
spywares


This topic is locked
19 replies to this topic

#1 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 11 January 2006 - 02:37 PM

Hey,
First, I'm glad that such a forum exists, :thumbup: thank you for that :).

Second, I'm sorry for my spelling errors; English is not my primary language.

Third, the problem:
Recently I have a spyware problem on my PC. I use FF most of the time, but sometimes I have to use IE, and when I open it the problems begin. I get pop-ups opening, I have an unwanted toolbar and another toolbar at the bottom of the window (not a regular toolbar). Sometimes unwanted links to casino sites appear on my desktop, and the main problem is that most of my RAM is used by some program. Also, when I look at Task Manager, I see iexplore.exe's and I can't close them (in Processes). And when my PC slows down and almost stops, I can see that some program called curbname.exe is running in Processes in my Task Manager.
My Norton and adware can't find anything. Norton finds some spyware and trojans but won't delete them.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:09:37, on 11/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
J:\Apache2\bin\Apache.exe
J:\Apache2\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
J:\Apache2\bin\Apache.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybzawnvtb...xDeCH51rs6.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.havhwkrkt...whO4tdE8Kc.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AEB81EAF-B97E-37B3-9B27-F61AF88FBF29} - C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &???? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
O4 - HKLM\..\Run: [Pixie] C:\Program Files\Nattyware\Pixie\pixie.exe
O4 - HKLM\..\Run: [One store junk iso] C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - AppInit_DLLs: msgplusloader.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\IconPackager\iprepair.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - J:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - J:\Apache2\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks in advance!
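A first-pass triage of a HijackThis log like the one above can be automated. The Python below is an added example written for this page; it is not part of the original post and not HijackThis code. It parses the R/O entry lines, pulls out the file path each entry references, and applies a few of the heuristics a malware-removal helper applies by eye: registrations whose target is `(no file)`, IE start/search pages redirected to an external URL, auto-start components loaded from a user-writable profile directory, BHOs registered as `.exe` files (in-proc COM servers are normally DLLs), and anything listed in AppInit_DLLs. The sample lines are copied from the log above (with the forum's URL truncation left as shown); the rules and their wording are my own, and a hit means "review this entry", not "this entry is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted
# above (URLs truncated exactly as the forum shows them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybzawnvtb...xDeCH51rs6.html
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: (no name) - {AEB81EAF-B97E-37B3-9B27-F61AF88FBF29} - C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [One store junk iso] C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - AppInit_DLLs: msgplusloader.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a loadable extension; spaces allowed, quotes/brackets not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|ocx|cpl|scr))\b', re.IGNORECASE)
# Directories a non-admin user can write to; legitimate BHOs and Run entries rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\(?:DOCUME~1|Documents and Settings|APPLIC~1|Application Data)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str          # HijackThis section, e.g. "O2"
    reasons: list      # one or more heuristic hits (my own heuristics, see lead-in)
    line: str          # the original log line


def triage(log_text):
    """Return a Finding for every R/O entry that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        path_m = PATH_RE.search(body)
        path = path_m.group(1) if path_m else None
        reasons = []

        if "(no file)" in body:
            reasons.append("registration points at a missing file (orphan; remove)")
        if kind in ("R0", "R1") and re.search(r"=\s*https?://", body):
            reasons.append("IE start/search page redirected to an external URL")
        if path and USER_WRITABLE_RE.search(path):
            reasons.append("auto-start component lives in a user-writable profile directory")
        if kind == "O2" and path and path.lower().endswith(".exe"):
            reasons.append("BHO registered as an .exe; in-proc COM servers are normally DLLs")
        if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs loads this DLL into every process that uses user32.dll; "
                           "confirm it belongs to installed software")

        if reasons:
            findings.append(Finding(kind, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the Norton BHO and the quoted ccApp Run entry pass clean, while the two profile-directory Run entries, the `.exe` BHO under `APPLIC~1`, the two `(no file)` orphans, the redirected search bar and the AppInit_DLLs entry are listed for review. Treat the output as a reading order, not a verdict: the helper in this thread still has to decide which of those items are the infection and which (the MessengerPlus loader, for instance) belong to software the user installed.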



#2 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 13 January 2006 - 12:34 PM

Bump :(

#3 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 15 January 2006 - 02:15 PM

Sorry, but I have to bump it again :(

#4 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 16 January 2006 - 05:29 PM

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer, and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This fix must NOT be run in safe mode for it to work.

If, while running option #1, you receive an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

#5 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 17 January 2006 - 10:23 AM

Thanks for the reply!

Here is the log I got:

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="????? ???????? ?? ???? ?????????"
"{176d6597-26d3-11d1-b350-080036a75b03}"="????? ???? ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="???? ????? ?? NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="???? ???????? ?? ???? ???? OLE"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="?????? ????? ??????"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="????? ??? ????? ?????? ?????"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="????? ??? ????? ???"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="????? ??? ????? ?????? ???????"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="???? ????? ?? ?????? ??????"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="?? ??????"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="????? ?????? ????"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="?????? ????? ????????? ??? ?? Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="????? ?? ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="????? ????? ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="?????? ????? ?????? ?????"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="????? ????? ?? ????? ???"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="????? ???? ?????"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="?????? ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="???? ????? ?? ??????"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="?????? ????? ??????"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="????? PKO ?? Crypto"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="????? ????? ?? Crypto"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="?????? ???"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="?????? ???"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&?????? ???????"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&?????? ???????"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&?????? ???????"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&?????? ???????"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&?????? ???????"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="????? ?? ?????? ????????? ?? ??????? ?????????"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="?????? ????? ???? Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="?????? ????????"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="???? ??????? ?????? ?????"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="?????"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="???? ??????"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="???? ??????"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="?????..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="???????"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="???? ????????"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="??? ?????"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="???? ????? ??????? ?? Microsoft"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="??? ?????"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="?????? ????? ??????"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="?????? ????? ?????? 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="????? ?????? ?? Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="????? ??????"
"{32683183-48a0-441b-a342-7c2a440a9478}"="????? ????"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="????? ???? ???????"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="????? ????????"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="??? ????? ????????? ??? ??????"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&?????"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="???? ????? ?????"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="????? ???????? ?? Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="????? ????? ???????? ?? MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="????? ????? ???????? ?????? ????? ?? MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="????"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="???? ???? ?????"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="???? ???? ??????"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="????? ?????? ????????? ?? ????????? ?? Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="????? ?????? ????????? ?? ?????? ?????? ?? Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="??? ?????? ?? ?????? ?????? ????????? ??????? ?? Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="????? ???? ????? ??????"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="???? ??????"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="?????? ?????? ??????"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="????? ????????? ?????? URL ?? Microsoft"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="??? ????? ?????? URL ?? Microsoft"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="??? ????? ?? ????? IE4"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="????????"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="?????? ????? ?? ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="?????? ??????"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="?????? ?????? ??????"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="???? ???????? ????????"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="????? ?????? ??????"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="??? ?????? ????????"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="????? ?????? ????????"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="??????? ????? ?? ??? ??????"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="??? ???? Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="??????? ???????"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="???? ????"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="????? ??? ?????"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="??????? ???? ?????"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="?????? ????? ?? ???????"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="???? &?????..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{DFA0CC7F-D36B-47D1-8EF5-415C1DA53F57}"="EmEditor"
"{611AD258-4138-4348-A534-9856FA6BA398}"="IconPackager Icon Handler"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8073266F-DC43-417A-9835-D7C1204C48B5}"="FantomCDShellEx"
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"="OpenOffice.org Column Handler"
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}"="OpenOffice.org Infotip Handler"
"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice.org Property Sheet Handler"
"{3B092F0C-7696-40E3-A80F-68D74DA84210}"="OpenOffice.org Thumbnail Viewer"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
bassmod.dll Mon Dec 5 2005 1:19:12a A.... 34,308 33.50 K
h@tkey~1.dll Mon Nov 7 2005 3:56:16p A.... 20,480 20.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 54,788 bytes 53.50 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is WINDOWS
Volume Serial Number is B0ED-633E

Directory of C:\WINDOWS\System32

09/09/2005 18:20 <DIR> Microsoft
09/09/2005 17:50 <DIR> dllcache
30/09/1999 19:21 166,672 mstext35.dll
28/09/1999 21:42 1,050,896 msjet35.dll
09/09/1999 22:06 168,720 msltus35.dll
09/09/1999 22:06 252,688 msexcl35.dll
25/08/1999 14:57 415,504 msrepl35.dll
10/06/1999 09:34 24,848 msjter35.dll
10/06/1999 09:34 123,664 msjint35.dll
07/06/1999 18:59 250,128 mspdox35.dll
25/04/1999 17:00 368,912 Vbar332.dll
25/04/1999 17:00 252,176 Msrd2x35.dll
25/04/1999 17:00 287,504 Msxbse35.dll
11 File(s) 3,361,712 bytes
2 Dir(s) 4,077,305,856 bytes free
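The Winlogon/notify section of the L2mfix find log above is the part worth reading closely: every subkey under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify names a DLL that winlogon.exe loads at logon, and a DLL parked there runs as SYSTEM inside winlogon before any user session exists, which is why the tool dumps that key first. The dump is in .reg format, and several DllName values are stored as hex(2) (REG_EXPAND_SZ) UTF-16LE byte lists split across continuation lines, so they cannot be read by eye. The Python below is an added example written for this page, not part of L2mfix or of the thread. It joins the continuation lines, decodes string, dword and hex(2)/hex(7) values, maps each Notify subkey to its DLL and the events it hooks, and reports any DLL outside an allow-list of Windows-shipped notify DLLs. That allow-list is my own assumption and is deliberately narrow: the ATI entry it reports here belongs to the ATI display driver, not to malware; the point is that anything outside the baseline is checked against the installed software instead of being waved through. The sample is three subkeys copied from the log above.

```python
import re

# Constructed sample: three subkeys copied from the L2MFIX "Winlogon/notify"
# dump posted above (a plain-string DllName, a hex(2) DllName with a
# continuation line, and the ATI driver's entry).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Logon"="AtiLogonEvent"
"Logoff"="AtiLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"""

NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Winlogon notification events a notify package can hook.
EVENT_NAMES = {"Logon", "Logoff", "Lock", "Unlock", "Startup", "Shutdown", "StartShell",
               "PostShell", "StartScreenSaver", "StopScreenSaver", "Disconnect", "Reconnect"}
# Assumed baseline (my own list, not from the thread): notify DLLs Windows XP itself
# registers. Anything else gets checked against the installed software.
WINDOWS_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def _logical_lines(text):
    """Yield .reg lines with trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line
    if pending:
        yield pending


def decode_reg_value(data):
    """Decode one .reg value: "string", dword:xxxxxxxx, hex(2)/hex(7) UTF-16LE, or raw hex."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"hex(?:\((\d+)\))?:([0-9a-fA-F,]*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):          # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                            # REG_BINARY and friends: leave as bytes
    return data


def notify_entries(reg_text):
    """Map each Winlogon\\Notify subkey to {"dll": name, "events": [hooked events]}."""
    entries, current = {}, None
    for line in _logical_lines(reg_text):
        km = NOTIFY_KEY_RE.match(line)
        if km:
            current = km.group(1)
            entries[current] = {"dll": None, "events": []}
            continue
        if line.startswith("["):
            current = None                    # some other key: ignore until the next subkey
            continue
        vm = VALUE_RE.match(line)
        if not (current and vm):
            continue
        name, value = vm.group(1), decode_reg_value(vm.group(2))
        if name.lower() == "dllname":
            entries[current]["dll"] = value
        elif name in EVENT_NAMES:
            entries[current]["events"].append(name)
    return entries


def unexpected_notify_dlls(reg_text):
    """(subkey, dll) pairs whose DLL is not in the assumed Windows baseline."""
    return sorted((name, e["dll"]) for name, e in notify_entries(reg_text).items()
                  if (e["dll"] or "").lower() not in WINDOWS_BASELINE)


if __name__ == "__main__":
    for name, e in notify_entries(SAMPLE_REG).items():
        print(f"{name:14} {e['dll']:14} {', '.join(e['events'])}")
    print("outside baseline:", unexpected_notify_dlls(SAMPLE_REG))
```

Two things to check for any entry the script reports: that the DLL actually exists on disk under System32 (the ATI entry should; a name that appears in no directory listing is a DLL winlogon is trying to load from elsewhere) and that its hooked events make sense for the vendor. A notify package that hooks Logon, claims Asynchronous and has a randomly generated subkey name is the pattern to look for; the tool's fix option (post #6) is what removes such a key, and the file it names, in one pass.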



#6 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 17 January 2006 - 01:06 PM

Close any programs you have open, since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter. It will process, then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and, when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do NOT run it in safe mode!
If after the reboot the log does not open, double click on it in the l2mfix folder.

#7 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 17 January 2006 - 01:56 PM

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:50:23, on 17/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
J:\Apache2\bin\Apache.exe
J:\Apache2\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
J:\Apache2\bin\Apache.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EmEditor\EMEDITOR.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybzawnvtb...xDeCH51rs6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AEB81EAF-B97E-37B3-9B27-F61AF88FBF29} - C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &???? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
O4 - HKLM\..\Run: [Pixie] C:\Program Files\Nattyware\Pixie\pixie.exe
O4 - HKLM\..\Run: [One store junk iso] C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\IconPackager\iprepair.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - J:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - J:\Apache2\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


And the new l2mfix log:

#8 DesrtHawk

Posted 17 January 2006 - 02:00 PM

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 664 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 760 'winlogon.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 4276 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (deflated 87%)
adding: backregs/shell.reg (deflated 72%)


I removed like 3000 lines saying "Killing PID 760 'winlogon.exe'" because it was too long for one post...

Thanks in advance!

#9 Siggyx

Posted 17 January 2006 - 02:01 PM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#10 DesrtHawk

Posted 19 January 2006 - 12:43 PM

Dear Siggyx,
I did as you said, installed Ewido, and tried to run it in safe mode. The scan was long, and I left it for the night. In the morning my computer wasn't responding. I did a new try for a scan, and after a long scan it was done, but when I pressed view report or save it I received an error that it can't show it. I have tried a new scan, and my computer hung up. I haven't tried any more scans. But every scan it found like 17000 threats and it typed that it removed them.
I did a new hijackthis scan, and here is its log:

Logfile of HijackThis v1.99.1
Scan saved at 20:35:48, on 19/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
J:\Apache2\bin\Apache.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\Apache2\mysql\bin\mysqld-nt.exe
J:\Apache2\bin\Apache.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybzawnvtb...xDeCH51rs6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AEB81EAF-B97E-37B3-9B27-F61AF88FBF29} - C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &???? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
O4 - HKLM\..\Run: [Pixie] C:\Program Files\Nattyware\Pixie\pixie.exe
O4 - HKLM\..\Run: [One store junk iso] C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\IconPackager\iprepair.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - J:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - J:\Apache2\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#11 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 19 January 2006 - 02:16 PM

One more thing (I can't edit my posts): I have looked at the l2mfix log I posted. All the question marks in the file/folder names are just Hebrew words. My XP is in Hebrew, and the program may not read it...

#12 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 19 January 2006 - 04:47 PM

Click here to run ActiveScan.
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open; click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component, allow it
  • It will start downloading the files it requires for the scan (Note: it may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report, and save it to a convenient location.
Paste the contents of the Panda scan report along with a new HijackThis log in your next reply.

#13 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 20 January 2006 - 04:30 AM

OK, here's the Panda scan:

Incident Status Location

Adware:Adware/Lop Not disinfected c:\docume~1\david\applic~1\sitewe~1\upgrim~1.exe
Adware:Adware/Lop Not disinfected C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/lop Not disinfected C:\PROGRAM FILES\C2Media
Potentially unwanted tool:application/need2find Not disinfected HKEY_CURRENT_USER\SOFTWARE\NEED2FIND
Spyware:spyware/rxtoolbar Not disinfected Windows Registry
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\David\Cookies\david@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\David\Cookies\david@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@belnk[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\David\Cookies\david@rn11[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@dist.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@ath.belnk[1].txt
Spyware:Cookie/Sandboxer Not disinfected C:\Documents and Settings\David\Cookies\david@0[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David\Cookies\david@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\David\Cookies\david@yadro[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\David\Cookies\david@offeroptimizer[1].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\David\Cookies\david@cliks[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David\Cookies\david@adultfriendfinder[2].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\David\Cookies\david@btg.btgrab[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\David\Cookies\david@desktop.kazaa[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David\Cookies\david@statcounter[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David\Cookies\david@server.iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.zedo.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.c2.gostats.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.did-it.com/]
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.linkexchange.ru/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.xmts.net/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.xiti.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.go.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[hc2.humanclick.com/]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\lockslogoonestore\curb name.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\I925218N\newpass2[2].htm
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\David\Cookies\david@888[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\David\Cookies\david@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@belnk[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\David\Cookies\david@rn11[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@dist.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@ath.belnk[1].txt
Spyware:Cookie/Sandboxer Not disinfected C:\Documents and Settings\David\Cookies\david@0[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David\Cookies\david@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\David\Cookies\david@yadro[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\David\Cookies\david@offeroptimizer[1].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\David\Cookies\david@cliks[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\David\Cookies\david@adultfriendfinder[2].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\David\Cookies\david@btg.btgrab[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\David\Cookies\david@desktop.kazaa[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David\Cookies\david@statcounter[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David\Cookies\david@server.iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\udj27iyz.default\cookies.txt[]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\David\Application Data\Site Web Keep\up grim info.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\David\Application Data\ElseSend\helppart.exe
Spyware:Cookie/Belnk Not disinfected C:\FOUND.001\FILE0003.CHK[]
Spyware:Cookie/Humanclick Not disinfected C:\FOUND.001\FILE0003.CHK[6728784]
Potentially unwanted tool:Application/Processor Not disinfected C:\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\l2mfix\Process.exe


And a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:35, on 20/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
J:\Apache2\bin\Apache.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\Apache2\mysql\bin\mysqld-nt.exe
J:\Apache2\bin\Apache.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Avant Browser\avant.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybzawnvtb...xDeCH51rs6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {AEB81EAF-B97E-37B3-9B27-F61AF88FBF29} - C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &???? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
O4 - HKLM\..\Run: [Pixie] C:\Program Files\Nattyware\Pixie\pixie.exe
O4 - HKLM\..\Run: [One store junk iso] C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\IconPackager\iprepair.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - J:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - J:\Apache2\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#14 Siggyx (SuperHelper, Authentic Member, 6,776 posts)

Posted 20 January 2006 - 10:30 PM

Go to Add/Remove Programs and remove Messenger Plus! 3; follow all the steps to remove it.

Then scan with HijackThis, put a check beside these lines and choose Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybzawnvtb...xDeCH51rs6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer


O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)

O2 - BHO: (no name) - {AEB81EAF-B97E-37B3-9B27-F61AF88FBF29} - C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [One store junk iso] C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe

O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL

O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

NEXT

Download CCleaner from the link below and save it to your desktop. Open CCleaner and click Run CCleaner at the bottom right.

http://www.majorgeek...wnload4191.html

Next, download RegSeeker from the link below and save it to your desktop. Open RegSeeker, click Clean Registry, then click OK. Once the scan is complete, make sure Make backups is checked, then select all and delete.

http://www.majorgeek...wnload2579.html

Reboot to Safe Mode (tap F8 while the BIOS loads), then look for and delete these files/folders if present:

C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe

C:\Program Files\MessengerPlus! 3 <<<folder
C:\Documents and Settings\All Users\Application Data\lockslogoonestore <<<folder
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1 <<<folder, look for the first 6 letters.

Then, while still in Safe Mode, scan with Ewido and have it remove what it finds.

Then reboot to Safe Mode and post the Ewido log and a new HijackThis log, please.
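
The procedure above is the manual version of a triage any helper repeats on every log: read the HijackThis entries, pick out the ones that point at nothing or at a user-writable profile directory, and line them up against what the scanner reported. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from Panda. It parses both text formats as they appear in the posts, applies three heuristics that are the editor's own (a registered component with no file behind it, a load path under Application Data / Local Settings / Temp in either long or 8.3 form, and a BHO registered as an EXE rather than a DLL), and cross-references entries with Panda detections by file name only. The sample log and report are constructed, modelled on the entries posted in this thread.

```python
"""Triage a HijackThis 1.99.1 log against a Panda ActiveScan report.
Added example, not code from this thread, HijackThis or Panda.
Sample input is constructed, modelled on the entries posted above."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: (no name) - {AEB81EAF-B97E-37B3-9B27-F61AF88FBF29} - C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [One store junk iso] C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: MySQL - Unknown owner - J:\Apache2\mysql\bin\mysqld-nt.exe
"""

SAMPLE_PANDA = r"""
Adware:Adware/Lop Not disinfected C:\DOCUME~1\David\APPLIC~1\ElseSend\helppart.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\David\Application Data\ElseSend\helppart.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\lockslogoonestore\CREATIVE32.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\David\Application Data\Site Web Keep\up grim info.exe
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\David\Cookies\david@belnk[2].txt
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
PANDA_LINE = re.compile(r"^(?P<kind>[^:]+):(?P<name>\S+) (?P<status>Not disinfected|Disinfected) (?P<loc>.+)$")
# Drive-letter path ending in a loadable extension; spaces allowed, quotes excluded.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys))\b', re.I)
# Profile directories a limited user can write to, in long and 8.3 short form (editor's assumption).
USER_WRITABLE = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\locals~1\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    body: str
    path: str | None
    reasons: list[str] = field(default_factory=list)
    detections: list[str] = field(default_factory=list)


def extract_path(body: str) -> str | None:
    """File the entry points at, or None for '(no file)' and bare names such as Ati2mdxx.exe."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append(Finding(m["section"], m["body"], extract_path(m["body"])))
    return out


def parse_panda(text: str) -> dict[str, set[str]]:
    """Map lower-cased file name -> detection names (collapses the short/long path duplicates)."""
    hits: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            hits.setdefault(basename(m["loc"]), set()).add(m["name"])
    return hits


def flag(f: Finding) -> list[str]:
    reasons = []
    low = f.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("registered component whose file is gone")
    if f.path and any(d in f.path.lower() for d in USER_WRITABLE):
        reasons.append("loads from a user-writable profile directory")
    if f.section == "O2" and f.path and f.path.lower().endswith(".exe"):
        reasons.append("BHO registered as an EXE instead of a DLL")
    return reasons


def triage(hjt_text: str, panda_text: str) -> list[Finding]:
    """Only the entries that trip a heuristic or match a scanner detection, in log order."""
    hits = parse_panda(panda_text)
    results = []
    for f in parse_hjt(hjt_text):
        f.reasons = flag(f)
        if f.path:
            f.detections = sorted(hits.get(basename(f.path), ()))
        if f.reasons or f.detections:
            results.append(f)
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_PANDA):
        print(f"{f.section}: {f.body}")
        for note in f.reasons + [f"scanner: {d}" for d in f.detections]:
            print(f"    - {note}")
```

Matching on file name alone is deliberate: HijackThis prints some paths in 8.3 form (APPLIC~1) and Panda prints the same file both ways, and resolving short names needs the live filesystem. The cost is that a detection reported only under a shortened file name (upgrim~1.exe in the report above) will not pair with the long name in the log; on the machine itself the two would be joined with the Win32 GetLongPathName call before comparing.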

#15 DesrtHawk (New Member, Authentic Member, 12 posts)

Posted 21 January 2006 - 07:10 AM

I did what you asked.
I deleted Messenger Plus and made a new scan with HijackThis. I couldn't fix these lines, because they weren't there:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybzawnvtb...xDeCH51rs6.html

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

The next steps I did without any problems.
But when I run Ewido it doesn't respond. I tried to reinstall it, but it still isn't working.
I made a new HijackThis log, and here is the result:

Logfile of HijackThis v1.99.1
Scan saved at 15:00:34, on 21/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
J:\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\ctfmon.exe
J:\Apache2\mysql\bin\mysqld-nt.exe
C:\Program Files\Messenger\msmsgs.exe
J:\Apache2\bin\Apache.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &???? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
O4 - HKLM\..\Run: [Pixie] C:\Program Files\Nattyware\Pixie\pixie.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Chic Default] C:\DOCUME~1\David\APPLIC~1\SITEWE~1\up grim info.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: הורד באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: הורד הכל באמצעות פלאש-גט - C:\PROGRA~1\FLASHGET\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\IconPackager\iprepair.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - J:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - J:\Apache2\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


I also wonder if Messenger Plus makes problems, and whether you suggest not using it?
