Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

My HJT scan Please Help!

Started by Ster , Jan 13 2006 02:56 PM

  • This topic is locked This topic is locked
21 replies to this topic

#1 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 13 January 2006 - 02:56 PM

PLEASE HELP< WHAT MORE CAN I SAY.....ANY IDEAS WOULD BE APPRECIATED!


Logfile of HijackThis v1.99.1
Scan saved at 1:48:17 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mizvlym.exe
C:\WINDOWS\system32\777A827E807F86.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FCHelp\FCHelp.exe
C:\WINDOWS\dkjfpwj.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinAntiVirus 2005 Pro\cs_srv.exe
C:\Program Files\Common Files\WinSoftware\wff.exe
C:\Program Files\WinAntiVirus 2005 Pro\Updater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Staples\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.gmcc.ab.ca; *.macewan.ca;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro\winpgi.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsl731.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasmqky.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsa7.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [mizvlym] C:\WINDOWS\mizvlym.exe
O4 - HKLM\..\Run: [7C7F878385848B86] 777A827E807F86.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alexa Web Search - http://client.alexa....ions/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get Alexa Data - http://client.alexa....ns/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa....ions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa....ons/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa....ions/review.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCHelp\FCHelp.dll
O20 - AppInit_DLLs: ipfoabkm.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVKernel - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dkjfpwj.exe

    Advertisements

Register to Remove

#2 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 13 January 2006 - 09:42 PM

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

#3 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 13 January 2006 - 11:22 PM

