Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Newbie who has been hijacked big!


  • This topic is locked This topic is locked
17 replies to this topic

#1 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 25 December 2005 - 09:21 PM

Hi,
I have WinXP SP2, and I got hijacked bad last week. I have used Spybot, AdAware, Pest Patrol, MS Anti Spyware, and Norton System Works. Anti Virus and all programs are up to date. I have eradicated over a hundred (!) spywares, but still get a mid screen popup on a regular basis when connected to internet. I also get a new browser window to pop up randomly, with an unknown URL in it, when IE is open. I have also noted that my computer will instantly shut off after about a half hour of use, then upon reboot, will go for hours. I have not ruled out hardware problems, but this started at the same time.

Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 8:48:46 PM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Grand Master HooHa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fredoneverything.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124561307953
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\mvp8l97u1.dll
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Any help is greatly appreciated.

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 25 December 2005 - 09:42 PM

Hello Timcorny, welcome to the forum.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 25 December 2005 - 11:22 PM

OK, done as said. I noticed Ewido found something as soon as I rebooted normally, which it cleaned. I have also received a pop up browser screen.

Here is my Ewido log, followed by the new Hijack This log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:09:38 PM, 12/25/2005
+ Report-Checksum: 3D124F69

+ Scan result:

HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
[656] C:\WINDOWS\system32\assldpc.dll -> Spyware.Look2Me : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Grand Master HooHa\Application Data\Mozilla\Firefox\Profiles\j6sc3o9q.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@coxhsi.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@e-2dj6wfkigiczadq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@e-2dj6wjkykkcjcfo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\Cookies\grand master hooha@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temp\E9E3CF.tmp/Quicklinks.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\4DUZ0H63\toolbar[1].txt -> Downloader.Adload.j : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\C5QN0LYF\tool1[1].txt -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\GL2Z8HQV\country[1].htm -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\GL2Z8HQV\hosts[1].txt -> Trojan.Qhost.el : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\IJYBC54Z\9400[1].cab/Quicklinks.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\K16V492N\ltndload[1].dll -> Adware.Sud : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\K16V492N\tool4[1].txt -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\KNS9ERMT\drsmartload[1].exe -> Downloader.Adload.l : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\Q5NW5G3Q\installerus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\Q9TY3E5O\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\RQ43BT4P\ltndmain[1].dll -> Adware.Sud : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\RQ43BT4P\tool5[1].txt -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\T4KVL5GL\inst_0004[1].exe -> Downloader.Small.cam : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\WDULKH6F\mir[1].exe -> Proxy.Wopla.n : Cleaned with backup
C:\Documents and Settings\Grand Master HooHa\Local Settings\Temporary Internet Files\Content.IE5\XBJ7TXO2\tool2[1].txt -> Hijacker.Spywad.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\146FCFE3-4119-455F-97FB-1885B3\08C3403D-9286-4944-976A-AA91F4 -> Downloader.Qoologic.az : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\146FCFE3-4119-455F-97FB-1885B3\240C7529-B1E6-446E-B596-6E71A1 -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9073CE2B-5A1E-4D35-A1E8-EB19EC\05C6F247-C3DF-419A-856A-024D4F -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9073CE2B-5A1E-4D35-A1E8-EB19EC\B7A79035-16C1-434E-8A37-2B6F8E -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9073CE2B-5A1E-4D35-A1E8-EB19EC\CF02721C-15E0-4F25-B6C1-38333F -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AA9F9FA0-AFF9-42CC-8387-9BF814\C5ED9549-CAA4-4E8E-9DF3-1BC7C6 -> Adware.Sud : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/Program Files/spysheriff/heur002.dll -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/Program Files/spysheriff/IESecurity.dll -> Spyware.SpywareNo : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/Program Files/spysheriff/ProcMon.dll -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/Program Files/spysheriff/Uninstall.exe -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/WINDOWS/system32/child.dll -> Downloader.Small.bug : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/WINDOWS/VGltIENvcm5lbGl1cw/command.exe -> Adware.CommAd : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/WINDOWS/VGltIENvcm5lbGl1cw/asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/Documents and Settings/Grand Master HooHa/Application Data/Sun/Java/Deployment/cache/javapi/v1.0/file/Dummy.class-451cae74-7ffe8ca6.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/WINDOWS/desktop.html -> Hijacker.Generic : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051218133630.zip/WINDOWS/inet20002/alg.exe -> Worm.Delf.i : Cleaned with backup
C:\RECYCLER\NPROTECT\00000000.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00000019.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\S-1-5-21-861567501-1383384898-725345543-500\Dc1.exe -> Logger.Small.dg : Cleaned with backup
C:\RECYCLER\S-1-5-21-861567501-1383384898-725345543-500\Dc2.exe -> Downloader.PassAlert.e : Cleaned with backup
C:\WINDOWS\system32\0wsogti2.dll -> Adware.Sud : Cleaned with backup
C:\WINDOWS\system32\assldpc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\casetacl.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\chmdlg32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cRtsrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\en64l1jq1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\enn6l15s1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g6402ghmg64a2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gp00l3dm1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gp0ql3d51.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\GSFSPidGen.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\h60q0gd5e60.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hagbccla.exe -> Proxy.Wopla.n : Cleaned with backup
C:\WINDOWS\system32\hr8m05l1e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\i4jqle151h.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\irakeng.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jt0207doe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jt6207joe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l00ulad91d0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l6n40g5qe6.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\maieftp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mericons.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mkencode.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\msc71.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\msrddm.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvnql9551.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\o2ro0c93ef.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\o4840elqehqe0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\r26ulcj91fo.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\r46ulej91ho.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sbripto.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\smellstyle.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sxeio.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\vgactl.cpl -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\wdaservc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\tool2.exe -> Hijacker.Spywad.n : Cleaned with backup
C:\winstall.exe -> Hijacker.Spywad.n : Cleaned with backup
G:\Documents and Settings\fff\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup
G:\Documents and Settings\fff\Local Settings\Temp\__unin__.exe -> Spyware.Altnet : Cleaned with backup
G:\WINNT\Temp\Altnet\adm25.dll -> Spyware.Altnet : Cleaned with backup
G:\WINNT\Temp\Altnet\admdloader.dll -> Spyware.Altnet : Cleaned with backup
G:\WINNT\Temp\Altnet\admfdi.dll -> Spyware.Altnet : Cleaned with backup
G:\WINNT\Temp\Altnet\admprog.dll -> Adware.Altnet : Cleaned with backup


