removed! : C:\WINDOWS\gzfjjy.dat
Removed! : C:\WINDOWS\hepgp.dll
Removed! : C:\WINDOWS\hgwws.dat
Removed! : C:\WINDOWS\hkzgq.dll
Removed! : C:\WINDOWS\hluqgy.dat
Removed! : C:\WINDOWS\hmcxe.dat
Removed! : C:\WINDOWS\hmfep.dll
Removed! : C:\WINDOWS\hpzdc.dll
Removed! : C:\WINDOWS\hqhxb.dll
Removed! : C:\WINDOWS\hrykru.dat
Removed! : C:\WINDOWS\hskjj.dat
Removed! : C:\WINDOWS\htneh.dat
Removed! : C:\WINDOWS\htvpw.dll
Removed! : C:\WINDOWS\hxuis.dat
Removed! : C:\WINDOWS\iedo.exe
Removed! : C:\WINDOWS\iefb32.exe
Removed! : C:\WINDOWS\iemq.exe.$$$
Removed! : C:\WINDOWS\iewa32.exe
Removed! : C:\WINDOWS\iiwum.dll
Removed! : C:\WINDOWS\impmh.dat
Removed! : C:\WINDOWS\imxel.dat
Removed! : C:\WINDOWS\inyxbu.dat
Removed! : C:\WINDOWS\ipash.dll
Removed! : C:\WINDOWS\ipge.exe
Removed! : C:\WINDOWS\ipxg32.exe
Removed! : C:\WINDOWS\ipyy.exe
Removed! : C:\WINDOWS\iwhzo.dll
Removed! : C:\WINDOWS\ixjco.dll
Removed! : C:\WINDOWS\ixjkb.dll
Removed! : C:\WINDOWS\javaib.dll
Removed! : C:\WINDOWS\jccyc.dat
Removed! : C:\WINDOWS\jchwl.dll
Removed! : C:\WINDOWS\jdnkh.dat
Removed! : C:\WINDOWS\jdvye.dll
Removed! : C:\WINDOWS\jhbfs.dat
Removed! : C:\WINDOWS\jhbfs.dll
Removed! : C:\WINDOWS\jkamf.dat
Removed! : C:\WINDOWS\jmhll.dat
Removed! : C:\WINDOWS\jojxk.dll
Removed! : C:\WINDOWS\jqahu.dat
Removed! : C:\WINDOWS\jqahu.dll
Removed! : C:\WINDOWS\jsbzm.dll
Removed! : C:\WINDOWS\jszal.dll
Removed! : C:\WINDOWS\jtoqo.dll
Removed! : C:\WINDOWS\jxqay.dll
Removed! : C:\WINDOWS\jzhho.dat
Removed! : C:\WINDOWS\kaffc.dll
Removed! : C:\WINDOWS\kanmy.dll
Removed! : C:\WINDOWS\kbyin.dll
Removed! : C:\WINDOWS\kgurq.dat
Removed! : C:\WINDOWS\kidaj.dll
Removed! : C:\WINDOWS\kizso.dat
Removed! : C:\WINDOWS\kkksm.dat
Removed! : C:\WINDOWS\kkyat.dll
Removed! : C:\WINDOWS\klerxl.dat
Removed! : C:\WINDOWS\kmrlf.dll
Removed! : C:\WINDOWS\knhaf.dll
Removed! : C:\WINDOWS\kotjx.dll
Removed! : C:\WINDOWS\kqntc.dll
Removed! : C:\WINDOWS\kqvjon.dat
Removed! : C:\WINDOWS\ktljz.dat
Removed! : C:\WINDOWS\kwvctj.dat
Removed! : C:\WINDOWS\lerlk.dll
Removed! : C:\WINDOWS\leuji.dll
Removed! : C:\WINDOWS\levfi.dll
Removed! : C:\WINDOWS\lgtsu.dll
Removed! : C:\WINDOWS\licowo.dat
Removed! : C:\WINDOWS\liuhu.dat
Removed! : C:\WINDOWS\ljqlw.dll
Removed! : C:\WINDOWS\lkicl.dll
Removed! : C:\WINDOWS\llwcd.dll
Removed! : C:\WINDOWS\lmalp.dll
Removed! : C:\WINDOWS\lqiaz.dat
Removed! : C:\WINDOWS\lriumj.dat
Removed! : C:\WINDOWS\lrzlue.dat
Removed! : C:\WINDOWS\lzyix.dll
Removed! : C:\WINDOWS\mcxgw.dll
Removed! : C:\WINDOWS\mdzqu.dll
Removed! : C:\WINDOWS\medvr.dat
Removed! : C:\WINDOWS\mfcdi32.exe
Removed! : C:\WINDOWS\mfcdk.exe
Removed! : C:\WINDOWS\mfcjm32.exe
Removed! : C:\WINDOWS\mfcsc.exe
Removed! : C:\WINDOWS\mqebm.dll
Removed! : C:\WINDOWS\msbt32.exe
Removed! : C:\WINDOWS\msnm32.exe
Removed! : C:\WINDOWS\msslu.dat