Alright! Thanks for the quick response, here's what I got from the I2mfix scan. L2MFIX find log 010406 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{8FF43EAA-2BB1-4A53-8E18-D9221E56E593}"="CePMTab Property Sheet" "{9ED66769-A198-41FE-8615-601691C68846}"="TouchPad Property Sheet" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" "{E0D79300-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79301-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79302-84BE-11CE-9641-444553540000}"="WinZip" "{04c23aa0-3d34-11d2-b788-008029605ac7}"="NDPS Shell Extension" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes" "{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}"="Zinio Shell Extension" "{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}"="Zinio Magazine Column Provider" "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band" ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ avisynth.dll Wed Dec 14 2005 2:08:24p A.... 196,608 192.00 K browseui.dll Wed Nov 23 2005 6:06:34p A.... 1,022,464 998.50 K bszip.dll Wed Nov 23 2005 4:56:12p A.... 62,464 61.00 K cdfview.dll Thu Oct 20 2005 8:39:26p A.... 151,040 147.50 K danim.dll Fri Nov 4 2005 8:16:24p A.... 1,054,208 1.00 M divxc32.dll Wed Dec 14 2005 2:07:10p A.... 414,272 404.56 K divxc32f.dll Wed Dec 14 2005 2:07:10p A.... 414,272 404.56 K dxtrans.dll Thu Oct 20 2005 8:39:28p A.... 205,312 200.50 K esent.dll Thu Oct 20 2005 3:20:04p A.... 1,082,368 1.03 M extmgr.dll Thu Oct 20 2005 8:39:28p ..... 55,808 54.50 K fontsub.dll Mon Oct 17 2005 2:14:46p A.... 80,896 79.00 K gdi32.dll Wed Dec 28 2005 7:54:36p A.... 280,064 273.50 K huffyuv.dll Wed Dec 14 2005 2:07:04p A.... 33,280 32.50 K iepeers.dll Thu Oct 20 2005 8:39:28p A.... 251,392 245.50 K inseng.dll Thu Oct 20 2005 8:39:28p A.... 96,256 94.00 K ipfoabkm.dll Tue Dec 13 2005 5:23:22p A.... 65,536 64.00 K irasmqky.dll Wed Nov 23 2005 9:13:26a A.... 229,376 224.00 K irismon.dll Thu Jan 12 2006 7:58:06p A.... 417,792 408.00 K irsmkaxi.dll Thu Jan 12 2006 7:58:20p A.... 393,216 384.00 K legitc~1.dll Fri Nov 4 2005 4:27:24p A.... 534,280 521.76 K mshtml.dll Wed Nov 23 2005 6:06:34p A.... 3,015,680 2.88 M mshtmled.dll Thu Oct 20 2005 8:39:30p A.... 448,512 438.00 K msrating.dll Thu Oct 20 2005 8:39:30p A.... 146,432 143.00 K mstime.dll Thu Oct 20 2005 8:39:30p A.... 530,944 518.50 K msxml3a.dll Wed Nov 23 2005 9:13:04a A.... 24,576 24.00 K nsa7.dll Tue Nov 8 2005 12:48:42p A.... 151,552 148.00 K nsb9.dll Fri Oct 21 2005 7:03:56p A.... 146,944 143.50 K nse440.dll Sat Oct 22 2005 5:03:56a A.... 146,944 143.50 K nsh34.dll Fri Oct 21 2005 7:03:56p A.... 146,944 143.50 K nsl443.dll Thu Dec 1 2005 12:06:50p A.... 161,792 158.00 K nsl452.dll Sat Oct 22 2005 5:03:56a A.... 146,944 143.50 K nsl731.dll Thu Dec 1 2005 11:41:16p A.... 68,096 66.50 K nsm796.dll Thu Dec 1 2005 11:41:16p A.... 68,096 66.50 K nsn45c.dll Thu Dec 1 2005 12:06:50p A.... 161,792 158.00 K nssf7.dll Fri Oct 21 2005 7:03:56p A.... 146,944 143.50 K nst33.dll Fri Oct 21 2005 7:03:56p A.... 146,944 143.50 K nsw196.dll Thu Dec 1 2005 12:06:50p A.... 161,792 158.00 K pngfilt.dll Thu Oct 20 2005 8:39:30p A.... 39,424 38.50 K rastmon.dll Wed Nov 23 2005 9:13:18a A.... 417,792 408.00 K shdocvw.dll Wed Nov 30 2005 8:59:30p A.... 1,492,480 1.42 M shlwapi.dll Thu Oct 20 2005 8:39:30p A.... 473,600 462.50 K t2embed.dll Mon Oct 17 2005 2:14:46p A.... 118,272 115.50 K urlmon.dll Fri Nov 4 2005 8:16:28p A.... 609,280 595.00 K wininet.dll Thu Oct 20 2005 8:39:30p A.... 658,432 643.00 K {fb0fd~1.dll Tue Jan 3 2006 3:03:56a A.... 204,800 200.00 K {fbd2e~1.dll Wed Nov 23 2005 1:41:42p A.... 160,256 156.50 K 46 items found: 46 files, 0 directories. Total of file sizes: 17,036,168 bytes 16.25 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Volume in drive C is C Drive Volume Serial Number is 0C1F-8A0D Directory of C:\WINDOWS\System32 01/13/2006 10:18 PM <DIR> .. 01/13/2006 10:18 PM <DIR> . 01/12/2006 08:15 PM <DIR> dllcache 02/03/2003 08:25 AM <DIR> Microsoft 04/30/2002 12:01 PM 10,240 Thumbs.db 1 File(s) 10,240 bytes 4 Dir(s) 8,160,632,832 bytes free

#4 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 13 January 2006 - 11:26 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.