::Report End


Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:14:28 PM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Grand Master HooHa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fredoneverything.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124561307953
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\dnr2019oe.dll
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for your help.

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 December 2005 - 07:40 AM

Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL



Next, launch Notepad (Start>All Programs>Accessories), and copy/paste all the

blue REGEDIT below to it (include the REGEDIT4 )
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\MCD]






Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\dnr2019oe.dll
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - (no file)


Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINDOWS\system32\dnr2019oe.dll




1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove.
Check all boxes except compress old files (If listed)
7. Click OK and windows will comply.

Restart your computer.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 26 December 2005 - 09:42 PM

OK, followed your instructions. Here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:19 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Grand Master HooHa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fredoneverything.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124561307953
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\p86s0ij7e8o.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Noticed 16 and 20 are still there. I repeated your instructions, thinking I missed something. Same results.
The file Windows\system32\dnr2019oe.dll was not there.
Upon boot, I get a message "An exception occured while trying to run "'C:\windows\system32\pgpusd.dll", DllGetVersion"
Ewido finds spyware.look2me in file guard.tmp. I clean it. Should I delete .tmp files?
I have gotten a new browser window open up with advertising, and Ihave also gotten a popup graphic.

Thanks for the help.

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 26 December 2005 - 09:46 PM

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 28 December 2005 - 05:33 PM