Removed! : C:\WINDOWS\mszc32.exe
Removed! : C:\WINDOWS\mszm32.exe
Removed! : C:\WINDOWS\mtyxc.dll
Removed! : C:\WINDOWS\mvfgj.dll
Removed! : C:\WINDOWS\nabyo.dat
Removed! : C:\WINDOWS\nawgg.dat
Removed! : C:\WINDOWS\ndckm.dll
Removed! : C:\WINDOWS\necpa.dll
Removed! : C:\WINDOWS\netdn.exe
Removed! : C:\WINDOWS\netom32.exe
Removed! : C:\WINDOWS\nhnnrz.dat
Removed! : C:\WINDOWS\njulu.dll
Removed! : C:\WINDOWS\nkevi.dll
Removed! : C:\WINDOWS\nlieg.dat
Removed! : C:\WINDOWS\n_malvax.dat
Removed! : C:\WINDOWS\n_mpytqu.dat
Removed! : C:\WINDOWS\odgmj.dll
Removed! : C:\WINDOWS\oggoj.dll
Removed! : C:\WINDOWS\ogvqzn.dat
Removed! : C:\WINDOWS\ohblm.dll
Removed! : C:\WINDOWS\olhca.dll
Removed! : C:\WINDOWS\opgtbm.dat
Removed! : C:\WINDOWS\optba.dll
Removed! : C:\WINDOWS\oszuf.dat
Removed! : C:\WINDOWS\otsbb.dat
Removed! : C:\WINDOWS\oyuci.dll
Removed! : C:\WINDOWS\ozzrd.dll
Removed! : C:\WINDOWS\pemej.dll
Removed! : C:\WINDOWS\pfowf.dll
Removed! : C:\WINDOWS\pgust.dat
Removed! : C:\WINDOWS\phhkz.dll
Removed! : C:\WINDOWS\pjtfh.dll
Removed! : C:\WINDOWS\ppjjz.dat
Removed! : C:\WINDOWS\puepp.dll
Removed! : C:\WINDOWS\pwpph.dll
Removed! : C:\WINDOWS\pyaij.dll
Removed! : C:\WINDOWS\qbhgh.dat
Removed! : C:\WINDOWS\qbouc.dll
Removed! : C:\WINDOWS\qinnr.dll
Removed! : C:\WINDOWS\qqvti.dat
Removed! : C:\WINDOWS\qtjlx.dll
Removed! : C:\WINDOWS\qtmeu.dll
Removed! : C:\WINDOWS\rfzlm.dll
Removed! : C:\WINDOWS\rgypj.dat
Removed! : C:\WINDOWS\rnsmb.dat
Removed! : C:\WINDOWS\rpine.dat
Removed! : C:\WINDOWS\sdkms32.exe
Removed! : C:\WINDOWS\sdkzc.dll
Removed! : C:\WINDOWS\sfdyso.dat
Removed! : C:\WINDOWS\sghon.dat
Removed! : C:\WINDOWS\sgtnk.dll
Removed! : C:\WINDOWS\sjwnz.dat
Removed! : C:\WINDOWS\sxmty.dll
Removed! : C:\WINDOWS\sysfm32.exe
Removed! : C:\WINDOWS\sysxo.exe
Removed! : C:\WINDOWS\tiiwu.dat
Removed! : C:\WINDOWS\tkevb.dll
Removed! : C:\WINDOWS\tlsde.dat
Removed! : C:\WINDOWS\todrt.dll
Removed! : C:\WINDOWS\tqdfn.dat
Removed! : C:\WINDOWS\tqdfn.dll
Removed! : C:\WINDOWS\ttaql.dll
Removed! : C:\WINDOWS\tuwde.dll
Removed! : C:\WINDOWS\tvpql.dll
Removed! : C:\WINDOWS\tvvqg.dat
Removed! : C:\WINDOWS\txhpll.dat
Removed! : C:\WINDOWS\ucqum.dll
Removed! : C:\WINDOWS\ucrvi.dat
Removed! : C:\WINDOWS\udipjp.dat
Removed! : C:\WINDOWS\uiwlr.dll
Removed! : C:\WINDOWS\unbzb.dat
Removed! : C:\WINDOWS\ussiz.dat
Removed! : C:\WINDOWS\ussiz.dll
Removed! : C:\WINDOWS\uwclo.dll
Removed! : C:\WINDOWS\uxegh.dll
Removed! : C:\WINDOWS\vczef.dll
Removed! : C:\WINDOWS\vehbf.dll
Removed! : C:\WINDOWS\vgdgd.dll
Removed! : C:\WINDOWS\vgpbm.dll
Removed! : C:\WINDOWS\vhgqf.dat
Removed! : C:\WINDOWS\vmogzl.dat
Removed! : C:\WINDOWS\vonyn.dat
Removed! : C:\WINDOWS\vozji.dat
Removed! : C:\WINDOWS\vozji.dll
Removed! : C:\WINDOWS\vsfdc.dll
Removed! : C:\WINDOWS\vuqmvg.dat