#5 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 13 January 2006 - 11:49 PM

Great Here we go....HJT and other log

Logfile of HijackThis v1.99.1
Scan saved at 10:46:47 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\dkjfpwj.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mizvlym.exe
C:\WINDOWS\system32\777A827E807F86.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\WinAntiVirus 2005 Pro\cs_srv.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FCHelp\FCHelp.exe
C:\Program Files\EQTraffic\EQTraffic.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\WinSoftware\wff.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Staples\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.gmcc.ab.ca; *.macewan.ca;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro\winpgi.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsm796.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasmqky.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsa7.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [mizvlym] C:\WINDOWS\mizvlym.exe
O4 - HKLM\..\Run: [7C7F878385848B86] 777A827E807F86.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alexa Web Search - http://client.alexa....ions/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get Alexa Data - http://client.alexa....ns/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa....ions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa....ons/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa....ions/review.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCHelp\FCHelp.dll
O20 - AppInit_DLLs: ipfoabkm.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVKernel - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dkjfpwj.exe






L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 420 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 492 'winlogon.exe'
Killing PID 492 'winlogon.exe'
Killing PID 492 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1900 'explorer.exe'
Killing PID 1900 'explorer.exe'
Killing PID 1900 'explorer.exe'
Killing PID 1900 'explorer.exe'
Killing PID 1900 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)

#6 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 13 January 2006 - 11:50 PM

Step # 1

Please download and run CWShredder. Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.

http://www.majorgeek...7fd6b3ff02edc90

REBOOT

Step #2

Please download and run Spybot 1.4 & AdAware SE Then follow the instructions in the link below to run.

Spybot & Adaware Tutorial

REBOOT

Step # 3

Then do a virus scan here >>> Trend Micro

Step # 4

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#7 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 14 January 2006 - 09:08 PM

Okay I've done all the downloading and everything but I can't get my computer to start up in safe mode. Is there another way to do besides hitting the F8 key in startup? How do you tell if its in safe mode?

#8 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 14 January 2006 - 10:02 PM

Run them in reg mode for now then a new hijackthis log.

#9 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 15 January 2006 - 02:34 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:31:56 AM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinAntiVirus 2005 Pro\cs_srv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FCHelp\FCHelp.exe
C:\Program Files\Common Files\WinSoftware\wff.exe
C:\Program Files\EQTraffic\EQTraffic.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Staples\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.gmcc.ab.ca; *.macewan.ca;<local>
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsc7A1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro\winpgi.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasmqky.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsa7.dll (file missing)
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa....ions/review.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - AppInit_DLLs: ipfoabkm.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVKernel - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dkjfpwj.exe (file missing)





---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:29:54 AM, 1/15/2006
+ Report-Checksum: 33898B79

+ Scan result:

HKLM\SOFTWARE\Alexa Internet -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Alexa Internet\Hosts -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{27D784D7-9217-4227-B43B-E06E4781E0CB} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{69A72A8A-84ED-4a75-8CE7-263DBEF3E5D3} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7BF3A7DB-A516-4e24-B40A-F60B34699E26} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EA20F195-32DA-4bd6-B348-FD01FC7D3D5A} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{04D79E9F-09A9-4AED-9FC2-6E63A3BCA51E} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0B32BCCD-4D64-48EB-8EC3-9BA0807D1349} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0BBB0424-E98E-4405-9A94-481854765C80} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0F3332B5-BC98-48AF-9FAC-05FEC94EBE73} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3E60160F-0ED6-4DCC-B6B6-850CDE4FD217} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F41980D-B681-488E-9757-0C9744F9C3CE} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49160F0D-6BE2-4F5F-BCDB-9256DA3BB120} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{5A9961FD-B0A6-4065-9552-EBFC199683A3} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6912BEB3-E20C-4953-8C8E-E91B12B55BFC} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{738CB0ED-54A7-4061-AE2E-40EFD9B1EEF6} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9AF74448-EBD1-484C-8B06-35E597C0B54C} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BAB764B-E4F3-4C7B-99AD-CDF636BBE3A8} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A69107CC-BEC8-4A34-B474-211B0F46A764} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A6A08CBD-6673-41B1-B997-3F83A25B45B0} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{ABF7C4D4-53EF-4C15-8951-D22F63C98E9F} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AC2A5E17-05ED-4E62-86E5-84779E8F0BCA} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B71C7D9A-DA43-4E8B-BB9B-1684AC2AF324} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B79D9232-A798-43DB-9E61-281D550460E4} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B7B84995-8B92-46BF-94AA-FA2F3DD23B84} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DC21CEDE-3B81-43D7-B816-DAEFA7B4901F} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FA77AD79-09CF-41FB-B171-CC856F9E737F} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\PopMenu.Menu -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\PopMenu.Menu\CLSID -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\PopMenu.Menu\CurVer -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\PopMenu.Menu.1 -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CLSID -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CurVer -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.PopupKiller\CLSID -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.PopupKiller\CurVer -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{547AB549-4DD8-4EA0-B070-F6EA062148FF} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9D74677A-E227-40fb-9511-F7E92EA4083A}\\BandCLSID -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{B8DB14B3-772F-4ee6-A322-2134DA8C52D6} -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\Alexa Web Search -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\Get Alexa Data -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\Mail to a Friend... -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\See Related Links -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Spyware.Alexa : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{B8DB14B3-772F-4ee6-A322-2134DA8C52D6} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\Microsoft\Internet Explorer\MenuExt\Alexa Web Search -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\Microsoft\Internet Explorer\MenuExt\Get Alexa Data -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\Microsoft\Internet Explorer\MenuExt\Mail to a Friend... -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\Microsoft\Internet Explorer\MenuExt\See Related Links -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Explorer Bars\{B8DB14B3-772F-4ee6-A322-2134DA8C52D6} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\Alexa Web Search -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\Get Alexa Data -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\Mail to a Friend... -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\See Related Links -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@2o7[4].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@ad.yieldmanager[4].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@casinotropez[2].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@casinotropez[3].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@fastclick[4].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@fastclick[6].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@fastclick[7].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@media.fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@serving-sys[4].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@serving-sys[5].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@serving-sys[6].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@serving-sys[7].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Staples\Cookies\staples@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Staples\Local Settings\Temp\99_app99.exe -> Dropper.Agent.xw : Cleaned with backup
C:\Documents and Settings\Staples\Local Settings\Temp\btnetw3.exe -> Not-A-Virus.Hoax.Win32.SpyWare.b : Cleaned with backup
C:\Documents and Settings\Staples\Local Settings\Temp\mndcntas.tmp -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Staples\Local Settings\Temp\selassix.tmp -> Spyware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Staples\Local Settings\Temp\Transponder.dll -> Adware.Agent : Cleaned with backup
C:\WINDOWS\system32\AlxRes.dll -> Spyware.Alexa : Cleaned with backup
C:\WINDOWS\system32\bho.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\irismon.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\irsmkaxi.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\nsb9.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nse440.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsh34.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsl443.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsl452.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsl731.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsm796.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsn45C.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nssF7.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nst33.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nsw196.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\rastmon.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\trafficsector_b2search.exe -> Dropper.Agent.abb : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__nsa7.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll -> Trojan.VB.aft : Cleaned with backup


::Report End

#10 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 15 January 2006 - 12:20 PM

Scan with hijackthis and put a check beside these lines and choose FIX

O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsc7A1.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro\winpgi.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasmqky.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsa7.dll (file missing)

O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe

O8 - Extra context menu item: Write a Review... - http://client.alexa....ions/review.htm

O20 - AppInit_DLLs: ipfoabkm.dll

O23 - Service: AVKernel - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe (file missing)
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\dkjfpwj.exe (file missing)

Then Reboot to normal mode.