L2MFIX find log 122705 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\fp4603hse.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{FC83C4D4-5680-EB51-7C30-CE2F86CEC4D2}"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail" "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" "{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW" "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{7D5C4BDD-B015-4401-8731-1507B87DE297}"="QBVersionTool" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice Property Sheet Handler" "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension" "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes" "{12656CAB-9220-4990-915E-8AD3DCFDFDF1}"="" "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band" "{D72B98B2-B328-4F1B-951D-285A9C9D251E}"="" "{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}"="" "{0D82A745-A9F3-4437-AEB3-55FC86358178}"="" ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}] @="" [HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}\InprocServer32] @="C:\\WINDOWS\\system32\\dgnetlib.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}] @="" [HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}\InprocServer32] @="C:\\WINDOWS\\system32\\smellstyle.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}] @="" [HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}] @="" [HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}\InprocServer32] @="C:\\WINDOWS\\system32\\assldpc.dll" "ThreadingModel"="Apartment" ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ archi.dll Mon Dec 19 2005 4:59:44p A.... 12,800 12.50 K bassmod.dll Sun Nov 20 2005 9:54:26p A.... 34,308 33.50 K browseui.dll Wed Nov 23 2005 7:06:34p A.... 1,022,464 998.50 K cdfview.dll Thu Oct 20 2005 9:39:26p A.... 151,040 147.50 K danim.dll Fri Nov 4 2005 9:16:24p A.... 1,054,208 1.00 M dgnetlib.dll Wed Dec 28 2005 4:28:56p ..... 235,442 229.92 K dxtrans.dll Thu Oct 20 2005 9:39:28p A.... 205,312 200.50 K esent.dll Thu Oct 20 2005 4:20:04p A.... 1,082,368 1.03 M extmgr.dll Thu Oct 20 2005 9:39:28p ..... 55,808 54.50 K fp4603~1.dll Mon Dec 26 2005 9:28:08p ..S.R 235,442 229.92 K gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K gdi32.dll Wed Oct 5 2005 9:09:36p A.... 280,064 273.50 K gp00l3~1.dll Wed Dec 28 2005 4:28:54p ..S.R 236,445 230.90 K hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K iepeers.dll Thu Oct 20 2005 9:39:28p A.... 251,392 245.50 K inseng.dll Thu Oct 20 2005 9:39:28p A.... 96,256 94.00 K mshtml.dll Wed Nov 23 2005 7:06:34p A.... 3,015,680 2.88 M mshtmled.dll Thu Oct 20 2005 9:39:30p A.... 448,512 438.00 K msrating.dll Thu Oct 20 2005 9:39:30p A.... 146,432 143.00 K mstime.dll Thu Oct 20 2005 9:39:30p A.... 530,944 518.50 K pngfilt.dll Thu Oct 20 2005 9:39:30p A.... 39,424 38.50 K shdocvw.dll Wed Nov 30 2005 9:59:30p A.... 1,492,480 1.42 M shlwapi.dll Thu Oct 20 2005 9:39:30p A.... 473,600 462.50 K sock5.dll Mon Dec 19 2005 5:24:58p A.... 6,144 6.00 K spmsg.dll Wed Oct 12 2005 5:12:26p ..... 14,048 13.72 K urlmon.dll Fri Nov 4 2005 9:16:28p A.... 609,280 595.00 K wininet.dll Thu Oct 20 2005 9:39:30p A.... 658,432 643.00 K 28 items found: 28 files (2 H/S), 0 directories. Total of file sizes: 12,728,429 bytes 12.14 M Locate .tmp files: C:\WINDOWS\SYSTEM32\ __dele~1.tmp Wed Dec 28 2005 4:30:56p A.... 235,442 229.92 K 1 item found: 1 file, 0 directories. Total of file sizes: 235,442 bytes 229.92 K ********************************************************************************** Directory Listing of system files: Volume in drive C is Jekyl Volume Serial Number is 89BE-D240 Directory of C:\WINDOWS\System32 12/28/2005 04:28 PM 236,445 gp00l3dm1.dll 12/26/2005 09:28 PM 235,442 fp4603hse.dll 12/19/2005 04:31 PM 2,828 KGyGaAvL.sys 11/29/2005 09:09 PM <DIR> dllcache 10/27/2004 05:30 AM <DIR> Microsoft 3 File(s) 474,715 bytes 2 Dir(s) 120,068,546,560 bytes free

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 December 2005 - 05:48 PM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 28 December 2005 - 06:16 PM

Thanks for all your help, LDTate.

l2mfix log:

L2mfix Beta 122705
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 660 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 772 'winlogon.exe'
Killing PID 772 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'
Killing PID 1836 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2864 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
moving: C:\WINDOWS\system32\dgnetlib.dll
Successfully Moved: C:\WINDOWS\system32\dgnetlib.dll
moving: C:\WINDOWS\system32\fp4603hse.dll
Successfully Moved: C:\WINDOWS\system32\fp4603hse.dll
moving: C:\WINDOWS\system32\gp00l3dm1.dll
Successfully Moved: C:\WINDOWS\system32\gp00l3dm1.dll
moving: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp
Successfully Moved: C:\WINDOWS\system32\__delete_on_reboot__guard.tmp