Removed! : C:\WINDOWS\vzpae.dat
Removed! : C:\WINDOWS\wacso.dll
Removed! : C:\WINDOWS\wbece.dat
Removed! : C:\WINDOWS\winkj.exe
Removed! : C:\WINDOWS\wmaeak.dat
Removed! : C:\WINDOWS\wmozv.dll
Removed! : C:\WINDOWS\wrzqm.dat
Removed! : C:\WINDOWS\wzews.dll
Removed! : C:\WINDOWS\xbokh.dll
Removed! : C:\WINDOWS\xfjlem.dat
Removed! : C:\WINDOWS\xicdq.dat
Removed! : C:\WINDOWS\xknzf.dat
Removed! : C:\WINDOWS\xlrch.dll
Removed! : C:\WINDOWS\xmwrr.dll
Removed! : C:\WINDOWS\xnvyh.dat
Removed! : C:\WINDOWS\xrkmd.dll
Removed! : C:\WINDOWS\xrmzw.dll
Removed! : C:\WINDOWS\xsdtz.dat
Removed! : C:\WINDOWS\xubqo.dat
Removed! : C:\WINDOWS\xxqjn.dll
Removed! : C:\WINDOWS\yaavo.dll
Removed! : C:\WINDOWS\ybkhi.dll
Removed! : C:\WINDOWS\ydulf.dat
Removed! : C:\WINDOWS\ylqyv.dll
Removed! : C:\WINDOWS\ynaqz.dat
Removed! : C:\WINDOWS\yrtstk.dat
Removed! : C:\WINDOWS\yuvgwg.dat
Removed! : C:\WINDOWS\yxtma.dll
Removed! : C:\WINDOWS\yxuer.dll
Removed! : C:\WINDOWS\yztqw.dll
Removed! : C:\WINDOWS\zauuz.dll
Removed! : C:\WINDOWS\zgfsc.dll
Removed! : C:\WINDOWS\zhnpc.dll
Removed! : C:\WINDOWS\zicscp.dat
Removed! : C:\WINDOWS\zjvvb.dll
Removed! : C:\WINDOWS\zqfsiz.dat
Removed! : C:\WINDOWS\zujrp.dll
Removed! : C:\WINDOWS\zuywk.dat
Removed! : C:\WINDOWS\zvnfh.dll
Removed! : C:\WINDOWS\System32\aaeze.dat
Removed! : C:\WINDOWS\System32\aaiml.dll
Removed! : C:\WINDOWS\System32\addti.exe
Removed! : C:\WINDOWS\System32\addzw.exe
Removed! : C:\WINDOWS\System32\apiez32.dll
Removed! : C:\WINDOWS\System32\apiqh32.exe
Removed! : C:\WINDOWS\System32\apiuo32.exe
Removed! : C:\WINDOWS\System32\appnq.dll
Removed! : C:\WINDOWS\System32\appom.exe
Removed! : C:\WINDOWS\System32\aqkmk.dat
Removed! : C:\WINDOWS\System32\asgpi.dat
Removed! : C:\WINDOWS\System32\atltq32.exe
Removed! : C:\WINDOWS\System32\atlyr32.exe
Removed! : C:\WINDOWS\System32\awida.dat
Removed! : C:\WINDOWS\System32\awyml.dat
Removed! : C:\WINDOWS\System32\bcaax.dat
Removed! : C:\WINDOWS\System32\bellf.dat
Removed! : C:\WINDOWS\System32\bellf.dll
Removed! : C:\WINDOWS\System32\bhygt.dat
Removed! : C:\WINDOWS\System32\bnnui.dll
Removed! : C:\WINDOWS\System32\bowit.dll
Removed! : C:\WINDOWS\System32\brjtc.dll
Removed! : C:\WINDOWS\System32\budlm.dat
Removed! : C:\WINDOWS\System32\bwgxk.dll
Removed! : C:\WINDOWS\System32\bzipa.dat
Removed! : C:\WINDOWS\System32\chejk.dat
Removed! : C:\WINDOWS\System32\cjcrn.dat
Removed! : C:\WINDOWS\System32\clujj.dat
Removed! : C:\WINDOWS\System32\cnckv.dat
Removed! : C:\WINDOWS\System32\cqrlf.dat
Removed! : C:\WINDOWS\System32\crqd.exe
Removed! : C:\WINDOWS\System32\crrb32.exe
Removed! : C:\WINDOWS\System32\cslok.dll
Removed! : C:\WINDOWS\System32\d3uv.exe
Removed! : C:\WINDOWS\System32\d3vx.exe
Removed! : C:\WINDOWS\System32\dfyqb.dll
Removed! : C:\WINDOWS\System32\dhffi.dat
