I've Been HiJacked!


This topic is locked
24 replies to this topic

#1 sawjai (New Member, Authentic Member, 14 posts)

Posted 08 February 2006 - 10:34 PM

Please take a look at this log and let me know what I can do. I'm being bombed with popups.


Logfile of HijackThis v1.99.1
Scan saved at 11:32:25 PM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\winsysban5.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\winsysban6.exe
C:\PROGRAM FILES\AVANT BROWSER\AVANT.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd6.exe
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban6.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - C:\PROGRAM FILES\AVANT BROWSER\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\PROGRAM FILES\AVANT BROWSER\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\PROGRAM FILES\AVANT BROWSER\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\PROGRAM FILES\AVANT BROWSER\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\PROGRAM FILES\AVANT BROWSER\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\PROGRAM FILES\AVANT BROWSER\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload192a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dnn2015oe.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

#2 Piatan (SuperMember, Authentic Member, 1,825 posts)

Posted 13 February 2006 - 04:22 PM

Thanks for sending your information. We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like.

If you still need help with your problem, please run Hijack This again. Scan and copy the log, then post it here, in this topic. We do need to see a current logfile.

To post, please use the Add Reply feature, so I will be notified.

Please provide a description of the problem.

Please do not edit your Hijack This log. We need to see the entire logfile, with no revisions.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


#3 sawjai (New Member, Authentic Member, 14 posts)

Posted 13 February 2006 - 08:06 PM

I think it's getting worse. The pop ups keep popping up and it's making everything lag. Take a look.

Logfile of HijackThis v1.99.1
Scan saved at 9:04:38 PM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VXNlcg\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Network Monitor\netmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\PROGRA~1\COMMON~1\uruo\uruom.exe
C:\Program Files\tiar\caat.exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020searc...884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020searc...884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban7.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [0ce80unc.dll] RUNDLL32.EXE 0ce80unc.dll,b 60875
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [uruo] C:\PROGRA~1\COMMON~1\uruo\uruom.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Lapt] "C:\Program Files\tiar\caat.exe" -vt yax
O4 - HKCU\..\Run: [Tknpdji] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload192a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c32.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\kgrnel32.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\o648lghu1648.dll (file missing)
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
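The two logs in this thread are a good illustration of why HijackThis triage is mostly mechanical: the sections that matter (search-page redirects, autoruns dropped straight into C:\WINDOWS or started through rundll32 without a path, O10 LSP hijacks, O15 Trusted Zone additions, an O18 text/html filter, O20 AppInit_DLLs and Winlogon Notify DLLs, O21 SSODL entries, O23 services with no vendor) can each be matched by one rule, and the difference between the 8 February and 13 February logs shows what arrived in five days. The Python below is an added example for this page, not part of the thread and not HijackThis code. Its sample entries are excerpted from the two logs above (the truncated URLs are kept exactly as the forum displayed them); the search-host allowlist and the NavLogon exception are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Sample input for this example: entries excerpted from the two HijackThis logs in the thread
# (the truncated URLs are kept as the forum displayed them).
LOG_FEB_08 = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban6.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""
LOG_FEB_13 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban7.exe
O4 - HKLM\..\Run: [0ce80unc.dll] RUNDLL32.EXE 0ce80unc.dll,b 60875
O4 - HKCU\..\Run: [Tknpdji] C:\WINDOWS\system32\?ttrib.exe
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.xxxtoolbar.com
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\o648lghu1648.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Assumptions of this example: hosts that are normal for an IE6 search/start page, and the one
# third-party Winlogon Notify DLL in these logs that belongs to a known vendor (Symantec).
SEARCH_ALLOW = ("msn.com", "microsoft.com", "google.com")
NOTIFY_ALLOW = {"navlogon.dll"}
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")

def parse_hjt(text):
    """Return [(section, body)] for every HijackThis entry line; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def _host_allowed(url):
    host = urlparse(url).netloc.lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_ALLOW)

def triage(entries):
    """One rule per section; returns [(section, body, reason)] for the entries worth a second look."""
    hits = []
    for sec, body in entries:
        reason = None
        if sec in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url.lower().startswith("http") and not _host_allowed(url):
                reason = "IE search/start page points at an unknown host"
        elif sec == "O4":
            cmd = body.split("]", 1)[-1].strip().lower()
            if re.match(r'^"?c:\\windows\\[^\\]+\.exe', cmd):
                reason = "autorun executable dropped directly in C:\\WINDOWS"
            elif cmd.startswith("rundll32") and not re.search(r"\s[a-z]:\\", cmd):
                reason = "rundll32 loads a DLL given without a path (resolved via DLL search order)"
            elif "?" in cmd:
                reason = "unprintable character in autorun path (hides the file from casual inspection)"
        elif sec == "O10":
            reason = "Winsock LSP chain hijacked"
        elif sec == "O15":
            reason = "domain added to the IE Trusted Zone"
        elif sec == "O18" and body.lower().startswith("filter: text/html"):
            reason = "MIME filter on text/html: every page passes through this DLL"
        elif sec == "O20":
            if body.startswith("AppInit_DLLs"):
                reason = "AppInit_DLLs set: DLL injected into every process that loads user32"
            elif "(file missing)" in body:
                reason = "Winlogon Notify DLL missing on disk (removed, or the name changes per boot)"
            elif body.rsplit("\\", 1)[-1].lower() not in NOTIFY_ALLOW:
                reason = "Winlogon Notify DLL not from a known vendor"
        elif sec == "O21":
            reason = "ShellServiceObjectDelayLoad entry: loaded by explorer.exe at logon"
        elif sec == "O23" and "Unknown owner" in body:
            reason = "service with no vendor string"
        if reason:
            hits.append((sec, body, reason))
    return hits

def new_entries(old_text, new_text):
    """Entries present in the later log but not the earlier one: what arrived between the two scans."""
    old = set(parse_hjt(old_text))
    return [e for e in parse_hjt(new_text) if e not in old]

if __name__ == "__main__":
    for sec, body, reason in triage(parse_hjt(LOG_FEB_13)):
        print(f"{sec:4} {reason}\n     {body}")
    print(f"{len(new_entries(LOG_FEB_08, LOG_FEB_13))} entries appeared between the two scans")
```

Run against the 13 February excerpt, every entry except vptray, DefWatch and the NavLogon notify DLL is flagged, and the diff against the 8 February excerpt reports eleven new entries. The O4 rules deliberately key on where a binary lives and how it is started rather than on file names, because the names here (winsysban6 to winsysban7, o648lghu1648.dll) change between scans.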

#4 Piatan (SuperMember, Authentic Member, 1,825 posts)

Posted 13 February 2006 - 11:09 PM

Hi sawjai

Please copy and paste this text into a Notepad file and place it on your desktop, to review as you work. Please read this text, before beginning.

You have a massive amount of Malware on your PC. This will take several posts between us to remove all the Malware. It didn't all get there in one surfing session and it's going to take some work to get all of it. This is only the first step.


You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

To post, please use the Add Reply feature, so I will be notified.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

#5 sawjai (New Member, Authentic Member, 14 posts)

Posted 14 February 2006 - 12:01 AM

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkhh]
"Asynchronous"=dword:00000001
"DllName"="pmkhh.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kgrnel32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o648lghu1648.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjjq32]
"Asynchronous"=dword:00000001
"DllName"="winjjq32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{5F7F2EDD-F19A-C67E-DF2E-CC19EAADDF97}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions" "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension" "{6bc1bb05-ba15-415d-8c62-093a7f312fd2}"="eFax Messenger - Shell Extension" "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band" "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player" "{CC7AAB97-852A-460D-94BE-DF24897EBE4C}"="" "{240246AE-70EB-4CE3-86EC-25300A8A5009}"="" "{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}"="" "{05DBA331-9A00-4969-8057-D94F1F48D407}"="" ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}] @="" [HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}\InprocServer32] @="C:\\WINDOWS\\system32\\wrnetmgr.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 
[HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}] @="" [HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}\InprocServer32] @="C:\\WINDOWS\\system32\\ahrsvc.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}] @="" [HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}\InprocServer32] @="C:\\WINDOWS\\system32\\kxdit.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}] @="" [HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}\InprocServer32] @="C:\\WINDOWS\\system32\\kgrnel32.dll" "ThreadingModel"="Apartment" ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ 0ce80unc.dll Thu Feb 9 2006 8:59:14a A.... 22,016 21.50 K 0ce89y3o.dll Sun Feb 12 2006 9:12:36p A.... 45,568 44.50 K adserv~1.dll Thu Feb 9 2006 9:51:20p A.... 16,896 16.50 K ahrsvc.dll Tue Feb 7 2006 2:54:04a ..S.R 236,671 231.12 K atmtd.dll Thu Feb 9 2006 8:59:48a A.... 687,592 671.48 K aurace.dll Fri Feb 3 2006 12:48:18p ..S.R 233,410 227.94 K browseui.dll Wed Nov 23 2005 8:06:34p A.... 
1,022,464 998.50 K ctgmgr32.dll Fri Feb 3 2006 12:42:00p ..S.R 233,460 227.99 K dcom_13.dll Sun Feb 12 2006 12:59:40a A.... 66,560 65.00 K dcom_14.dll Mon Feb 13 2006 8:57:08p A.... 123,904 121.00 K gdi32.dll Wed Dec 28 2005 9:54:36p A.... 280,064 273.50 K idsacct.dll Fri Feb 3 2006 12:56:06p ..S.R 233,410 227.94 K iymontr.dll Thu Feb 9 2006 9:50:24p ..S.R 234,155 228.66 K kgrnel32.dll Mon Feb 13 2006 1:59:46a ..S.R 234,155 228.66 K kkdlt1.dll Mon Feb 13 2006 8:50:34p ..S.R 234,155 228.66 K mmjter40.dll Fri Feb 3 2006 12:51:28p ..S.R 235,267 229.75 K mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M pmkhh.dll Sun Feb 12 2006 12:59:42a ..SH. 38,925 38.01 K pncrt.dll Tue Dec 20 2005 10:30:02p A.... 278,528 272.00 K pndx5016.dll Tue Dec 20 2005 10:30:06p A.... 6,656 6.50 K pndx5032.dll Tue Dec 20 2005 10:30:06p A.... 5,632 5.50 K qlqo.dll Mon Jan 30 2006 9:17:38a A.... 139,264 136.00 K r0p80a~1.dll Sun Feb 12 2006 3:32:06p ..S.R 234,004 228.52 K repair~1.dll Thu Feb 9 2006 9:00:54a A.... 85,504 83.50 K rmoc3260.dll Tue Dec 20 2005 10:30:28p A.... 176,167 172.04 K s488le~1.dll Mon Feb 13 2006 1:59:46a ..S.R 236,039 230.50 K shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M sporder.dll Thu Feb 9 2006 9:00:44a A.... 8,464 8.27 K tgaffic.dll Fri Feb 3 2006 1:06:18p ..S.R 234,422 228.93 K winjjq32.dll Thu Feb 9 2006 12:29:46a A.... 16,896 16.50 K wraueng1.dll Wed Feb 1 2006 1:05:46p ..S.R 233,460 227.99 K wrnetmgr.dll Tue Jan 31 2006 11:29:04a ..S.R 237,074 231.52 K 32 items found: 32 files (14 H/S), 0 directories. Total of file sizes: 10,578,942 bytes 10.09 M Locate .tmp files: C:\WINDOWS\SYSTEM32\ guard.tmp Mon Feb 13 2006 7:07:46a ..S.R 234,155 228.66 K lat106.tmp Sun Feb 12 2006 9:17:42p A.... 0 0.00 K lat109.tmp Sun Feb 12 2006 9:19:02p A.... 0 0.00 K lat10b.tmp Sun Feb 12 2006 9:20:24p A.... 0 0.00 K 4 items found: 4 files (1 H/S), 0 directories. 
Total of file sizes: 234,155 bytes 228.66 K ********************************************************************************** Directory Listing of system files: Volume in drive C has no label. Volume Serial Number is 50F5-F4C7 Directory of C:\WINDOWS\System32 02/13/2006 08:50 PM 234,155 kkdlt1.dll 02/13/2006 07:07 AM 234,155 guard.tmp 02/13/2006 01:59 AM 234,155 kgrnel32.dll 02/13/2006 01:59 AM 236,039 s488lelu1hq8.dll 02/12/2006 03:32 PM 234,004 r0p80a7ued.dll 02/12/2006 12:59 AM 38,925 pmkhh.dll 02/09/2006 09:50 PM 234,155 iymontr.dll 02/07/2006 02:54 AM 236,671 ahrsvc.dll 02/03/2006 01:06 PM 234,422 tgaffic.dll 02/03/2006 12:56 PM 233,410 iDsacct.dll 02/03/2006 12:51 PM 235,267 mmjter40.dll 02/03/2006 12:48 PM 233,410 aurace.dll 02/03/2006 12:41 PM 233,460 ctgmgr32.dll 02/01/2006 01:05 PM 233,460 wraueng1.dll 01/31/2006 11:29 AM 237,074 wrnetmgr.dll 01/30/2006 09:18 AM 405,504 ?ttrib.exe 01/18/2006 12:55 AM <DIR> dllcache 01/26/2005 02:22 PM 1,890 KGyGaAvL.sys 01/26/2005 02:22 PM 56 3D892943DF.sys 01/21/2005 05:28 PM <DIR> Microsoft 18 File(s) 3,730,212 bytes 2 Dir(s) 7,284,568,064 bytes free

#6 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 14 February 2006 - 11:53 AM

Hi sawjai, this is part #2 of the L2M fix and the final part of it, but still only the first step.
There is much more Malware we have to remove.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Please use the Add Reply feature to post, so I will be notified.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If, after the reboot, the log does not open, double click on it in the l2mfix folder.

Edited by Piatan, 14 February 2006 - 11:55 AM.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


#7 sawjai

sawjai

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 14 February 2006 - 06:32 PM

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 504 'winlogon.exe'
Killing PID 504 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Killing PID 1444 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1560 'rundll32.exe'
Killing PID 1560 'rundll32.exe'
Killing PID 2096 'rundll32.exe'
Killing PID 2364 'rundll32.exe'

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!

1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.

Deleting: C:\WINDOWS\system32\ahrsvc.dll
Successfully Deleted: C:\WINDOWS\system32\ahrsvc.dll
Deleting: C:\WINDOWS\system32\aurace.dll
Successfully Deleted: C:\WINDOWS\system32\aurace.dll
Deleting: C:\WINDOWS\system32\ctgmgr32.dll
Successfully Deleted: C:\WINDOWS\system32\ctgmgr32.dll
Deleting: C:\WINDOWS\system32\en8ql1l51.dll
Successfully Deleted: C:\WINDOWS\system32\en8ql1l51.dll
Deleting: C:\WINDOWS\system32\iDsacct.dll
Successfully Deleted: C:\WINDOWS\system32\iDsacct.dll
Deleting: C:\WINDOWS\system32\iymontr.dll
Successfully Deleted: C:\WINDOWS\system32\iymontr.dll
Deleting: C:\WINDOWS\system32\kkdlt1.dll
Successfully Deleted: C:\WINDOWS\system32\kkdlt1.dll
Deleting: C:\WINDOWS\system32\l28mlcl11fq.dll
Successfully Deleted: C:\WINDOWS\system32\l28mlcl11fq.dll
Deleting: C:\WINDOWS\system32\mmjter40.dll
Successfully Deleted: C:\WINDOWS\system32\mmjter40.dll
Deleting: C:\WINDOWS\system32\r0p80a7ued.dll
Successfully Deleted: C:\WINDOWS\system32\r0p80a7ued.dll
Deleting: C:\WINDOWS\system32\s488lelu1hq8.dll
Successfully Deleted: C:\WINDOWS\system32\s488lelu1hq8.dll
Deleting: C:\WINDOWS\system32\tgaffic.dll
Successfully Deleted: C:\WINDOWS\system32\tgaffic.dll
Deleting: C:\WINDOWS\system32\upbui.dll
Successfully Deleted: C:\WINDOWS\system32\upbui.dll
Deleting: C:\WINDOWS\system32\wraueng1.dll
Successfully Deleted: C:\WINDOWS\system32\wraueng1.dll
Deleting: C:\WINDOWS\system32\wrnetmgr.dll
Successfully Deleted: C:\WINDOWS\system32\wrnetmgr.dll

msg11?.dll
0 file(s) copied.

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkhh]
"Asynchronous"=dword:00000001
"DllName"="pmkhh.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l28mlcl11fq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjjq32]
"Asynchronous"=dword:00000001
"DllName"="winjjq32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ahrsvc.dll
C:\WINDOWS\system32\aurace.dll
C:\WINDOWS\system32\ctgmgr32.dll
C:\WINDOWS\system32\en8ql1l51.dll
C:\WINDOWS\system32\iDsacct.dll
C:\WINDOWS\system32\iymontr.dll
C:\WINDOWS\system32\kkdlt1.dll
C:\WINDOWS\system32\l28mlcl11fq.dll
C:\WINDOWS\system32\mmjter40.dll
C:\WINDOWS\system32\r0p80a7ued.dll
C:\WINDOWS\system32\s488lelu1hq8.dll
C:\WINDOWS\system32\tgaffic.dll
C:\WINDOWS\system32\upbui.dll
C:\WINDOWS\system32\wraueng1.dll
C:\WINDOWS\system32\wrnetmgr.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}\InprocServer32]
@="C:\\WINDOWS\\system32\\wrnetmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}\InprocServer32]
@="C:\\WINDOWS\\system32\\ahrsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxdit.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}\InprocServer32]
@="C:\\WINDOWS\\system32\\upbui.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CC7AAB97-852A-460D-94BE-DF24897EBE4C}"=-
"{240246AE-70EB-4CE3-86EC-25300A8A5009}"=-
"{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}"=-
"{05DBA331-9A00-4969-8057-D94F1F48D407}"=-

[-HKEY_CLASSES_ROOT\CLSID\{CC7AAB97-852A-460D-94BE-DF24897EBE4C}]
[-HKEY_CLASSES_ROOT\CLSID\{240246AE-70EB-4CE3-86EC-25300A8A5009}]
[-HKEY_CLASSES_ROOT\CLSID\{EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6}]
[-HKEY_CLASSES_ROOT\CLSID\{05DBA331-9A00-4969-8057-D94F1F48D407}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Checking for L2MFix account(0=no 1=yes): 0

Zipping up files for submission:
  adding: dlls/ahrsvc.dll (164 bytes security) (deflated 6%)
  adding: dlls/aurace.dll (164 bytes security) (deflated 4%)
  adding: dlls/ctgmgr32.dll (164 bytes security) (deflated 4%)
  adding: dlls/en8ql1l51.dll (164 bytes security) (deflated 5%)
  adding: dlls/iDsacct.dll (164 bytes security) (deflated 4%)
  adding: dlls/iymontr.dll (164 bytes security) (deflated 5%)
  adding: dlls/kkdlt1.dll (164 bytes security) (deflated 5%)
  adding: dlls/l28mlcl11fq.dll (164 bytes security) (deflated 5%)
  adding: dlls/mmjter40.dll (164 bytes security) (deflated 5%)
  adding: dlls/r0p80a7ued.dll (164 bytes security) (deflated 4%)
  adding: dlls/s488lelu1hq8.dll (164 bytes security) (deflated 5%)
  adding: dlls/tgaffic.dll (164 bytes security) (deflated 5%)
  adding: dlls/upbui.dll (164 bytes security) (deflated 5%)
  adding: dlls/wraueng1.dll (164 bytes security) (deflated 4%)
  adding: dlls/wrnetmgr.dll (164 bytes security) (deflated 5%)
  adding: backregs/05DBA331-9A00-4969-8057-D94F1F48D407.reg (212 bytes security) (deflated 70%)
  adding: backregs/240246AE-70EB-4CE3-86EC-25300A8A5009.reg (212 bytes security) (deflated 70%)
  adding: backregs/CC7AAB97-852A-460D-94BE-DF24897EBE4C.reg (212 bytes security) (deflated 70%)
  adding: backregs/EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6.reg (212 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
  adding: backregs/shell.reg (164 bytes security) (deflated 73%)
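As an added example (not part of the thread and not code from the L2MFix tool), here is a small Python checker for the Winlogon\Notify export that appears in the L2MFix log above: it decodes both the quoted and the hex(2) UTF-16LE forms of DllName, compares each subkey against the notification packages a stock Windows XP install registers, and reports everything else, which is exactly where pmkhh, winjjq32 and the look-alike WebCheck entry surface. The stock-package allowlist is an assumption of mine that matches the non-malicious entries in the log, the embedded export is a constructed excerpt of that log, and the `trusted` parameter for vetted third-party packages such as Symantec's NavLogon is my own addition.

```python
import re

# Constructed excerpt of the Winlogon\Notify export in the L2MFix log above,
# in regedit 5.00 syntax: REG_EXPAND_SZ values are exported as hex(2) UTF-16LE
# and long values wrap onto a second line with a trailing backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkhh]
"Asynchronous"=dword:00000001
"DllName"="pmkhh.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"DllName"="C:\\WINDOWS\\system32\\l28mlcl11fq.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjjq32]
"DllName"="winjjq32.dll"
'''

# Assumed allowlist: the notification packages a stock Windows XP SP2 install
# registers (subkey -> DLL base name); it matches the clean entries in the log.
XP_DEFAULT_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
NOTIFY_KEY = "\\winlogon\\notify\\"   # matched case-insensitively


def _join_continuations(text):
    """Regedit wraps long values with a trailing backslash; glue those lines back."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_reg_sections(text):
    """Return {key_path: {value_name: raw_value_text}} for a .reg export."""
    sections, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            sections[current][name] = raw
    return sections


def decode_dll_value(raw):
    """Decode a DllName value: quoted REG_SZ (regedit doubles backslashes) or hex(2) UTF-16LE."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def suspicious_notify_packages(reg_text, trusted=None):
    """Flag Notify subkeys that are not known packages, or whose DLL was swapped.

    Returns a list of (subkey, dll_basename, reason). `trusted` adds vetted
    third-party packages, e.g. {"NavLogon": "navlogon.dll"}.
    """
    known = dict(XP_DEFAULT_NOTIFY)
    known.update({k.lower(): v.lower() for k, v in (trusted or {}).items()})
    findings = []
    for key, values in parse_reg_sections(reg_text).items():
        pos = key.lower().find(NOTIFY_KEY)
        if pos < 0:
            continue
        subkey = key[pos + len(NOTIFY_KEY):]
        if "\\" in subkey:
            continue                      # deeper key, not a package entry
        raw = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if raw is None:
            findings.append((subkey, "", "no DllName value"))
            continue
        dll = decode_dll_value(raw).rsplit("\\", 1)[-1].lower()
        expected = known.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "not a stock Windows XP notification package"))
        elif dll != expected:
            findings.append((subkey, dll, "expected %s" % expected))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in suspicious_notify_packages(
            SAMPLE_REG, trusted={"NavLogon": "navlogon.dll"}):
        print("%-10s -> %-18s %s" % (subkey, dll or "(none)", reason))
```

The same function works on a live export taken with `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`, read as UTF-16 text.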

#8 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 14 February 2006 - 08:13 PM

Hi sawjai;
Please post a fresh Hijack This log into this topic.

To post please use the Add Reply feature, so I will be notified.

#9 sawjai

sawjai

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 14 February 2006 - 08:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:17:49 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VXNlcg\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Network Monitor\netmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\winsysban8.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\windows\system32\rldsregj.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\PROGRA~1\COMMON~1\uruo\uruom.exe
C:\Program Files\tiar\caat.exe
C:\WINDOWS\system32\?ttrib.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\owinmsap.exe
C:\PROGRA~1\COMMON~1\uruo\uruoa.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\owinmsap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020searc...884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsdFF.dll
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmbxjc.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsw13F.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {EE597FB2-E02E-E7D3-75E6-C09EFD3556C8} - C:\WINDOWS\system32\qlqo.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe
O4 - HKLM\..\Run: [0ce80unc.dll] RUNDLL32.EXE 0ce80unc.dll,b 60875
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [{5F-F4-4C-C7-ZN}] C:\windows\system32\rldsregj.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinmsap.exe CORN001
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [uruo] C:\PROGRA~1\COMMON~1\uruo\uruom.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Lapt] "C:\Program Files\tiar\caat.exe" -vt yax
O4 - HKCU\..\Run: [Tknpdji] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinmsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload192a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c32.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

#10 Piatan (SuperMember, Authentic Member, 1,825 posts)

Posted 15 February 2006 - 09:55 AM

Hi sawjai;

Sorry, I neglected an important step for users of Norton.

Turning off Script Blocking in Norton AntiVirus

Situation:
You want to turn off (disable) the script blocking feature when using Norton AntiVirus.
Solution:
To disable Norton AntiVirus Script Blocking

1. Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
2. Click Options.
If you see a menu, click Norton AntiVirus.
3. In the left pane, click Script Blocking.
4. In the right pane, uncheck Enable Script Blocking (recommended).
5. Click OK.

Please leave Script Blocking off, until we have completely finished, as turning it back on before that may nullify our efforts.

Then,
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
Please be sure the entire contents of the L2M log has posted to this topic.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#11 sawjai (New Member, Authentic Member, 14 posts)

Posted 15 February 2006 - 06:57 PM

Hi Piatan, I don't have Norton Antivirus but I do have Symantec Antivirus. I disabled its File System Realtime Protection since I couldn't find a Script Blocking feature in it. Hopefully disabling that did the job. -sawjai

L2mfix 010406

Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 432 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 504 'winlogon.exe'
Killing PID 504 'winlogon.exe'
Killing PID 504 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1452 'explorer.exe'
Killing PID 1452 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1788 'rundll32.exe'
Killing PID 1872 'rundll32.exe'
Killing PID 1872 'rundll32.exe'
Killing PID 1872 'rundll32.exe'
Killing PID 1872 'rundll32.exe'

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkjk]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\pmkjk.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l28mlcl11fq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjjq32]
"Asynchronous"=dword:00000001
"DllName"="winjjq32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************

Desktop.ini Contents:
****************************************************************************
****************************************************************************

Checking for L2MFix account(0=no 1=yes): 0

Zipping up files for submission:
  adding: dlls/ahrsvc.dll (164 bytes security) (deflated 6%)
  adding: dlls/aurace.dll (164 bytes security) (deflated 4%)
  adding: dlls/ctgmgr32.dll (164 bytes security) (deflated 4%)
  adding: dlls/en8ql1l51.dll (164 bytes security) (deflated 5%)
  adding: dlls/iDsacct.dll (164 bytes security) (deflated 4%)
  adding: dlls/iymontr.dll (164 bytes security) (deflated 5%)
  adding: dlls/kkdlt1.dll (164 bytes security) (deflated 5%)
  adding: dlls/l28mlcl11fq.dll (164 bytes security) (deflated 5%)
  adding: dlls/mmjter40.dll (164 bytes security) (deflated 5%)
  adding: dlls/r0p80a7ued.dll (164 bytes security) (deflated 4%)
  adding: dlls/s488lelu1hq8.dll (164 bytes security) (deflated 5%)
  adding: dlls/tgaffic.dll (164 bytes security) (deflated 5%)
  adding: dlls/upbui.dll (164 bytes security) (deflated 5%)
  adding: dlls/wraueng1.dll (164 bytes security) (deflated 4%)
  adding: dlls/wrnetmgr.dll (164 bytes security) (deflated 5%)
  adding: backregs/05DBA331-9A00-4969-8057-D94F1F48D407.reg (212 bytes security) (deflated 70%)
  adding: backregs/240246AE-70EB-4CE3-86EC-25300A8A5009.reg (212 bytes security) (deflated 70%)
  adding: backregs/CC7AAB97-852A-460D-94BE-DF24897EBE4C.reg (212 bytes security) (deflated 70%)
  adding: backregs/EA0CB2CA-8474-4F60-96BB-97C4C41C6AD6.reg (212 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
  adding: backregs/shell.reg (164 bytes security) (deflated 73%)

#12 Piatan (SuperMember, Authentic Member, 1,825 posts)

Posted 16 February 2006 - 02:09 PM

Hi sawjai

Please run Hijack This again. Scan and copy the log, then paste it into this topic.

Please use the Add Reply feature to post, so I will be notified.

It should tell us if the L2m fix was any more effective.

Edited by Piatan, 16 February 2006 - 02:09 PM.


#13 sawjai (New Member, Authentic Member, 14 posts)

Posted 16 February 2006 - 08:07 PM

I feel like the computer's getting worse. It took me 30 minutes to get this HijackThis log. Hope I'm getting closer to fixing this.

Logfile of HijackThis v1.99.1
Scan saved at 9:05:20 PM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\VXNlcg\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Network Monitor\netmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\windows\system32\rldsregj.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\PROGRA~1\COMMON~1\uruo\uruom.exe
C:\Program Files\tiar\caat.exe
C:\WINDOWS\system32\wgse.exe
C:\WINDOWS\system32\?ttrib.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\owinmsai.exe
c:\windows\winsysban9.exe
C:\WINDOWS\system32\inst_0006.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpyFalcon\spyfalcon.exe
C:\Program Files\SpyFalcon\spyfalcon.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020searc...884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpC66F.tmp
O2 - BHO: ADOUsefulNet Object - {7CB093AC-11DF-46D5-9343-CE4BD90C159C} - C:\WINDOWS\system32\pmkjk.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] c:\windows\gimmygames9.exe
O4 - HKLM\..\Run: [0ce80unc.dll] RUNDLL32.EXE 0ce80unc.dll,b 60875
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [{5F-F4-4C-C7-ZN}] C:\windows\system32\rldsregj.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinmsai.exe CORN001
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [MTE2ODI6ODoxNg.exeTR] C:\WINDOWS\system32\MTE2ODI6ODoxNg.exeTR
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [uruo] C:\PROGRA~1\COMMON~1\uruo\uruom.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Lapt] "C:\Program Files\tiar\caat.exe" -vt yax
O4 - HKCU\..\Run: [Tknpdji] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinmsai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload192a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c32.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

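The reading a helper does on a log like the one above can be made repeatable. The following is an added example in Python, not HijackThis code and not part of this thread: it parses HijackThis "Oxx - ..." entry lines and applies checks that mirror what is being picked out by eye here: O4 entries with no absolute path, executables dropped directly into the Windows directory, a "?" in a file name (a character the log could not display), every O15 Trusted Zone addition, a non-empty AppInit_DLLs, Winlogon Notify DLLs outside a Windows XP default baseline, SSODL entries, O23 services with an unknown owner, and directory or file names that decode as readable base64 (the VXNlcg folder of the cmdService above decodes to "User"). The sample lines are copied from the posted log; the Notify baseline, the rule names and the heuristics themselves are this example's own assumptions, so a legitimate third-party entry such as Symantec's NavLogon is listed for review as well.

```python
"""Offline triage of a HijackThis 1.99 log (added example, not HijackThis code).

Parses the "Oxx - ..." entry lines and applies the checks a helper does by eye on
the O4, O10, O15, O20, O21 and O23 sections. SAMPLE_LOG is copied from the log
posted above. XP_NOTIFY_DLLS is this example's own baseline of default Windows XP
Winlogon Notify DLLs (an assumption), so Symantec's NavLogon is listed for review too.
"""
import base64
import binascii
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

XP_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe
O4 - HKLM\..\Run: [0ce80unc.dll] RUNDLL32.EXE 0ce80unc.dll,b 60875
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [MTE2ODI6ODoxNg.exeTR] C:\WINDOWS\system32\MTE2ODI6ODoxNg.exeTR
O4 - HKCU\..\Run: [Tknpdji] C:\WINDOWS\system32\?ttrib.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.xxxtoolbar.com
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First absolute path up to a binary extension; tolerates unquoted spaces and odd
# suffixes such as .exeTR (the trailing \w*).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|scr|bat|cmd)\w*', re.IGNORECASE)


def decode_base64_name(name: str, min_len: int = 4) -> Optional[str]:
    """Plaintext if `name` is base64 for >= min_len printable ASCII chars, else None."""
    if len(name) < 6 or not re.fullmatch(r"[A-Za-z0-9+/]+", name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < min_len or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def triage(text: str) -> Dict[str, object]:
    """Return {'findings': [(rule, line), ...], 'lsp_hijackers': Counter}."""
    findings: List[Tuple[str, str]] = []
    lsp: Counter = Counter()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body, raw = m.group(1), m.group(2), line.strip()
        path = PATH_RE.search(body)
        if section == "O4":
            if not path:  # bare file name: resolved through the search path at logon
                findings.append(("unqualified_path", raw))
                continue
            parts = path.group(0).lower().split("\\")
            if len(parts) == 3 and parts[1] == "windows":  # dropped straight into %WINDIR%
                findings.append(("windows_root_exe", raw))
            if "?" in parts[-1]:  # '?' is illegal in NTFS names: a character the log could not display
                findings.append(("undisplayable_filename", raw))
        elif section == "O10":  # Winsock LSP chain: count entries per hijacker
            lsp[body.rsplit(" by ", 1)[-1]] += 1
        elif section == "O15":  # Trusted Zone domains get relaxed IE security settings
            findings.append(("trusted_zone", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):  # loaded into every user32 process
            findings.append(("appinit_dll", raw))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            dll = body.split(" - ", 1)[-1].split(" (")[0].rsplit("\\", 1)[-1].lower()
            if dll not in XP_NOTIFY_DLLS:
                findings.append(("nondefault_notify_dll", raw))
        elif section == "O21":  # ShellServiceObjectDelayLoad: runs when Explorer starts
            findings.append(("ssodl", raw))
        elif section == "O23" and "Unknown owner" in body:  # no company name in the binary
            findings.append(("unknown_owner_service", raw))
        if path and section in ("O4", "O23"):  # base64 directory/file names, e.g. VXNlcg == "User"
            for comp in path.group(0).split("\\")[1:]:
                plain = decode_base64_name(comp.rsplit(".", 1)[0])
                if plain:
                    findings.append(("base64_name", f"{raw}  [{comp} -> {plain!r}]"))
    return {"findings": findings, "lsp_hijackers": lsp}


def rules_hit(text: str) -> Counter:
    """Findings per rule: the summary to skim before reading the raw lines."""
    return Counter(rule for rule, _ in triage(text)["findings"])
```

Run `triage(SAMPLE_LOG)` on the full posted log instead of the excerpt and every suspicious line this thread works through is listed under one of the rules, while the plain iTunes, Symantec and New.Net O4 lines pass. The base64 check is deliberately strict (only the standard alphabet, at least four printable decoded characters) so that ordinary names such as system32 or Common Files do not trigger it.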
#14 Piatan (SuperMember, Authentic Member, 1,825 posts)

Posted 17 February 2006 - 11:40 AM

Hi sawjai

As I said, there is a massive (no exaggeration) amount of Malware on your PC and that was only the first step in cleaning it. There will be additional steps that are required to remove additional Malware. Be patient and we will get it clean. Please take your time and follow all directions as closely as possible.

Please, copy and paste this text into a Notepad file and place it on your desktop to review as you work. Please read this text before beginning and proceed with the fix in the order given.

Optional - VIEWPOINT MANAGER Viewpoint Manager is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...61546 Additional info: http://vil.nai.com/v...t/v_137262.htm I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Fix the items identified in the HijackThis log below. Your call.

Optional - NEW DOT NET I suggest you remove NewDotNet unless you deliberately installed it. It is extremely dubious and commercially sponsored. First, please, go to Start > Settings > Control Panel > Add/Remove Programs and remove New.Net or NewDotNet if listed. If not listed, follow these instructions:
  • From a computer that has Internet access, click on the following link: http://www.new.net/support/uninstall6_76.exe.
  • Download and save uninstall6_76.exe to Local Disc C
  • Click on Start.
  • Click on Run.
  • In the Open window type, C:\uninstall6_76.exe
  • Click on the OK button.
  • After removal, you may be prompted to reboot/restart.
  • Please Reboot/Restart if not prompted.
Optional - WILDTANGENT WildTangent's privacy policy used to state that they also collect and share individuals' information, but this is no longer the case, according to what they say. It's considered to be foistware even though it may not spy anymore. Go to Start > Settings > Control Panel > Add/Remove Programs. If found, select the WildTangent entry and click 'Remove'. I leave it to you to decide if you want to keep it.


Boot into Safe Mode: Please do not reboot into normal mode until advised to below, or the fix will not be successful.

Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Go to Control Panel--Add/Remove Programs and Uninstall/Remove all instances of the following program. There may be more than one entry for it:

webHancer

Next: While remaining in SAFE MODE:

To stop a service and set to 'disabled'
WXP ONLY

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service. Network Monitor

Click once on the service to highlight it.

Click Stop

Right-Click on the service. Network Monitor

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'


Then, repeat the above steps to Stop a Service and disable it. This time the Service is, Command Service (cmdService).

Then, please reboot into NORMAL MODE.

Next:
Please download CWShredder, from one of the following sites.
http://www.trendmicr.../cwshredder.exe
http://www.majorgeek...dder_d3019.html
http://intermute.com...r_download.html

First, be sure to update CWShredder.
Then close every window, disconnect from Internet and doubleclick the CWShredder icon on your Desktop.
Click Fix and then Next, let it fix everything it asks about.

Then, please reboot into NORMAL MODE.


Next:
Please download the inf Files by Winhelp from http://www.mvps.org/.../DelDomains.inf
This will open a text document. Click on File --> Save as.... Save it to a conveniently reachable place such as My Documents. Right-click on it and select Install. This will remove all the entries in Trusted Zone.

Please note that if you use Spybot S&D, it will need to be re-immunized
and IE-Spyad will need to be re-installed, after using the INF file.
Please do not fail to do so, without delay.

Next:
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please do not run a scan yet.

Next:
Please download, install, and update the free version of Ewido Security Suite:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful".
Exit Ewido. DO NOT run a scan yet.

Next:
Please download and install Ad-Aware SE 1.06, and follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode again, by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Now scan with HijackThis and place a checkmark next to each of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020searc...884/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
    O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpC66F.tmp
    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
    O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
    O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
    O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd9.exe
    O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe
    O4 - HKLM\..\Run: [gimmygames] c:\windows\gimmygames9.exe
    O4 - HKLM\..\Run: [0ce80unc.dll] RUNDLL32.EXE 0ce80unc.dll,b 60875
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
    O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [{5F-F4-4C-C7-ZN}] C:\windows\system32\rldsregj.exe CORN001
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinmsai.exe CORN001
    O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
    O4 - HKLM\..\Run: [MTE2ODI6ODoxNg.exeTR] C:\WINDOWS\system32\MTE2ODI6ODoxNg.exeTR
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
    O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
    O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [uruo] C:\PROGRA~1\COMMON~1\uruo\uruom.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Lapt] "C:\Program Files\tiar\caat.exe" -vt yax
    O4 - HKCU\..\Run: [Tknpdji] C:\WINDOWS\system32\?ttrib.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinmsai.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.teensguru.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildt...iveLauncher.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload192a.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c32.cab
    O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


The following are recommended fixes:

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe


Click on Fix Checked when finished.

While remaining in SAFE MODE:

Please set your system to show all files; please see here if you're unsure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them:

    C:\WINDOWS\VXNlcg\command.exe
    c:\windows\winsysupd9.exe
    c:\windows\winsysban9.exe
    c:\windows\gimmygames9.exe


    C:\WINDOWS\system32\hpsw.exe
    C:\WINDOWS\system32\hpC66F.tmp
    C:\windows\system32\rldsregj.exe CORN001
    C:\WINDOWS\system32\owinmsai.exe CORN001
    C:\WINDOWS\system32\wintask.exe
    C:\WINDOWS\system32\mmxp2passion.exe
    C:\WINDOWS\system32\MTE2ODI6ODoxNg.exeTR
    C:\WINDOWS\system32\?ttrib.exe
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\system32\owinmsai.exe
    C:\WINDOWS\system32\dwdsregt.exe

    aim.exe

Please note: The following are all programs, so must also be Uninstalled/Removed in Control Panel-->Add/Remove Programs.

    C:\Program Files\SurfSideKick 3\Ssk.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
    C:\Program Files\Toolbar888\ToolBar888.dll
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\SpyFalcon\SpyFalcon.exe /h
    C:\Program Files\tiar\caat.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\Network\ipnetwork.exe
    C:\Program Files\webHancer\Programs\whagent.exe
    C:\Program Files\webHancer\Programs\whsurvey.exe

    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\Program Files\Common Files\Windows\mc-110-12-0000228.exe

    C:\PROGRA~1\COMMON~1\uruo\uruom.exe

    C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    C:\PROGRA~1\Jalmp\jalmp.dll

The following are OPTIONAL removals and are Programs, so must also be UNINSTALLED/REMOVED in Control Panel-->Add/Remove Programs.

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

    C:\Program Files\BitComet\BitComet.exe

    C:\Program Files\PartyPoker.net\partypokernet.exe




Next: While remaining in SAFE MODE:

Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-Aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans, ewido is finding cases of false positives. You will need to step through the process of cleaning files one by one. If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop; I will need to see the report later.
  • Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoft.../activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.

Let us know if any problems persist.


Please use the Add Reply feature to post, so I will be notified.

Note: Please do not edit the new HJT log. We need to see the entire log, without revisions.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

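As an added example (not part of the original thread, and not code from the HijackThis tool), here is a small Python parser for the HJT 1.99 log format quoted in the instructions above, with triage heuristics drawn from the kinds of entries the helper asked to fix (orphaned targets, unknown-owner services, executables started straight from C:\ or C:\WINDOWS\, Trusted Zone additions, hijacked search pages). It is a review aid for reading such a log, not a substitute for a helper's judgment; the sample lines are copied from the log in this thread.

```python
"""Added example, not from the original thread or the HijackThis tool: parse HJT 1.99
log lines and apply triage heuristics drawn from the entries the helper asked to fix."""
import re
from typing import Dict, List, Optional, Tuple

# Every HJT entry starts with a section code (R0, R1, R3, F2, O2 ... O23).
ENTRY = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
# O4 bodies come in two shapes: 'HKLM\..\Run: [name] cmd' and 'Startup: x.lnk = target'.
O4_BODY = re.compile(
    r"^(?P<where>.+?): (?:\[(?P<name>[^\]]*)\] ?(?P<cmd>.*)|(?P<lnk>[^=]+) = (?P<target>.*))$")

def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HJT log line into type, name and target; None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    entry = {"type": kind, "body": body, "name": "", "path": ""}
    if kind == "O4":
        m4 = O4_BODY.match(body)
        if m4:
            entry["name"] = (m4.group("name") or m4.group("lnk") or "").strip()
            entry["path"] = (m4.group("cmd") or m4.group("target") or "").strip()
    elif kind == "O23":  # 'Service: Display (short) - Owner - path'
        parts = body[len("Service: "):].split(" - ")
        if len(parts) >= 3:
            entry["name"], entry["owner"] = parts[0], parts[1]
            entry["path"] = " - ".join(parts[2:])
    elif kind in ("R3", "O2", "O3", "O18", "O20"):  # 'Label: name - {CLSID} - path'
        parts = body.split(" - ")
        entry["name"], entry["path"] = parts[0], parts[-1]
    elif kind in ("R0", "R1"):  # 'HKxx\...\Main,Value = data'
        entry["name"], _, entry["path"] = body.partition(" = ")
    elif kind == "O15":  # 'Trusted Zone: *.example.com'
        entry["path"] = body.partition(": ")[2]
    elif kind == "O16":  # 'DPF: {CLSID} (description) - URL'
        entry["path"] = body.rsplit(" - ", 1)[-1]
    return entry

def triage(entry: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) a reviewer should look twice at this entry."""
    kind, path = entry["type"], entry["path"]
    # First token of the command (honouring a quoted path), arguments stripped.
    exe = path.split('"')[1] if path.startswith('"') else path.split(" ")[0]
    low = exe.lower()
    reasons: List[str] = []
    if "(file missing)" in path or "(no file)" in path:
        reasons.append("orphaned entry: its target no longer exists")
    if "?" in path and kind != "O16":
        reasons.append("unprintable character in path (HJT shows it as '?'; hides the real name)")
    if kind in ("O4", "O23") and re.match(r"^c:\\(windows\\)?[^\\]+\.exe$", low):
        reasons.append("executable launched straight from C:\\ or C:\\WINDOWS\\")
    if kind == "O4" and exe and "\\" not in exe:
        if low.startswith("rundll32"):
            reasons.append("rundll32 loads a DLL at logon (inspect the DLL it names)")
        elif low.endswith(".exe"):
            reasons.append("bare executable name with no path (resolved via PATH search)")
    if kind == "O23" and entry.get("owner", "").lower() == "unknown owner":
        reasons.append("service with no publisher information")
    if kind == "O15":
        reasons.append("site added to the IE Trusted Zone (relaxed security settings)")
    if kind in ("R0", "R1") and path.lower().startswith("http"):
        reasons.append("IE search/start page points at an external URL")
    if kind == "O16" and low.endswith(".exe"):
        reasons.append("DPF entry downloads a bare .exe rather than a .cab")
    return reasons

def triage_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every line through the parser and keep those with at least one reason."""
    flagged = []
    for raw in lines:
        entry = parse_hjt_line(raw)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged.append((raw.strip(), reasons))
    return flagged

# Sample input: lines copied from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe
O4 - HKLM\..\Run: [0ce80unc.dll] RUNDLL32.EXE 0ce80unc.dll,b 60875
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Tknpdji] C:\WINDOWS\system32\?ttrib.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinmsai.exe
O15 - Trusted Zone: *.flingstone.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload192a.exe
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
""".strip().splitlines()

FLAGGED = triage_log(SAMPLE_LOG)  # 10 of the 13 sample lines trip at least one heuristic
```

Printing FLAGGED lists each flagged line with its reasons; the three Symantec, vptray and Startup lines pass every heuristic and are left out.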

#15 sawjai

sawjai

    New Member

  • Authentic Member
  • Pip
  • 14 posts

Posted 17 February 2006 - 06:58 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:38:51 PM, on 2/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\?dobe\n?pdb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\My Documents\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - URLSearchHook: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {1C1D4303-D896-D63E-990D-AE98BD10F5CA} - C:\WINDOWS\system32\kdpi.dll (file missing)
O2 - BHO: ADOUsefulNet Object - {7CB093AC-11DF-46D5-9343-CE4BD90C159C} - C:\WINDOWS\system32\pmkjk.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134798177\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Lapt] "C:\DOCUME~1\Chris\APPLIC~1\STEM32~1\mshta.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqnarmb] C:\WINDOWS\?dobe\n?pdb.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\l28mlcl11fq.dll (file missing)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:40:57 PM, 2/17/2006
+ Report-Checksum: 18CF0569

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004\Software\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-329068152-527237240-682003330-1004_Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
[216] C:\WINDOWS\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
[264] C:\WINDOWS\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
[276] C:\WINDOWS\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
[432] C:\WINDOWS\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
[496] C:\WINDOWS\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
[548] C:\WINDOWS\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
C:\cygwid.exe -> Downloader.Small.bmx : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\mdyreixl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@www.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@www3.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@www5.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/ahrsvc.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/aurace.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/ctgmgr32.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/en8ql1l51.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/iDsacct.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/iymontr.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/kkdlt1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/l28mlcl11fq.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/mmjter40.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/r0p80a7ued.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/s488lelu1hq8.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/tgaffic.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/upbui.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/wraueng1.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\backup.zip/dlls/wrnetmgr.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\ahrsvc.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\aurace.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\ctgmgr32.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\en8ql1l51.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\iDsacct.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\iymontr.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\kkdlt1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\l28mlcl11fq.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\mmjter40.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\r0p80a7ued.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\s488lelu1hq8.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\tgaffic.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\upbui.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\wraueng1.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Chris\Desktop\l2mfix\dlls\wrnetmgr.dll -> Adware.Look2Me : Cleaned with backup
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\hfdk8yv9.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.11:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\hfdk8yv9.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.12:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\hfdk8yv9.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@bfast[1].txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@sprintnlc.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@www6.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\myiadmin\Cookies\myiadmin@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Cookies\myiadmin@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Temporary Internet Files\Content.IE5\6E6NUNYW\winsysban5[1].exe -> Hijacker.VB.kc : Cleaned with backup
C:\Documents and Settings\myiadmin\Local Settings\Temp\Temporary Internet Files\Content.IE5\6E6NUNYW\winsysupd5[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\fran-forever.exe -> Adware.EZula : Cleaned with backup
C:\gimmygames.exe -> Downloader.VB.vr : Cleaned with backup
C:\Installer.exe -> Adware.Look2Me : Cleaned with backup
C:\installerus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\inst_0004.exe -> Downloader.Small.cam : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Jalmp\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\release.exe -> Dropper.Agent.hl : Cleaned with backup
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\ucmoreiex_.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\ucmoreiex_.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\2010.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\mm63.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\mm83.ocx -> Downloader.VB.ov : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\WINDOWS\seli.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
C:\WINDOWS\system32\AdService.dll -> Downloader.Agent.aej : Cleaned with backup
C:\WINDOWS\system32\dcom_13.dll -> Trojan.Agent.nl : Cleaned with backup
C:\WINDOWS\system32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\owinmsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pre2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\system32\whCC-CLICK.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\VXNlcg\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\winsysban6.exe -> Hijacker.VB.ld : Cleaned with backup
C:\WINDOWS\winsysban7.exe -> Hijacker.VB.le : Cleaned with backup
C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
C:\WINDOWS\winsysupd6.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd7.exe -> Downloader.VB.wg : Cleaned with backup
C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup
C:\winsysban5.exe -> Hijacker.VB.kc : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End




smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 02/17/2006
The current time is: 17:35:15.25

Running from
C:\Documents and Settings\Chris\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_14.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
@="C:\WINDOWS\system32\dxmpp.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

atmtd.dll
atmtd.dll._
1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 968 'explorer.exe'
Killing PID 968 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_14.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
@="C:\WINDOWS\system32\dxmpp.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)




I can't thank you enough. The computer is performing much better now. I did get a pop-up before the last restart though, but I haven't had one yet. I followed your directions as closely as possible, but I didn't uninstall aim.exe since I need that. Unless there's something wrong with it, let me know. Hope the logs show that I'm clean.
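
A note on the two SharedTaskScheduler exports in the smitRem log above: the "before" and "after registry fix" dumps are identical, so the repair step left all four entries in place. Two of them are not the stock browseui.dll entries: "DCOM Server" loads C:\WINDOWS\system32\dcom_14.dll (the earlier scan log lists system32\dcom_13.dll as Trojan.Agent.nl), and "Wheel Mouse Optical Driver" loads dxmpp.dll from a class registered under HKEY_CURRENT_USER rather than HKLM, which is a per-user registration that overrides the machine-wide one in the merged HKEY_CLASSES_ROOT view. The script below is an added example for this thread, not code from smitRem, GetSTS or any helper's instructions. It parses the GetSTS pseudo-registry format, flags entries outside an assumed baseline (the two browseui.dll CLSIDs visible in the log), notes per-user class registrations, and diffs a pre-run export against a post-run one so you can see whether a fix actually removed anything. The sample input is a constructed copy of the export above; the baseline and the flagging rules are my assumptions, not anything the page states.

```python
"""Triage a GetSTS.exe SharedTaskScheduler export of the kind smitRem logs.

Added example for this thread, not code from smitRem or GetSTS. Assumptions
(mine): the baseline is the two browseui.dll-backed CLSIDs seen in the log,
anything else Explorer loads through SharedTaskScheduler deserves a look, and
a class registered under HKEY_CURRENT_USER overrides the HKLM class of the
same CLSID for that user.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input: the export from the smitRem log above, trimmed.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINDOWS\system32\dcom_14.dll"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
@="C:\WINDOWS\system32\dxmpp.dll"
"""

# Assumed baseline: the stock Windows XP entries shown in the log.
BASELINE_CLSIDS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}
BASELINE_SERVERS = {"browseui.dll"}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))="(?P<data>.*)"$')
CLSID_KEY_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\SOFTWARE\\Classes\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32$",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    clsid: str
    description: str
    hive: Optional[str]
    server: Optional[str]
    reasons: Tuple[str, ...]


def parse_export(text: str) -> Tuple[Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Return (entries: clsid -> description, servers: clsid -> (hive, dll path)).

    CLSIDs are upper-cased so HKLM and HKCU registrations of one class collide,
    and an HKCU registration wins over HKLM, mirroring the merged HKCR view.
    """
    entries: Dict[str, str] = {}
    servers: Dict[str, Tuple[str, str]] = {}
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_m = KEY_RE.match(line)
        if key_m:
            current_key = key_m.group("key")
            continue
        val_m = VALUE_RE.match(line)
        if not val_m:
            continue
        name = val_m.group("name") or "@"
        data = val_m.group("data")
        if current_key.upper().endswith("\\EXPLORER\\SHAREDTASKSCHEDULER"):
            entries[name.upper()] = data
            continue
        clsid_m = CLSID_KEY_RE.match(current_key)
        if clsid_m and name == "@":
            clsid, hive = clsid_m.group("clsid").upper(), clsid_m.group("hive").upper()
            if clsid not in servers or hive == "HKEY_CURRENT_USER":
                servers[clsid] = (hive, data)
    return entries, servers


def triage(text: str) -> List[Finding]:
    """Flag SharedTaskScheduler entries that differ from the assumed baseline."""
    entries, servers = parse_export(text)
    findings: List[Finding] = []
    for clsid, description in entries.items():
        reasons: List[str] = []
        hive, server = servers.get(clsid, (None, None))
        if clsid not in BASELINE_CLSIDS:
            reasons.append("CLSID not in baseline")
        if server is None:
            reasons.append("no InProcServer32 registered (dangling entry)")
        else:
            dll = ntpath.basename(server).lower()
            if dll not in BASELINE_SERVERS:
                reasons.append(f"server {dll} not in baseline")
            if hive == "HKEY_CURRENT_USER":
                reasons.append("class registered under HKCU, overriding HKLM for this user")
        if reasons:
            findings.append(Finding(clsid, description, hive, server, tuple(reasons)))
    return findings


def removed_between(before: str, after: str) -> List[str]:
    """CLSIDs present in a pre-run export and gone from the post-run export.

    smitRem prints both; an empty list means the fix left every entry in place.
    """
    pre, _ = parse_export(before)
    post, _ = parse_export(after)
    return sorted(set(pre) - set(post))


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f'{f.clsid} "{f.description}" -> {f.server} [{f.hive}]: {"; ".join(f.reasons)}')
    # The log's pre- and post-fix exports are identical, so nothing was removed.
    print("removed by fix:", removed_between(SAMPLE_EXPORT, SAMPLE_EXPORT) or "nothing")
```

Run against the export above it reports the dcom_14.dll and dxmpp.dll entries and an empty removal list; feeding it the real pre-run and post-run blocks from a smitRem log is the quick way to confirm whether the registry repair touched the entries you care about before deciding what still needs a manual fix.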