Please do an online scan with Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

    Advertisements

Register to Remove

#11 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 16 January 2006 - 10:42 PM

------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Monday, January 16, 2006 21:40:30 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 17/01/2006 Kaspersky Anti-Virus database records: 171541 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ Scan Statistics: Total number of scanned objects: 68484 Number of viruses found: 7 Number of infected objects: 32 Number of suspicious objects: 0 Duration of the scan process: 3121 sec Infected Object Name - Virus Name C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0002/data0006 Infected: Backdoor.Win32.HacDef.bo C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0002 Infected: Backdoor.Win32.HacDef.bo C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0011 Infected: not-a-virus:AdWare.Win32.EZula.bn C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe Infected: not-a-virus:AdWare.Win32.EZula.bn C:\Documents and Settings\Staples\Local Settings\Temp\irsinst_ts.exe/data0002/data0006 Infected: Backdoor.Win32.HacDef.bo C:\Documents and Settings\Staples\Local Settings\Temp\irsinst_ts.exe/data0002 Infected: Backdoor.Win32.HacDef.bo C:\Documents and Settings\Staples\Local Settings\Temp\irsinst_ts.exe/data0011 Infected: not-a-virus:AdWare.Win32.EZula.bn C:\Documents and Settings\Staples\Local Settings\Temp\irsinst_ts.exe Infected: not-a-virus:AdWare.Win32.EZula.bn C:\Documents and Settings\Staples\Local Settings\Temp\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft C:\Documents and Settings\Staples\Local Settings\Temp\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft C:\Documents and Settings\Staples\Local Settings\Temp\Nat2.exe Infected: Trojan.Win32.VB.aft C:\Documents and Settings\Staples\Local Settings\Temp\s300.9.exe Infected: Trojan-Dropper.Win32.Agent.abb C:\Documents and Settings\Staples\Local Settings\Temp\tpsetup.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.e C:\Documents and Settings\Staples\Local Settings\Temp\tpsetup.exe Infected: not-a-virus:AdWare.Win32.Agent.e C:\Documents and Settings\Staples\Local Settings\Temp\trafficsector_installerV5a.exe/data0002 Infected: Trojan-Dropper.Win32.Agent.abb C:\Documents and Settings\Staples\Local Settings\Temp\trafficsector_installerV5a.exe/data0003/data0006 Infected: Backdoor.Win32.HacDef.bo C:\Documents and Settings\Staples\Local Settings\Temp\trafficsector_installerV5a.exe/data0003 Infected: Backdoor.Win32.HacDef.bo C:\Documents and Settings\Staples\Local Settings\Temp\trafficsector_installerV5a.exe Infected: Backdoor.Win32.HacDef.bo C:\WINDOWS\pf78.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a C:\WINDOWS\pf78.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a C:\WINDOWS\pf78.exe Infected: not-a-virus:AdWare.Win32.CASClient.a C:\WINDOWS\system32\b2search.exe Infected: not-a-virus:AdWare.Win32.EZula.bn C:\WINDOWS\system32\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l C:\WINDOWS\system32\unirimon.exe Infected: Trojan-Downloader.NSIS.Agent.l C:\WINDOWS\Temp\irsinst_ts.exe/data0002/data0006 Infected: Backdoor.Win32.HacDef.bo C:\WINDOWS\Temp\irsinst_ts.exe/data0002 Infected: Backdoor.Win32.HacDef.bo C:\WINDOWS\Temp\irsinst_ts.exe/data0011 Infected: not-a-virus:AdWare.Win32.EZula.bn C:\WINDOWS\Temp\irsinst_ts.exe Infected: not-a-virus:AdWare.Win32.EZula.bn C:\WINDOWS\Temp\trafficsector_installerV5a.exe/data0002 Infected: Trojan-Dropper.Win32.Agent.abb C:\WINDOWS\Temp\trafficsector_installerV5a.exe/data0003/data0006 Infected: Backdoor.Win32.HacDef.bo C:\WINDOWS\Temp\trafficsector_installerV5a.exe/data0003 Infected: Backdoor.Win32.HacDef.bo C:\WINDOWS\Temp\trafficsector_installerV5a.exe Infected: Backdoor.Win32.HacDef.bo Scan process completed.

#12 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 16 January 2006 - 10:55 PM

Download CCleaner from here >>>>> http://www.majorgeek...wnload4191.html

Save it to your desktop. Open CCleaner and click on "run cleaner" at the bottom right.