Removed! : C:\WINDOWS\System32\djffp.dll
Removed! : C:\WINDOWS\System32\dkdkt.dat
Removed! : C:\WINDOWS\System32\dlbzw.dll
Removed! : C:\WINDOWS\System32\dmthe.dat
Removed! : C:\WINDOWS\System32\dnkjr.dll
Removed! : C:\WINDOWS\System32\dnlgt.dat
Removed! : C:\WINDOWS\System32\dqocu.dat
Removed! : C:\WINDOWS\System32\dusot.dat
Removed! : C:\WINDOWS\System32\dvnkd.dat
Removed! : C:\WINDOWS\System32\eahbw.dll
Removed! : C:\WINDOWS\System32\eavze.dat
Removed! : C:\WINDOWS\System32\efoge.dll
Removed! : C:\WINDOWS\System32\egujl.dll
Removed! : C:\WINDOWS\System32\ejwgh.dll
Removed! : C:\WINDOWS\System32\ellov.dat
Removed! : C:\WINDOWS\System32\enugu.dll
Removed! : C:\WINDOWS\System32\eqaaz.dll
Removed! : C:\WINDOWS\System32\eqbec.dll
Removed! : C:\WINDOWS\System32\etedl.dll
Removed! : C:\WINDOWS\System32\eufce.dll
Removed! : C:\WINDOWS\System32\evadu.dat
Removed! : C:\WINDOWS\System32\evjlm.dll
Removed! : C:\WINDOWS\System32\evsst.dat
Removed! : C:\WINDOWS\System32\ewnsh.dat
Removed! : C:\WINDOWS\System32\fabel.dat
Removed! : C:\WINDOWS\System32\fbekv.dat
Removed! : C:\WINDOWS\System32\finwx.dll
Removed! : C:\WINDOWS\System32\flaac.dat
Removed! : C:\WINDOWS\System32\fldqy.dat
Removed! : C:\WINDOWS\System32\fldqy.dll
Removed! : C:\WINDOWS\System32\fmvai.dat
Removed! : C:\WINDOWS\System32\fvdao.dll
Removed! : C:\WINDOWS\System32\fyfgq.dll
Removed! : C:\WINDOWS\System32\gasua.dat
Removed! : C:\WINDOWS\System32\gizzp.dll
Removed! : C:\WINDOWS\System32\glxok.dll
Removed! : C:\WINDOWS\System32\glxpo.dll
Removed! : C:\WINDOWS\System32\gtzno.dat
Removed! : C:\WINDOWS\System32\gudgv.dat
Removed! : C:\WINDOWS\System32\hfjxv.dat
Removed! : C:\WINDOWS\System32\hfjxv.dll
Removed! : C:\WINDOWS\System32\hiiwx.dat
Removed! : C:\WINDOWS\System32\hkdwf.dat
Removed! : C:\WINDOWS\System32\hokfg.dat
Removed! : C:\WINDOWS\System32\honlg.dll
Removed! : C:\WINDOWS\System32\huumn.dat
Removed! : C:\WINDOWS\System32\hzhmd.dll
Removed! : C:\WINDOWS\System32\hzuxr.dll
Removed! : C:\WINDOWS\System32\iajod.dat
Removed! : C:\WINDOWS\System32\iaywx.dat
Removed! : C:\WINDOWS\System32\iaywx.dll
Removed! : C:\WINDOWS\System32\iffii.dll
Removed! : C:\WINDOWS\System32\ikcbb.dat
Removed! : C:\WINDOWS\System32\ipfx.exe
Removed! : C:\WINDOWS\System32\ipmd32.exe
Removed! : C:\WINDOWS\System32\ippt.exe
Removed! : C:\WINDOWS\System32\ipwb32.exe
Removed! : C:\WINDOWS\System32\ipxz.exe
Removed! : C:\WINDOWS\System32\irdbb.dll
Removed! : C:\WINDOWS\System32\ivvfw.dll
Removed! : C:\WINDOWS\System32\iwfjm.dll
Removed! : C:\WINDOWS\System32\izneh.dat
Removed! : C:\WINDOWS\System32\javadt32.exe
Removed! : C:\WINDOWS\System32\jeunv.dll
Removed! : C:\WINDOWS\System32\jfugr.dll
Removed! : C:\WINDOWS\System32\jgvif.dat
Removed! : C:\WINDOWS\System32\jqakv.dat
Removed! : C:\WINDOWS\System32\jrtgd.dat