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fp4603hse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dgnetlib.dll
C:\WINDOWS\system32\fp4603hse.dll
C:\WINDOWS\system32\gp00l3dm1.dll
C:\WINDOWS\system32\__delete_on_reboot__guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}\InprocServer32]
@="C:\\WINDOWS\\system32\\dgnetlib.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}\InprocServer32]
@="C:\\WINDOWS\\system32\\smellstyle.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}\InprocServer32]
@="C:\\WINDOWS\\system32\\assldpc.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{12656CAB-9220-4990-915E-8AD3DCFDFDF1}"=-
"{D72B98B2-B328-4F1B-951D-285A9C9D251E}"=-
"{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}"=-
"{0D82A745-A9F3-4437-AEB3-55FC86358178}"=-
[-HKEY_CLASSES_ROOT\CLSID\{12656CAB-9220-4990-915E-8AD3DCFDFDF1}]
[-HKEY_CLASSES_ROOT\CLSID\{D72B98B2-B328-4F1B-951D-285A9C9D251E}]
[-HKEY_CLASSES_ROOT\CLSID\{8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15}]
[-HKEY_CLASSES_ROOT\CLSID\{0D82A745-A9F3-4437-AEB3-55FC86358178}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/dgnetlib.dll (148 bytes security) (deflated 5%)
adding: dlls/fp4603hse.dll (148 bytes security) (deflated 5%)
adding: dlls/gp00l3dm1.dll (148 bytes security) (deflated 5%)
adding: dlls/__delete_on_reboot__guard.tmp (148 bytes security) (deflated 5%)
adding: backregs/0D82A745-A9F3-4437-AEB3-55FC86358178.reg (212 bytes security) (deflated 70%)
adding: backregs/12656CAB-9220-4990-915E-8AD3DCFDFDF1.reg (212 bytes security) (deflated 70%)
adding: backregs/8D6C5D9E-E73D-4E8F-9E8E-2FC178782A15.reg (212 bytes security) (deflated 70%)
adding: backregs/D72B98B2-B328-4F1B-951D-285A9C9D251E.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 63%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)



Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:12:28 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Documents and Settings\Grand Master HooHa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fredoneverything.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124561307953
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\fp4603hse.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 December 2005 - 06:27 PM

I suggest you do this:

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\fp4603hse.dll (file missing)


Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\system32\fp4603hse.dll
C:\WINDOWS\\system32\assldpc.dll



1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove.
Check all boxes except compress old files (If listed)
7. Click OK and windows will comply.

Restart your computer.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove


#11 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 28 December 2005 - 06:47 PM

OK, LDTate, Here's the current log. I will monitor for a while for popups also.

A couple questions:
1. How is the best way to learn more about this? i.e. seems I need to know more about registries and what some of these utilities actually do.
2. What are your thoughts on other OS's such as Linux, from a spyware point of view?

And now, the log

Logfile of HijackThis v1.99.1
Scan saved at 6:39:49 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Documents and Settings\Grand Master HooHa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fredoneverything.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124561307953
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.co...NetOpPlugin.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 28 December 2005 - 06:50 PM

PS- Everything seems to be okay for now. Gimme a half hour, and I will know for sure on the popups. Should I run all the other utilities now, for good measure? Thanks again, from your neighbor to the west (Kansas)

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 December 2005 - 07:21 PM

A couple questions:
1. How is the best way to learn more about this? i.e. seems I need to know more about registries and what some of these utilities actually do.
2. What are your thoughts on other OS's such as Linux, from a spyware point of view?

1. As for the tools, you can usually go to their web sites and read. As for learning what and how we do this, you can request to join our classroom. http://forums.tomcoy...?showtopic=1421

2. I don't know of any spyware that attacks Linux. There might be, but I haven't heard of any at this point.

Do some surfing around and let me know how it goes.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#14 Guest_Timcorny_*

Guest_Timcorny_*
  • Guests

Posted 28 December 2005 - 07:39 PM

LDTate, you are my hero. I have been on with IE open for over 45 minutes, with no popups of any kind. I believe my system is fixed. Thank you is not enough, but thank you anyway.

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 December 2005 - 07:40 PM

Good Job :thumbup:


Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start> My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults
Select: Apply, and click OK




If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users