Next nake sure all hidden files are visable tutorial here >>>> http://www.xtra.co.n...1916458,00.html

then look for and delete these files

C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\b2search.exe
C:\WINDOWS\system32\unirimon.exe

Then reboot and a new kapersky log and hijackthis log please.

#13 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 17 January 2006 - 01:34 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:28:30 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\EQTraffic\EQTraffic.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FCHelp\FCHelp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Staples\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.gmcc.ab.ca; *.macewan.ca;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCHelp\FCHelp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVKernel - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 00:33:53
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/01/2006
Kaspersky Anti-Virus database records: 171540
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 64655
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 3194 sec

Infected Object Name - Virus Name
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0002/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0002 Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0011 Infected: not-a-virus:AdWare.Win32.EZula.bn
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe Infected: not-a-virus:AdWare.Win32.EZula.bn
C:\RECYCLER\S-1-5-21-1614895754-842925246-1060284298-1004\Dc1.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\RECYCLER\S-1-5-21-1614895754-842925246-1060284298-1004\Dc1.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\RECYCLER\S-1-5-21-1614895754-842925246-1060284298-1004\Dc1.exe Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\RECYCLER\S-1-5-21-1614895754-842925246-1060284298-1004\Dc2.exe Infected: not-a-virus:AdWare.Win32.EZula.bn
C:\WINDOWS\system32\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l
C:\WINDOWS\system32\unirimon.exe Infected: Trojan-Downloader.NSIS.Agent.l

Scan process completed.

#14 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 17 January 2006 - 01:48 PM

Run CCleaner again.


Download TheKillbox from here http://www.downloads...org/KillBox.zip Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:


C:\WINDOWS\system32\unirimon.exe/data0001

C:\WINDOWS\system32\unirimon.exe

Then scan with ewido again post its log and a new Kapoersky log and hijackthis log please.

#15 Ster

Ster

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 17 January 2006 - 09:16 PM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 20:03:03
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/01/2006
Kaspersky Anti-Virus database records: 171637
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 64407
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 6721 sec

Infected Object Name - Virus Name
C:\!KillBox\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l
C:\!KillBox\unirimon.exe Infected: Trojan-Downloader.NSIS.Agent.l
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0002/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0002 Infected: Backdoor.Win32.HacDef.bo
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe/data0011 Infected: not-a-virus:AdWare.Win32.EZula.bn
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UH6VYZST\irsinst_ts[2].exe Infected: not-a-virus:AdWare.Win32.EZula.bn

Scan process completed.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:05:02 PM, 1/17/2006
+ Report-Checksum: 825E8499

+ Scan result:

HKLM\SOFTWARE\WinSoftware -> Adware.WinFixer : Cleaned with backup
HKLM\SOFTWARE\WinSoftware\WinAntiVirus 2005 Pro -> Adware.WinFixer : Cleaned with backup
HKLM\SOFTWARE\WinSoftware\WinAntiVirus 2005 Pro\Quarantine -> Adware.WinFixer : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\WinSoftware -> Adware.WinFixer : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\WinSoftware\WinAntiVirus 2005 Pro -> Adware.WinFixer : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\WinSoftware\WinAntiVirus 2005 Pro\HomePageMonitoring -> Adware.WinFixer : Cleaned with backup
HKU\S-1-5-21-1614895754-842925246-1060284298-1004\Software\WinSoftware\WinAntiVirus 2005 Pro\Settings -> Adware.WinFixer : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 8:16:09 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\EQTraffic\EQTraffic.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FCHelp\FCHelp.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
C:\DOCUME~1\Staples\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.gmcc.ab.ca; *.macewan.ca;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\RunOnce: [fat.exe] C:\Program Files\WinAntiVirus 2005 Pro\fat.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FCHelp] "C:\Program Files\FCHelp\FCHelp.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Filter: text/html - {994D478A-2BD0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCHelp\FCHelp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVKernel - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus 2005 Pro\AVKernel.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·