Removed! : C:\WINDOWS\System32\jvjcj.dat
Removed! : C:\WINDOWS\System32\jvter.dll
Removed! : C:\WINDOWS\System32\jyrzf.dll
Removed! : C:\WINDOWS\System32\kgton.dat
Removed! : C:\WINDOWS\System32\kizka.dat
Removed! : C:\WINDOWS\System32\kjfoi.dat
Removed! : C:\WINDOWS\System32\kjfoi.dll
Removed! : C:\WINDOWS\System32\kntis.dll
Removed! : C:\WINDOWS\System32\koopk.dat
Removed! : C:\WINDOWS\System32\ksdaj.dat
Removed! : C:\WINDOWS\System32\ksvbr.dll
Removed! : C:\WINDOWS\System32\ktemy.dll
Removed! : C:\WINDOWS\System32\ktmrv.dat
Removed! : C:\WINDOWS\System32\kxywt.dll
Removed! : C:\WINDOWS\System32\kyjch.dll
Removed! : C:\WINDOWS\System32\lcbhb.dll
Removed! : C:\WINDOWS\System32\lcpmw.dll
Removed! : C:\WINDOWS\System32\lstoj.dat
Removed! : C:\WINDOWS\System32\lweze.dll
Removed! : C:\WINDOWS\System32\lyuzw.dll
Removed! : C:\WINDOWS\System32\mfcfs32.exe
Removed! : C:\WINDOWS\System32\mfcin32.exe
Removed! : C:\WINDOWS\System32\mfcnw32.exe
Removed! : C:\WINDOWS\System32\mhthv.dat
Removed! : C:\WINDOWS\System32\mjvcj.dll
Removed! : C:\WINDOWS\System32\mlwvq.dat
Removed! : C:\WINDOWS\System32\mocht.dat
Removed! : C:\WINDOWS\System32\mqgjk.dat
Removed! : C:\WINDOWS\System32\mrmod.dll
Removed! : C:\WINDOWS\System32\msya.exe
Removed! : C:\WINDOWS\System32\mthei.dll
Removed! : C:\WINDOWS\System32\mttzd.dat
Removed! : C:\WINDOWS\System32\muezs.dll
Removed! : C:\WINDOWS\System32\myzgk.dat
Removed! : C:\WINDOWS\System32\nebji.dat
Removed! : C:\WINDOWS\System32\netyr32.exe
Removed! : C:\WINDOWS\System32\nhtpt.dat
Removed! : C:\WINDOWS\System32\nmifn.dat
Removed! : C:\WINDOWS\System32\nmzbn.dll
Removed! : C:\WINDOWS\System32\nnpag.dat
Removed! : C:\WINDOWS\System32\nosmz.dat
Removed! : C:\WINDOWS\System32\nxipt.dll
Removed! : C:\WINDOWS\System32\nzpje.dll
Removed! : C:\WINDOWS\System32\oengq.dll
Removed! : C:\WINDOWS\System32\ojupu.dat
Removed! : C:\WINDOWS\System32\oqndf.dat
Removed! : C:\WINDOWS\System32\ormhe.dat
Removed! : C:\WINDOWS\System32\oroih.dat
Removed! : C:\WINDOWS\System32\oroih.dll
Removed! : C:\WINDOWS\System32\owcqp.dat
Removed! : C:\WINDOWS\System32\psfet.dll
Removed! : C:\WINDOWS\System32\pvjrr.dll
Removed! : C:\WINDOWS\System32\pxekw.dat
Removed! : C:\WINDOWS\System32\qaolk.dll
Removed! : C:\WINDOWS\System32\qbssj.dat
Removed! : C:\WINDOWS\System32\qeizl.dll
Removed! : C:\WINDOWS\System32\qgmfc.dat
Removed! : C:\WINDOWS\System32\qhjnh.dll
Removed! : C:\WINDOWS\System32\qluir.dll
Removed! : C:\WINDOWS\System32\qpblu.dat
Removed! : C:\WINDOWS\System32\qutth.dll
Removed! : C:\WINDOWS\System32\rjivt.dll
Removed! : C:\WINDOWS\System32\rngti.dat
Removed! : C:\WINDOWS\System32\rrnvu.dll
Removed! : C:\WINDOWS\System32\rssrg.dat
Removed! : C:\WINDOWS\System32\sdkee.exe
Removed! : C:\WINDOWS\System32\sdkyw.dll
Removed! : C:\WINDOWS\System32\sdtug.dat
Removed! : C:\WINDOWS\System32\sedpw.dll
Removed! : C:\WINDOWS\System32\senfn.dat
Removed! : C:\WINDOWS\System32\sqcjo.dll
Removed! : C:\WINDOWS\System32\ssrge.dll
Removed! : C:\WINDOWS\System32\sysnw.exe
Removed! : C:\WINDOWS\System32\systf32.exe
Removed! : C:\WINDOWS\System32\tezlx.dat
Removed! : C:\WINDOWS\System32\tfisx.dll
Removed! : C:\WINDOWS\System32\tiywr.dll
Removed! : C:\WINDOWS\System32\tpuve.dat
Removed! : C:\WINDOWS\System32\ttnjn.dat
Removed! : C:\WINDOWS\System32\txkzw.dll
Removed! : C:\WINDOWS\System32\uctcq.dat
Removed! : C:\WINDOWS\System32\ujlkv.dat
Removed! : C:\WINDOWS\System32\ukmbx.dat
Removed! : C:\WINDOWS\System32\uktmw.dat
Removed! : C:\WINDOWS\System32\uktmw.dll
Removed! : C:\WINDOWS\System32\uoqms.dat
Removed! : C:\WINDOWS\System32\vbmnk.dat
Removed! : C:\WINDOWS\System32\vixyl.dat
Removed! : C:\WINDOWS\System32\vvwxk.dat
Removed! : C:\WINDOWS\System32\vvwxk.dll
Removed! : C:\WINDOWS\System32\vwlzr.dll
Removed! : C:\WINDOWS\System32\vxwjk.dat
Removed! : C:\WINDOWS\System32\vzpgv.dll
Removed! : C:\WINDOWS\System32\wamlp.dll
Removed! : C:\WINDOWS\System32\wdiwz.dll
Removed! : C:\WINDOWS\System32\wfdyl.dll
Removed! : C:\WINDOWS\System32\whndw.dat
Removed! : C:\WINDOWS\System32\whndw.dll
Removed! : C:\WINDOWS\System32\wijpx.dat
Removed! : C:\WINDOWS\System32\wivvq.dat
Removed! : C:\WINDOWS\System32\wivvq.dll
Removed! : C:\WINDOWS\System32\wmjuv.dat
Removed! : C:\WINDOWS\System32\wqcag.dat
Removed! : C:\WINDOWS\System32\wqcag.dll
Removed! : C:\WINDOWS\System32\wtjfl.dat
Removed! : C:\WINDOWS\System32\wyttx.dll
Removed! : C:\WINDOWS\System32\xalws.dat
Removed! : C:\WINDOWS\System32\xcekw.dll
Removed! : C:\WINDOWS\System32\xcwhb.dat
Removed! : C:\WINDOWS\System32\xigrj.dll
Removed! : C:\WINDOWS\System32\xnpko.dat
Removed! : C:\WINDOWS\System32\xqtpg.dat
Removed! : C:\WINDOWS\System32\xubjl.dll
Removed! : C:\WINDOWS\System32\xvqex.dat
Removed! : C:\WINDOWS\System32\xwiyt.dat
Removed! : C:\WINDOWS\System32\xyakw.dat
Removed! : C:\WINDOWS\System32\yaidr.dat
Removed! : C:\WINDOWS\System32\ydnkj.dat
Removed! : C:\WINDOWS\System32\ydqvk.dll
Removed! : C:\WINDOWS\System32\yhoap.dat
Removed! : C:\WINDOWS\System32\yptez.dll
Removed! : C:\WINDOWS\System32\yutxl.dat
Removed! : C:\WINDOWS\System32\ywctq.dat
Removed! : C:\WINDOWS\System32\yxbus.dll
Removed! : C:\WINDOWS\System32\zcohy.dat
Removed! : C:\WINDOWS\System32\zkoby.dat
Removed! : C:\WINDOWS\System32\zlytc.dat
Removed! : C:\WINDOWS\System32\zoanq.dll
Removed! : C:\WINDOWS\System32\ztnxt.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 5 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 1:48:36 PM on: 9/4/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 5 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 5 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!






Logfile of HijackThis v1.98.2
Scan saved at 1:54:07 PM, on 9/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\Dad\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: Corel Print House Registration.lnk = C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {229F0CEB-F661-47CA-AF4A-7C72091071F8} (AndalePowerUploader.PowerUploader) - http://download.andale.com/PowerUploader/AndalePowerUploader106.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctloeai.dll
0 Replies
 
computeridiot
 
  1  
Reply Sat 4 Sep, 2004 01:25 pm
heretofind
Hi Don77. Forget everything I just said. The porno page is back along with heretofind. Last HJT log follows:

Logfile of HijackThis v1.98.2
Scan saved at 2:24:19 PM, on 9/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: Corel Print House Registration.lnk = C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
O16 - DPF: {229F0CEB-F661-47CA-AF4A-7C72091071F8} (AndalePowerUploader.PowerUploader) - http://download.andale.com/PowerUploader/AndalePowerUploader106.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctloeai.dll
0 Replies
 
Don77
 
  1  
Reply Sat 4 Sep, 2004 01:37 pm
Figured that, Like I said earlier this will take a couple pass's,
Dowload the following program

CWShredder
It should be the current version, but check for updates

Run Program cwshredder and have it fix anything it finds.

Make sure you click the "Fix" button

Next:
Download Ad-aware CHECK FOR UPDATES.
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK."

Restart your computer,
Click Start, Click Run, Type RegEdit in the box, Navigate to the following keys, Check them twice to be sure you have the right one, Then right Click and Delete
Using RegEdit, carefully remove the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}

Restart your computer, and then remove the following files:
c:\windows\start.chm
c:\windows\system32\c_10230.dll

Next
Using the Internet Properties dialog box, delete your cookies and empty your Temporary Internet Files (check off "Delete all offline content"). Reset the home page to your desired home page.

Rescan with Ad-aware again please

Post back a fresh log please
0 Replies
 
computeridiot
 
  1  
Reply Sat 4 Sep, 2004 08:28 pm
heretofind
Did that. After running Ad-aware the first time and restarting none of the registry keys selected for removal were present nor were the two files. Second Ad-aware scan found 0 New objects. Fresh hjt log follows and we may be getting close but no cigar yet. Of course I had hjt fix the obvious but it returns.:

Logfile of HijackThis v1.98.2
Scan saved at 9:11:47 PM, on 9/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\Dad\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heretofind.com/show.php?id=0&q=www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: Corel Print House Registration.lnk = C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
O16 - DPF: {229F0CEB-F661-47CA-AF4A-7C72091071F8} (AndalePowerUploader.PowerUploader) - http://download.andale.com/PowerUploader/AndalePowerUploader106.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctloeai.dll
0 Replies
 
Don77
 
  1  
Reply Mon 6 Sep, 2004 06:49 am
Hi again Computer,

Lets give this a run again.
Please download this tool to fix the start.chm hijack.

http://tools.zerosrealm.com/startchmfix.exe

Download it to preferably the Desktop . Run it and it will extract the folder to the desktop.

Open the folder after extracted.

Please make sure all Internet Explorers are closed.

Double click the fix.bat

Only run it once or you will lose the backups although they shouldn't be needed.

Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here. The Tool is designed so that if it is unable to remove the file, it will tell the user to reboot and will remove it on Reboot.

If no files show in the bad file listing then do a Reboot and do a search for either of these highlighted files and DELETE them Make sure you can view all Hidden Files/Folders :

C:\Windows\System32\ C_10230.DLL or
C:\Windows\System\crt32_v2.dll

Reboot

Next and very Important
Delete the entire contents of the below Temp folders, but not the TEMP folder itself.

Remove all the files and sub-folders from the below TEMP Folders:

C:\Documents and Settings\ \Local Settings\Temp
C:\temp
C:\windows\temp

The TIF ( Temporary Internet Files) can also be emptied via:
Internet Explorer--Tools--Internet Options--General tab--"Delete Files",
Also tick the "delete all offline content" box .


Most Important, Go to Windows Update and install ALL critical updates.


( Where and what is your Anti Virus?)
Run a couple free online scans bitdefender

TrendMicro

Post back a fresh log please when done,
0 Replies
 
computeridiot
 
  1  
Reply Mon 6 Sep, 2004 01:14 pm
heretofind
Did that stuff. Bad files found by startchmfx:

C:\WINDOWS\System32\CRT32_V2.DLL
C:\WINDOWS\System32\CTLOEAI.DLL +++ File read error

After rebooting the 2 files you designated were searched for with all hidden files/folders viewable. C_10230.DLL was not found. cret32_v2.dll was found and deleted. I might point out that C_10230.DLL was found with a registry search in a Search Assistant folder in Microsoft Software under HKEY_USERS but immediately reappears upon deletion from the registry.

Feel free to give up on this if you wish because I'm about ready to. I suspect that the CTLOEAI.DLL file which rtvscan continuously notifies me about has something to do with this although it first appeared well after homesearch attacked and at least 2 weeks before I was blessed with heretofind. It is not visible in WINDOWS\System32 and is not found with a search. However it is in the registry at HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\System32\ctloeai.dll. It immediately reappears upon deletion from the registry and in the rtvscan notification it is access denied.My antivirus is Norton Corporate Edition. I also suspect notepad now that it was mentioned in startchmfix. When checking the notepad in both(all) loctions as suggested by startchmfix it is indeed authored by Microsoft. However I started having problems with notepad about when homesearch struck. It closes about 6 seconds after opening and anything in it is lost unless saved. All files I have saved in notepad form or any files downloaded in notepad form do the same thing upon opening although I can always reopen the saved ones. Something is certainly not right with notepad.

I can keep fiddling with this and try everything you've suggested over again. I might get lucky or hopelessly screw up my computer which it almost is already anyway. At anyrate current hjt scan follows and thanks for all the help.

Logfile of HijackThis v1.98.2
Scan saved at 1:15:02 PM, on 9/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: Corel Print House Registration.lnk = C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
O16 - DPF: {229F0CEB-F661-47CA-AF4A-7C72091071F8} (AndalePowerUploader.PowerUploader) - http://download.andale.com/PowerUploader/AndalePowerUploader106.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctloeai.dll
0 Replies
 
Don77
 
  1  
Reply Tue 7 Sep, 2004 06:20 pm
Lets see if we can dig a little deeper into this,
Go Here Download FindnFix.exe. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system (C:\FINDnFIX, do not move this folder or any files in it). Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information, so let it run until the information is collected and a log file is generated. Post the contents of Log.txt in this thread
0 Replies
 
computeridiot
 
  1  
Reply Wed 8 Sep, 2004 05:50 pm
Well.........strange things happen. After I posted the last hjt log above I checked the obvious things and clicked fix. I did another bitdefender scan which found 4 infected files which I deleted. Then I ran Ad-aware one more time which found a few things. Then I ran NortonAV which found and quarantined 1 infected file. Then.........IT WAS GONE! homesearch, heretofind, the porno page - and my notepad even started working again. I've shut down and restarted about 6 times since Monday with no problems, not even so much as one pop-up. I've got my fingers crossed but I think we fixed it. The ctloeai.dll thing is still here but it doesn't seem to be causing any problems. I really appreciate your help. I would have posted sooner but I wanted to make sure this stuff was really gone. FYI a current hjt scan follows:

Logfile of HijackThis v1.98.2
Scan saved at 6:31:28 PM, on 9/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Startup: Corel Print House Registration.lnk = C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx
O9 - Extra button: Microsoft® JavaScript® Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {9164E3BB-254A-41E1-BF51-C1D32AE161EE} - C:\WINDOWS\system32\Comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {229F0CEB-F661-47CA-AF4A-7C72091071F8} (AndalePowerUploader.PowerUploader) - http://download.andale.com/PowerUploader/AndalePowerUploader106.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctloeai.dll
0 Replies
 
Don77
 
  1  
Reply Wed 8 Sep, 2004 06:39 pm
Thats great,,, Do me a favor though,
Dowload the latest version of Spybot 1.3 . Please check it for updates, Run the program and have it fix anything it finds in Red.

Rescan with Ad-aware again

Please make sure you have windows updates please,
Post back a fresh log, When done with the above please
0 Replies
 
 

Related Topics

Obama Promotes Making the Internet a Utility - Discussion by engineer
YouTube Is Doomed - Discussion by Shapeless
So I just joined Facebook.... - Discussion by DrewDad
Tracking and revealing the trolls....ok or not? - Question by dlowan
You are calling Congress about SOPA today, right? - Discussion by maxdancona
Internet disinformation overload - Discussion by rosborne979
Participatory Democracy Online - Discussion by wandeljw
OpenDNS and net neutrality - Question by Butrflynet
Are you for or against net neutrality, and why? - Discussion by Pronounce
Internet Explorer 8? - Question by Pitter
Blizzard Forum Says You Must Use Real Names ... - Discussion by jespah
 
  1. Forums
  2. » Hijacked by "heretofind"
Copyright © 2024 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 09/29/2024 at 12:23:07