21 replies to this topic

#1 crich

    New Member

  • Authentic Member
  • 18 posts

Posted 04 February 2006 - 12:59 AM

Need some help on a computer that is running slower than ever.

Logfile of HijackThis v1.99.1
Scan saved at 12:58:58 AM, on 2/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\SmFjayBSaWNo\command.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\winsmx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\winsysban5.exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jack\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rfxwslooadmij...LpiwOBe4Glh.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: om
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban5.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: RunOnce_Disabled - C:\WINDOWS\system32\uuerenv.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\enj2l11o1.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFjayBSaWNo\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe

Thanks
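As an added triage example (not code from this thread or from HijackThis itself), the Python below walks a HijackThis log line by line and flags the entry types that stand out in the log above: O1 hosts overrides, O18 MIME filters, O20 AppInit_DLLs and non-standard Winlogon Notify packages, O23 services with no owner string, autoruns sitting in the drive root, and R0/R1 search providers on unfamiliar hosts. The sample log is a constructed excerpt of the one posted; the known-DLL and known-host sets are assumptions based on the stock entries visible in this thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed excerpt in the shape of the HijackThis log above (values copied
# from that log); a raw string so the Windows paths need no escaping.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rfxwslooadmij...LpiwOBe4Glh.asp
O1 - Hosts: 207.68.172.246 msn.com
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winsysban] C:\\winsysban5.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\enj2l11o1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFjayBSaWNo\command.exe
"""

# Assumed allowlists: the stock XP notification packages seen in the L2MFix
# export in this thread, and search hosts that appear in the log as legitimate.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
KNOWN_SEARCH_HOSTS = {"msn.com", "microsoft.com", "google.com", "yahoo.com", "hotmail.com"}

# An .exe directly under a drive root (C:\foo.exe or C:\\foo.exe), no subfolder.
ROOT_EXE = re.compile(r'^"?([A-Za-z]:\\\\?[^\\"]+\.exe)"?', re.IGNORECASE)
ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")


@dataclass
class Finding:
    code: str       # HijackThis section, e.g. "O20"
    severity: str   # "high" (loads into the session / rewrites DNS) or "review"
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _host(url: str) -> str:
    # Reduce to the registrable-looking tail (last two labels) for the allowlist.
    host = urlsplit(url.strip()).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_line(line: str):
    """Return a Finding for one HijackThis entry, or None if it looks benign."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    if code in ("R0", "R1") and ("Search Bar" in rest or "Search Page" in rest):
        url = rest.split("=", 1)[1].strip() if "=" in rest else ""
        if url and _host(url) not in KNOWN_SEARCH_HOSTS:
            return Finding(code, "review", f"search provider on unfamiliar host {_host(url)}", line)
    elif code == "O1":
        return Finding(code, "high", "hosts-file entry overrides DNS for a public name", line)
    elif code == "O4":
        target = rest.split("]", 1)[1].strip() if "]" in rest else ""
        if ROOT_EXE.match(target):
            return Finding(code, "review", "autorun binary sits directly in the drive root", line)
    elif code == "O18":
        return Finding(code, "high", "MIME filter hooks every text/html page IE renders", line)
    elif code == "O20" and rest.startswith("AppInit_DLLs:"):
        if rest.split(":", 1)[1].strip():
            return Finding(code, "high", "AppInit_DLLs loads this DLL into every GUI process", line)
    elif code == "O20" and rest.startswith("Winlogon Notify:"):
        dll = _basename(rest.rsplit(" - ", 1)[-1])
        if dll not in KNOWN_NOTIFY_DLLS:
            return Finding(code, "high", f"non-standard Winlogon notification package {dll}", line)
    elif code == "O23" and "- Unknown owner -" in rest:
        return Finding(code, "review", "service binary carries no publisher string", line)
    return None


def triage(log: str):
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```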



#2 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 04 February 2006 - 09:42 PM

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

#3 crich

    New Member

  • Authentic Member
  • 18 posts

Posted 05 February 2006 - 12:31 AM

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s4pu0e79eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\uuerenv.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{993B66D3-50D8-ACB0-C414-4C45184B2D19}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}"="MediaFace extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}"=""
"{CE1E35D8-CB06-47FC-9413-22A9875262B8}"=""
"{EC56A3A7-7E86-4FE2-B997-8E871576BC16}"=""
"{271FC952-16C7-4B3D-AF1B-3D09CC611507}"=""
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}\InprocServer32]
@="C:\\WINDOWS\\system32\\IWXPROMN.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}\InprocServer32]
@="C:\\WINDOWS\\system32\\sUmsrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}\InprocServer32]
@="C:\\WINDOWS\\system32\\nlrsptb.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}\InprocServer32]
@="C:\\WINDOWS\\system32\\uuerenv.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll     Fri Feb  3 2006 10:06:10p A....   687,592 671.48 K
browseui.dll  Wed Nov 23 2005  7:06:34p A.... 1,022,464 998.50 K
f2j20c~1.dll  Fri Feb  3 2006 11:47:24p ..S.R   234,272 228.78 K
f62m0g~1.dll  Fri Feb  3 2006  9:02:16p ..S.R   234,398 228.90 K
gccoll~1.dll  Tue Nov 15 2005 12:12:08p A....   126,680 123.71 K
gcunco~1.dll  Tue Nov 15 2005 12:12:06p A....    95,448  93.21 K
gdi32.dll     Wed Dec 28 2005  8:54:36p A....   280,064 273.50 K
hashlib.dll   Tue Nov 15 2005 12:12:08p A....   117,976 115.21 K
hr2205~1.dll  Fri Feb  3 2006 10:10:24p ..S.R   235,483 229.96 K
j06m0a~1.dll  Fri Feb  3 2006 10:04:10p ..S.R   234,272 228.78 K
mshtml.dll    Wed Nov 23 2005  7:06:34p A.... 3,015,680   2.88 M
nlrsptb.dll   Sat Feb  4 2006 11:05:40a .....   236,457 230.91 K
repair~1.dll  Fri Feb  3 2006  4:13:18a A....    85,504  83.50 K
s4pu0e~1.dll  Fri Feb  3 2006 11:46:28p ..S.R   236,457 230.91 K
shdocvw.dll   Wed Nov 30 2005  9:59:30p A.... 1,492,480   1.42 M
sporder.dll   Fri Feb  3 2006  4:13:04a A....     8,464   8.27 K
ssqrq.dll     Fri Dec 30 2005  6:21:10p ..SH.   557,108 544.05 K
sstqr.dll     Thu Dec 29 2005  3:34:36p ..SH.    36,877  36.01 K
sumsrv.dll    Fri Feb  3 2006  9:02:18p ..S.R   234,272 228.78 K
vtutu.dll     Fri Dec 30 2005  5:05:10p ..SH.   557,108 544.05 K

20 items found: 20 files (9 H/S), 0 directories.
Total of file sizes: 9,729,056 bytes 9.28 M

Locate .tmp files:
C:\WINDOWS\SYSTEM32\
guard.tmp     Sat Feb  4 2006 11:06:40a ..S.R   236,457 230.91 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 236,457 bytes 230.91 K

**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 1C6A-1D39

 Directory of C:\WINDOWS\System32

02/04/2006  11:06 AM           236,457 guard.tmp
02/04/2006  12:38 AM    <DIR>          DLLCACHE
02/03/2006  11:47 PM           234,272 f2j20c1oef.dll
02/03/2006  11:46 PM           236,457 s4pu0e79eh.dll
02/03/2006  10:10 PM           235,483 hr2205foe.dll
02/03/2006  10:04 PM           234,272 j06m0aj1edo.dll
02/03/2006  09:02 PM           234,272 sUmsrv.dll
02/03/2006  09:02 PM           234,398 f62m0gf1e62.dll
12/30/2005  06:21 PM           557,108 ssqrq.dll
12/30/2005  05:05 PM           557,108 vtutu.dll
12/29/2005  03:34 PM            36,877 sstqr.dll
09/17/2002  09:41 PM    <DIR>          Microsoft
01/05/2002  04:40 AM           487,424 msvcp70.dll
              11 File(s)      3,284,128 bytes
               2 Dir(s)  12,333,838,336 bytes free
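As an added example (not part of this thread or of L2MFix), the Python below parses the Winlogon/notify section of a .reg export like the one above, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE with backslash line continuations) DllName values, and reports notification packages whose DllName is a full path or an unfamiliar DLL, which is exactly what separates the Explorer and MS-DOS Emulation subkeys from the stock ones in that log. The excerpt is constructed from values in the log; the set of stock package names is an assumption.

```python
import re

# Constructed excerpt of the "Winlogon/notify" export above (values copied
# from that log, keys trimmed); a raw string so backslashes survive as written.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s4pu0e79eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"DllName"="C:\\WINDOWS\\system32\\uuerenv.dll"
"Logon"="WinLogon"
'''

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Assumed: the bare DLL names used by the stock XP packages in the export above.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _logical_lines(text):
    """Join physical lines that end in a backslash (regedit's continuation)."""
    buf = ""
    for line in text.splitlines():
        s = buf + line.strip()
        buf = ""
        if s.endswith("\\"):
            buf = s[:-1]
            continue
        yield s
    if buf:
        yield buf


def _decode_value(raw):
    """Turn a .reg value literal into a Python string; dword/binary stay literal."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = HEX_RE.match(raw)
    if m and m.group(1) in ("1", "2", "7"):      # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text):
    """{key path: {value name: decoded value}} for a regedit v5 export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def review_notify_packages(keys):
    """{subkey: (DllName, reason)} for notification packages that merit a look."""
    findings = {}
    prefix = NOTIFY_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        if "\\" in dll:
            findings[sub] = (dll, "DllName is a full path; stock packages name a bare DLL in system32")
        elif dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings[sub] = (dll, "DLL is not one of the stock XP notification packages")
    return findings


if __name__ == "__main__":
    for sub, (dll, why) in review_notify_packages(parse_reg_export(SAMPLE_EXPORT)).items():
        print(f"{sub}: {dll}\n    {why}")
```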

#4 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 05 February 2006 - 01:06 AM

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If, after the reboot, the log does not open, double click on it in the l2mfix folder.

#5 crich

crich

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 February 2006 - 09:20 AM

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 448 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 520 'winlogon.exe'
Killing PID 520 'winlogon.exe'
Killing PID 520 'winlogon.exe'
Killing PID 520 'winlogon.exe'
Killing PID 2924 'winlogon.exe'
Killing PID 2924 'winlogon.exe'
Killing PID 2924 'winlogon.exe'
Killing PID 2924 'winlogon.exe'
Killing PID 2924 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 1076 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Killing PID 904 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'
Killing PID 3312 'rundll32.exe'

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!

1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.

Deleting: C:\WINDOWS\system32\f2j20c1oef.dll
Successfully Deleted: C:\WINDOWS\system32\f2j20c1oef.dll
Deleting: C:\WINDOWS\system32\f62m0gf1e62.dll
Successfully Deleted: C:\WINDOWS\system32\f62m0gf1e62.dll
Deleting: C:\WINDOWS\system32\hr2205foe.dll
Successfully Deleted: C:\WINDOWS\system32\hr2205foe.dll
Deleting: C:\WINDOWS\system32\j06m0aj1edo.dll
Successfully Deleted: C:\WINDOWS\system32\j06m0aj1edo.dll
Deleting: C:\WINDOWS\system32\nlrsptb.dll
Successfully Deleted: C:\WINDOWS\system32\nlrsptb.dll
Deleting: C:\WINDOWS\system32\s4pu0e79eh.dll
Successfully Deleted: C:\WINDOWS\system32\s4pu0e79eh.dll
Deleting: C:\WINDOWS\system32\sUmsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sUmsrv.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.

Desktop.ini sucessfully removed

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s4pu0e79eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\uuerenv.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\f2j20c1oef.dll
C:\WINDOWS\system32\f62m0gf1e62.dll
C:\WINDOWS\system32\hr2205foe.dll
C:\WINDOWS\system32\j06m0aj1edo.dll
C:\WINDOWS\system32\nlrsptb.dll
C:\WINDOWS\system32\s4pu0e79eh.dll
C:\WINDOWS\system32\sUmsrv.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}\InprocServer32]
@="C:\\WINDOWS\\system32\\IWXPROMN.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}\InprocServer32]
@="C:\\WINDOWS\\system32\\sUmsrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}\InprocServer32]
@="C:\\WINDOWS\\system32\\nlrsptb.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}\InprocServer32]
@="C:\\WINDOWS\\system32\\uuerenv.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}"=-
"{CE1E35D8-CB06-47FC-9413-22A9875262B8}"=-
"{EC56A3A7-7E86-4FE2-B997-8E871576BC16}"=-
"{271FC952-16C7-4B3D-AF1B-3D09CC611507}"=-

[-HKEY_CLASSES_ROOT\CLSID\{6AEC6BB7-DA5F-451D-A637-60DEAD2FA342}]
[-HKEY_CLASSES_ROOT\CLSID\{CE1E35D8-CB06-47FC-9413-22A9875262B8}]
[-HKEY_CLASSES_ROOT\CLSID\{EC56A3A7-7E86-4FE2-B997-8E871576BC16}]
[-HKEY_CLASSES_ROOT\CLSID\{271FC952-16C7-4B3D-AF1B-3D09CC611507}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Checking for L2MFix account(0=no 1=yes): 0

Zipping up files for submission:
  adding: dlls/f2j20c1oef.dll (184 bytes security) (deflated 4%)
  adding: dlls/f62m0gf1e62.dll (184 bytes security) (deflated 4%)
  adding: dlls/guard.tmp (184 bytes security) (deflated 5%)
  adding: dlls/hr2205foe.dll (184 bytes security) (deflated 5%)
  adding: dlls/j06m0aj1edo.dll (184 bytes security) (deflated 4%)
  adding: dlls/nlrsptb.dll (184 bytes security) (deflated 5%)
  adding: dlls/s4pu0e79eh.dll (184 bytes security) (deflated 5%)
  adding: dlls/sUmsrv.dll (184 bytes security) (deflated 4%)
  adding: backregs/271FC952-16C7-4B3D-AF1B-3D09CC611507.reg (188 bytes security) (deflated 70%)
  adding: backregs/6AEC6BB7-DA5F-451D-A637-60DEAD2FA342.reg (188 bytes security) (deflated 69%)
  adding: backregs/CE1E35D8-CB06-47FC-9413-22A9875262B8.reg (188 bytes security) (deflated 70%)
  adding: backregs/EC56A3A7-7E86-4FE2-B997-8E871576BC16.reg (188 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (184 bytes security) (deflated 88%)
  adding: backregs/shell.reg (184 bytes security) (deflated 73%)

#6 crich

crich

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 February 2006 - 09:21 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:21:05 AM, on 2/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\winsmx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\system32\wgse.exe
C:\winsysban5.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
c:\ucmoreiex.exe
C:\Documents and Settings\Jack\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rfxwslooadmij...LpiwOBe4Glh.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 127h.com
O1 - Hosts: om
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: ds19.focalink.com
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban5.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\s4pu0e79eh.dll (file missing)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\uuerenv.dll (file missing)
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFjayBSaWNo\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe

#7 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 05 February 2006 - 11:00 AM

First, enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
-Click OK

NEXT

Please download Vx2 Finder and save it to its own folder. http://downloads.sub...Finder(126).exe
Run VX2Finder(126).exe
Select: Click to Find VX2.Betterinternet
When the scan is done, select the Make Log
Copy the log and post it.

NEXT

Download Find_It.zip:
http://computercops....It NT-2K-XP.zip
Unzip its contents to its own folder
Open the folder and double click on Find.bat (File with a gear symbol)
Ignore any File not found messages
It runs for a minute, and produces a log
Please copy and paste the log on your next response.

NEXT

Also, download KillBox.zip from the link below.
http://www.subratam.org/?page=removal
Place it in a folder on your Desktop.
Do not run it yet.

NEXT

Please look in your system32 folder and let me know if the below file is present.

C:\Windows\system32\guard.tmp

NEXT

Post all the logs and DO NOT REBOOT please.

#8 crich
New Member, Authentic Member, 18 posts

Posted 05 February 2006 - 01:46 PM

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
Explorer
MS-DOS Emulation
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
SV1


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Jack\Desktop\Find It

------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 1C6A-1D39

 Directory of C:\WINDOWS\System32

02/04/2006 12:38 AM <DIR> DLLCACHE
12/30/2005 06:21 PM 557,108 ssqrq.dll
12/30/2005 05:05 PM 557,108 vtutu.dll
12/29/2005 03:34 PM 36,877 sstqr.dll
09/17/2002 09:41 PM <DIR> Microsoft
01/05/2002 04:40 AM 487,424 msvcp70.dll
 4 File(s) 1,638,517 bytes
 2 Dir(s) 12,285,251,584 bytes free

------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 1C6A-1D39

 Directory of C:\WINDOWS\System32

02/04/2006 12:38 AM <DIR> DLLCACHE
12/30/2005 06:21 PM 557,108 ssqrq.dll
12/30/2005 05:05 PM 557,108 vtutu.dll
12/29/2005 03:34 PM 36,877 sstqr.dll
11/15/2001 06:29 AM 488 WindowsLogon.manifest
11/15/2001 06:29 AM 488 logonui.exe.manifest
11/15/2001 06:29 AM 749 ncpa.cpl.manifest
11/15/2001 06:29 AM 749 nwc.cpl.manifest
11/15/2001 06:29 AM 749 sapi.cpl.manifest
11/15/2001 06:29 AM 749 cdplayer.exe.manifest
11/15/2001 06:29 AM 749 wuaucpl.cpl.manifest
 10 File(s) 1,155,814 bytes
 1 Dir(s) 12,285,247,488 bytes free

------------ Files Named "Guard" ---------------

 Volume in drive C has no label.
 Volume Serial Number is 1C6A-1D39

 Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

 Volume in drive C has no label.
 Volume Serial Number is 1C6A-1D39

 Directory of C:\WINDOWS\System32

01/28/2005 01:44 PM 5,525,504 setb0.tmp
 1 File(s) 5,525,504 bytes
 0 Dir(s) 12,285,247,488 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s4pu0e79eh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\uuerenv.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
ssqrq.dll Fri Dec 30 2005 6:21:10p ..SH. 557,108 544.05 K
sstqr.dll Thu Dec 29 2005 3:34:36p ..SH. 36,877 36.01 K
vtutu.dll Fri Dec 30 2005 5:05:10p ..SH. 557,108 544.05 K

3 items found: 3 files, 0 directories.
Total of file sizes: 1,151,093 bytes 1.10 M

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\Incinerator.dll: .aspack
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: (AsPack2k)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack2000
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"susse"="\"C:\\WINDOWS\\system32\\hpsw.exe\""
"gimmygames"="C:\\\\gimmygames.exe"
"winsysban"="C:\\\\winsysban5.exe"
"SurfSideKick 3"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

I also did not find the guard.tmp in System32
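
The Find.bat output in post #8 dumps the Winlogon\Notify packages and the HKLM Run key as REGEDIT4 text, which is exactly where the VX2 Finder and Find.bat steps in post #7 are looking. As an added example (this is not Find.bat, VX2 Finder or any other tool from the thread), here is a Python script that parses that format and flags what a helper would inspect: Notify packages that are not in the stock Windows XP SP2 set or that load a DLL by full path (the stock packages load bare file names from system32, so the Explorer and MS-DOS Emulation entries pointing at s4pu0e79eh.dll and uuerenv.dll stand out), and Run entries that launch from the drive root, from system32 under an unrecognised name, or through an 8.3 short path. The sample input is abbreviated from the log posted above; the XP baseline table and the allow-list of known Run targets are assumptions, marked as such in the code.

```python
"""Triage a Find.bat-style REGEDIT4 dump for Winlogon\\Notify and Run-key
persistence. Added example for this thread; not part of Find.bat itself."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few entries abbreviated from the Find.bat output posted
# in this thread (only the value lines the script needs are kept).
SAMPLE = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"DllName"="C:\\WINDOWS\\system32\\s4pu0e79eh.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"DllName"="C:\\WINDOWS\\system32\\uuerenv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"susse"="\"C:\\WINDOWS\\system32\\hpsw.exe\""
"gimmygames"="C:\\\\gimmygames.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed baseline: notification packages on a stock Windows XP SP2 install and
# the DLL each one loads (bare file names, resolved from system32).
XP_NOTIFY_BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}
# Assumed allow-list of Run-key targets this machine is known to use.
KNOWN_RUN_TARGETS = {"realsched.exe", "qttask.exe", "nvcpl.dll", "gcasserv.exe"}

Finding = Tuple[str, str, str, str]  # (area, entry name, target, reason)


def unescape(s: str) -> str:
    """Undo REGEDIT4 string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(v: str) -> str:
    """Turn one REGEDIT4 value token ("str", hex(2):.., dword:..) into text."""
    if v.startswith('"') and v.endswith('"'):
        return unescape(v[1:-1])
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", v)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ, single-byte as in this dump
            return data.decode("latin-1").rstrip("\x00")
        return data.hex()
    if v.startswith("dword:"):
        return str(int(v[6:], 16))
    return v


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to {value name: decoded data}. Single-line values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = decode_value(m.group(2))
    return keys


def triage_notify(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag Notify packages outside the baseline or loading a DLL by path."""
    out: List[Finding] = []
    for key, values in keys.items():
        parent, _, package = key.rpartition("\\")
        if parent.lower() != NOTIFY_KEY.lower():
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
        expected = XP_NOTIFY_BASELINE.get(package.lower())
        if expected is None:
            out.append(("notify", package, dll, "package not in the XP SP2 baseline"))
        elif "\\" in dll or dll.lower() != expected:
            out.append(("notify", package, dll, "baseline package should load " + expected))
    return out


def run_target(command: str) -> str:
    """File a Run entry launches; for rundll32 lines, the DLL it loads."""
    cmd = command.strip()
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    tokens = cmd.split()  # unquoted paths containing spaces are not handled
    if len(tokens) > 1 and tokens[0].lower() in ("rundll32", "rundll32.exe"):
        return tokens[1].split(",")[0]
    return tokens[0] if tokens else ""


def triage_run(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag Run entries by location: drive root, system32, or an 8.3 short path."""
    out: List[Finding] = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, command in values.items():
            target = re.sub(r"\\+", r"\\", run_target(command))  # C:\\x.exe -> C:\x.exe
            if target.rsplit("\\", 1)[-1].lower() in KNOWN_RUN_TARGETS:
                continue
            reasons = []
            if re.match(r"[a-z]:\\[^\\]+$", target, re.I):
                reasons.append("launched from the drive root")
            if "\\system32\\" in target.lower():
                reasons.append("unrecognised file in system32")
            if "~" in target:
                reasons.append("8.3 short path obscures the real name")
            if reasons:
                out.append(("run", name, target, "; ".join(reasons)))
    return out


def triage(text: str) -> List[Finding]:
    keys = parse_regedit4(text)
    return triage_notify(keys) + triage_run(keys)


if __name__ == "__main__":
    for area, name, target, reason in triage(SAMPLE):
        print(f"[{area}] {name}: {target}  <- {reason}")
```

On the posted sample this reports the two Notify packages (Explorer, MS-DOS Emulation) and the susse, gimmygames and New.net Startup Run entries, and stays quiet about crypt32chain, cscdll and NvCplDaemon. The Notify check matters more than the Run one: a Notify DLL is loaded into winlogon.exe as SYSTEM before any user shell runs, which is why the thread's helper asks for these keys first and why "delete the file" alone does not stick until the key is gone too.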

#9 Siggyx
SuperHelper, Authentic Member, 6,776 posts

Posted 05 February 2006 - 02:10 PM

STEP 1.
======
SpySweeper
Please download http://www.webroot.c...ode=af1&rc=3597
(It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
STEP 2.
======
Download Ewido
  • Download and install Ewido Security Suite. It is a free trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
STEP 3.
======
Update Ewido
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates

STEP 4.
======
Ewido Scan
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    o You will need to step through the process of cleaning files one-by-one.
    o If ewido detects a file you KNOW to be legitimate, select none as the action.
    o DO NOT select "Perform action on all infections"
    o If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


STEP 5.
======
CWShredder

Please download and run CWShredder
Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.

STEP 6.
======

Please do an online scan here http://housecall.trendmicro.com/ and allow it to clean/remove what it finds.


Please post the results from SpySweeper, ewido and a new hijackthis log.

#10 crich
New Member, Authentic Member, 18 posts

Posted 05 February 2006 - 04:21 PM

Here is the Spy Sweep Log. More logs to follow

********
2:39 PM: | Start of Session, Sunday, February 05, 2006 |
2:39 PM: Spy Sweeper started
2:39 PM: Sweep initiated using definitions version 611
2:39 PM: Found Adware: surfsidekick
2:39 PM: HKLM\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 1055336)
2:39 PM: Ssk.exe (ID = 1055336)
2:39 PM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\inprocserver32\ (2 subtraces) (ID = 1055337)
2:39 PM: SskBho.dll (ID = 1055337)
2:39 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 1055335)
2:39 PM: Ssk.exe (ID = 1055335)
2:39 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 1055335)
2:39 PM: Ssk.exe (ID = 1055335)
2:39 PM: Starting Memory Sweep
2:39 PM: Found Adware: quicklink search toolbar
2:39 PM: Detected running threat: C:\PROGRA~1\Jalmp\jalmp.dll (ID = 238167)
2:43 PM: Detected running threat: C:\Program Files\Jalmp\jalmp.dll (ID = 238167)
2:46 PM: Detected running threat: C:\WINDOWS\SYSTEM32\wgse.exe (ID = 238240)
2:46 PM: Detected running threat: C:\WINDOWS\SYSTEM32\hpsw.exe (ID = 238236)
2:48 PM: Found Adware: command
2:48 PM: Detected running threat: C:\Program Files\Network Monitor\netmon.exe (ID = 231443)
2:50 PM: Found Adware: effective-i toolbar
2:50 PM: Detected running threat: c:\ucmoreiex.exe (ID = 59853)
2:53 PM: Detected running threat: C:\WINDOWS\SYSTEM32\wgse.exe (ID = 238240)
2:53 PM: Detected running threat: C:\WINDOWS\SYSTEM32\hpsw.exe (ID = 238236)
2:53 PM: Memory Sweep Complete, Elapsed Time: 00:14:25
2:53 PM: Starting Registry Sweep
2:53 PM: Found Adware: clkoptimizer
2:53 PM: HKCR\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106021)
2:53 PM: HKLM\software\classes\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106116)
2:54 PM: Found Adware: findthewebsiteyouneed hijack
2:54 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 125241)
2:54 PM: Found Trojan Horse: downloadul
2:54 PM: HKCR\clsid\{fa790a6c-5c23-d631-08dd-a5b20efd4a02}\ (14 subtraces) (ID = 125304)
2:54 PM: HKLM\software\classes\clsid\{fa790a6c-5c23-d631-08dd-a5b20efd4a02}\ (14 subtraces) (ID = 125339)
2:54 PM: HKU\.default\software\maxthon\plugin\toolbar\{44be0690-5429-47f0-85bb-3ffd8020233e}\ (1 subtraces) (ID = 125650)
2:54 PM: HKLM\software\effective-i\ (ID = 125658)
2:54 PM: Found Adware: linkmaker
2:54 PM: HKLM\software\classes\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129743)
2:54 PM: HKCR\typelib\{423550e9-2f83-4678-9929-c1774088b180}\ (9 subtraces) (ID = 129750)
2:54 PM: Found System Monitor: sc-keylog
2:54 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\explorer\ (6 subtraces) (ID = 140468)
2:54 PM: HKU\.default\software\surfsidekick3\ (2 subtraces) (ID = 143387)
2:54 PM: HKCR\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143389)
2:54 PM: HKLM\software\classes\clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9}\ (3 subtraces) (ID = 143392)
2:54 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
2:54 PM: HKLM\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143406)
2:54 PM: HKLM\software\microsoft\windows\currentversion\uninstall\surf sidekick\ (2 subtraces) (ID = 143408)
2:54 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
2:54 PM: HKLM\software\ql\ (3 subtraces) (ID = 359458)
2:54 PM: Found Adware: winad
2:54 PM: HKCR\appid\mediagateway.exe\ (1 subtraces) (ID = 359541)
2:54 PM: HKLM\software\classes\appid\mediagateway.exe\ (1 subtraces) (ID = 359543)
2:54 PM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
2:54 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
2:54 PM: Found Adware: 180search assistant/zango
2:54 PM: HKCR\clsid\{d676f999-4608-4dc5-a135-4f51f4212739}\ (1 subtraces) (ID = 792270)
2:54 PM: HKLM\software\classes\clsid\{d676f999-4608-4dc5-a135-4f51f4212739}\ (1 subtraces) (ID = 792320)
2:54 PM: HKLM\software\microsoft\windows nt\currentversion\windows\ || appinit_dlls (ID = 819064)
2:54 PM: HKLM\software\qstat\ || brr (ID = 877670)
2:54 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
2:54 PM: Found Adware: dollarrevenue
2:54 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
2:54 PM: HKLM\system\currentcontrolset\services\cmdservice\ (12 subtraces) (ID = 958670)
2:54 PM: HKLM\software\microsoft\windows\currentversion\uninstall\webnexus\ (2 subtraces) (ID = 1006191)
2:54 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
2:54 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
2:54 PM: Found Trojan Horse: trojan-downloader-dh
2:54 PM: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
2:54 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
2:54 PM: Found Adware: findthewebsiteyouneed hijacker
2:54 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsysban (ID = 1121712)
2:54 PM: HKCR\permeation.permeater\ (3 subtraces) (ID = 1133968)
2:54 PM: HKCR\permeation.permeater.1\ (3 subtraces) (ID = 1133972)
2:54 PM: HKCR\permeation.trecker\ (3 subtraces) (ID = 1133976)
2:54 PM: HKCR\permeation.trecker.1\ (3 subtraces) (ID = 1133980)
2:54 PM: HKCR\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1133998)
2:54 PM: HKCR\clsid\{39c78b50-7e98-4aa0-b007-d83114ea6e0f}\ (8 subtraces) (ID = 1134010)
2:54 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)
2:54 PM: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
2:54 PM: HKLM\software\classes\permeation.permeater\ (3 subtraces) (ID = 1134157)
2:54 PM: HKLM\software\classes\permeation.permeater.1\ (3 subtraces) (ID = 1134161)
2:54 PM: HKLM\software\classes\permeation.trecker\ (3 subtraces) (ID = 1134165)
2:54 PM: HKLM\software\classes\permeation.trecker.1\ (3 subtraces) (ID = 1134169)
2:54 PM: HKLM\software\classes\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1134187)
2:54 PM: HKLM\software\classes\clsid\{39c78b50-7e98-4aa0-b007-d83114ea6e0f}\ (8 subtraces) (ID = 1134199)
2:54 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)
2:54 PM: HKCR\clsid\{39c78b50-7e98-4aa0-b007-d83114ea6e0f}\inprocserver32\ (ID = 1135242)
2:54 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{39c78b50-7e98-4aa0-b007-d83114ea6e0f}\ (ID = 1135362)
2:54 PM: HKLM\software\microsoft\windows\currentversion\run\ || susse (ID = 1135364)
2:54 PM: Found Adware: lopdotcom
2:54 PM: HKU\WRSS_Profile_S-1-5-21-1608279117-3833581854-4065617495-1008\software\microsoft\internet explorer\new windows\allow\ || lop.com (ID = 130287)
2:54 PM: HKU\WRSS_Profile_S-1-5-21-1608279117-3833581854-4065617495-1008\software\microsoft\internet explorer\new windows\allow\ || www.lop.com (ID = 130289)
2:54 PM: Found Adware: search200.com hijacker
2:54 PM: HKU\WRSS_Profile_S-1-5-21-1608279117-3833581854-4065617495-1008\software\microsoft\internet explorer\new windows\allow\ || search200.com (ID = 134078)
2:54 PM: HKU\WRSS_Profile_S-1-5-21-1608279117-3833581854-4065617495-1008\software\microsoft\internet explorer\new windows\allow\ || www.search200.com (ID = 134079)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\new windows\allow\ || lop.com (ID = 130287)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\new windows\allow\ || www.lop.com (ID = 130289)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\new windows\allow\ || search200.com (ID = 134078)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\new windows\allow\ || www.search200.com (ID = 134079)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\surfsidekick3\ (2 subtraces) (ID = 143412)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1007\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\effective-i\ (7 subtraces) (ID = 125657)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\maxthon\plugin\toolbar\{44be0690-5429-47f0-85bb-3ffd8020233e}\ (1 subtraces) (ID = 125661)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {44be0690-5429-47f0-85bb-3ffd8020233e} (ID = 125668)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\internet explorer\new windows\allow\ || lop.com (ID = 130287)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\internet explorer\new windows\allow\ || www.lop.com (ID = 130289)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\internet explorer\new windows\allow\ || search200.com (ID = 134078)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\internet explorer\new windows\allow\ || www.search200.com (ID = 134079)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\surfsidekick3\ (3 subtraces) (ID = 143412)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
2:54 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
2:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
2:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 125238)
2:54 PM: HKU\S-1-5-18\software\effective-i\ (7 subtraces) (ID = 125657)
2:54 PM: HKU\S-1-5-18\software\maxthon\plugin\toolbar\{44be0690-5429-47f0-85bb-3ffd8020233e}\ (1 subtraces) (ID = 125661)
2:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\ || {44be0690-5429-47f0-85bb-3ffd8020233e} (ID = 125662)
2:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {44be0690-5429-47f0-85bb-3ffd8020233e} (ID = 125668)
2:54 PM: HKU\S-1-5-18\software\surfsidekick3\ (2 subtraces) (ID = 143412)
2:54 PM: HKU\S-1-5-18\software\zango\ (14 subtraces) (ID = 147919)
2:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
2:54 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
2:54 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
2:54 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
2:54 PM: Registry Sweep Complete, Elapsed Time:00:00:54
2:54 PM: Starting Cookie Sweep
2:54 PM: Found Spy Cookie: 64.62.232 cookie
2:54 PM: backup administrator@64.62.232[2].txt (ID = 1987)
2:54 PM: Found Spy Cookie: 66.220.17 cookie
2:54 PM: backup administrator@66.220.17[1].txt (ID = 1991)
2:54 PM: Found Spy Cookie: 7search cookie
2:54 PM: backup administrator@7search[2].txt (ID = 2011)
2:54 PM: Found Spy Cookie: yieldmanager cookie
2:54 PM: backup administrator@ad.yieldmanager[2].txt (ID = 3751)
2:54 PM: Found Spy Cookie: adrevolver cookie
2:54 PM: backup administrator@adrevolver[2].txt (ID = 2088)
2:54 PM: backup administrator@adrevolver[3].txt (ID = 2088)
2:54 PM: Found Spy Cookie: cc214142 cookie
2:54 PM: backup administrator@ads.cc214142[1].txt (ID = 2367)
2:54 PM: Found Spy Cookie: azjmp cookie
2:54 PM: backup administrator@azjmp[2].txt (ID = 2270)
2:54 PM: Found Spy Cookie: banner cookie
2:54 PM: backup administrator@banner[1].txt (ID = 2276)
2:54 PM: Found Spy Cookie: reliablestats cookie
2:54 PM: backup administrator@stats1.reliablestats[1].txt (ID = 3254)
2:54 PM: Found Spy Cookie: xiti cookie
2:54 PM: backup administrator@xiti[1].txt (ID = 3717)
2:54 PM: Found Spy Cookie: 365 cookie
2:54 PM: julie@365[1].txt (ID = 1963)
2:54 PM: Found Spy Cookie: qsrch cookie
2:54 PM: julie@newnet.qsrch[2].txt (ID = 3216)
2:54 PM: Found Spy Cookie: nextag cookie
2:54 PM: julie@nextag[2].txt (ID = 5014)
2:54 PM: Found Spy Cookie: pub cookie
2:54 PM: julie@pub[1].txt (ID = 3205)
2:54 PM: Found Spy Cookie: search200 cookie
2:54 PM: julie@search200[2].txt (ID = 3309)
2:54 PM: Found Spy Cookie: tickle cookie
2:54 PM: julie@tickle[1].txt (ID = 3529)
2:54 PM: julie@web.tickle[2].txt (ID = 3530)
2:54 PM: Found Spy Cookie: xzoomy cookie
2:54 PM: julie@www.xzoomy[1].txt (ID = 3742)
2:54 PM: Found Spy Cookie: yadro cookie
2:54 PM: julie@yadro[1].txt (ID = 3743)
2:54 PM: Found Spy Cookie: 2o7.net cookie
2:54 PM: katie@2o7[2].txt (ID = 1957)
2:54 PM: katie@365[2].txt (ID = 1963)
2:54 PM: katie@64.62.232[1].txt (ID = 1987)
2:54 PM: katie@66.220.17[1].txt (ID = 1991)
2:54 PM: katie@66.220.17[3].txt (ID = 1991)
2:54 PM: katie@ad.yieldmanager[1].txt (ID = 3751)
2:54 PM: katie@adrevolver[1].txt (ID = 2088)
2:54 PM: katie@adrevolver[2].txt (ID = 2088)
2:54 PM: katie@adrevolver[3].txt (ID = 2088)
2:54 PM: katie@adrevolver[4].txt (ID = 2088)
2:54 PM: katie@adrevolver[5].txt (ID = 2088)
2:54 PM: katie@ads.cc214142[1].txt (ID = 2367)
2:54 PM: Found Spy Cookie: advertising cookie
2:54 PM: katie@advertising[2].txt (ID = 2175)
2:54 PM: Found Spy Cookie: directtrack cookie
2:54 PM: katie@arrowmags.directtrack[1].txt (ID = 2528)
2:54 PM: Found Spy Cookie: ask cookie
2:54 PM: katie@ask[2].txt (ID = 2245)
2:54 PM: Found Spy Cookie: atlas dmt cookie
2:54 PM: katie@atdmt[2].txt (ID = 2253)
2:54 PM: Found Spy Cookie: belnk cookie
2:54 PM: katie@ath.belnk[2].txt (ID = 2293)
2:54 PM: Found Spy Cookie: atwola cookie
2:54 PM: katie@atwola[1].txt (ID = 2255)
2:54 PM: katie@azjmp[2].txt (ID = 2270)
2:54 PM: Found Spy Cookie: a cookie
2:54 PM: katie@a[2].txt (ID = 2027)
2:54 PM: katie@banner[1].txt (ID = 2276)
2:54 PM: katie@belnk[1].txt (ID = 2292)
2:54 PM: Found Spy Cookie: enhance cookie
2:54 PM: katie@c.enhance[1].txt (ID = 2614)
2:54 PM: Found Spy Cookie: gostats cookie
2:54 PM: katie@c3.gostats[2].txt (ID = 2748)
2:54 PM: Found Spy Cookie: casalemedia cookie
2:54 PM: katie@casalemedia[1].txt (ID = 2354)
2:54 PM: katie@cookie.tickle[1].txt (ID = 3530)
2:54 PM: Found Spy Cookie: coremetrics cookie
2:54 PM: katie@data.coremetrics[1].txt (ID = 2472)
2:54 PM: Found Spy Cookie: did-it cookie
2:54 PM: katie@did-it[2].txt (ID = 2523)
2:54 PM: katie@directtrack[1].txt (ID = 2527)
2:54 PM: katie@dist.belnk[2].txt (ID = 2293)
2:54 PM: Found Spy Cookie: ru4 cookie
2:54 PM: katie@edge.ru4[2].txt (ID = 3269)
2:54 PM: Found Spy Cookie: euniverseads cookie
2:54 PM: katie@euniverseads[1].txt (ID = 2629)
2:54 PM: Found Spy Cookie: gorillanation cookie
2:54 PM: katie@gorillanation[1].txt (ID = 2746)
2:54 PM: Found Spy Cookie: gotoast cookie
2:54 PM: katie@gotoast[1].txt (ID = 2751)
2:54 PM: Found Spy Cookie: maxserving cookie
2:54 PM: katie@maxserving[1].txt (ID = 2966)
2:54 PM: Found Spy Cookie: mediaplex cookie
2:54 PM: katie@mediaplex[1].txt (ID = 6442)
2:54 PM: katie@newnet.qsrch[2].txt (ID = 3216)
2:54 PM: katie@nextag[2].txt (ID = 5014)
2:54 PM: Found Spy Cookie: offeroptimizer cookie
2:54 PM: katie@offeroptimizer[2].txt (ID = 3087)
2:54 PM: Found Spy Cookie: matchmaker cookie
2:54 PM: katie@oreo.matchmaker[1].txt (ID = 2956)
2:54 PM: Found Spy Cookie: overture cookie
2:54 PM: katie@overture[2].txt (ID = 3105)
2:54 PM: Found Spy Cookie: passion cookie
2:54 PM: katie@passion[1].txt (ID = 3113)
2:54 PM: Found Spy Cookie: reunion cookie
2:54 PM: katie@reunion[1].txt (ID = 3255)
2:54 PM: Found Spy Cookie: revenue.net cookie
2:54 PM: katie@revenue[2].txt (ID = 3257)
2:54 PM: Found Spy Cookie: rightmedia cookie
2:54 PM: katie@rightmedia[1].txt (ID = 3259)
2:54 PM: Found Spy Cookie: rn11 cookie
2:54 PM: katie@rn11[2].txt (ID = 3261)
2:54 PM: katie@search200[1].txt (ID = 3309)
2:54 PM: Found Spy Cookie: seeq cookie
2:54 PM: katie@seeq[1].txt (ID = 3331)
2:54 PM: Found Spy Cookie: server.iad.liveperson cookie
2:54 PM: katie@server.iad.liveperson[2].txt (ID = 3341)
2:54 PM: Found Spy Cookie: servlet cookie
2:54 PM: katie@servlet[1].txt (ID = 3345)
2:54 PM: katie@servlet[2].txt (ID = 3345)
2:54 PM: Found Spy Cookie: lopdotcom cookie
2:54 PM: katie@srch.lop[2].txt (ID = 2937)
2:54 PM: Found Spy Cookie: clicktracks cookie
2:54 PM: katie@stats2.clicktracks[1].txt (ID = 2407)
2:54 PM: katie@tickle[2].txt (ID = 3529)
2:54 PM: Found Spy Cookie: tracking cookie
2:54 PM: katie@tracking[1].txt (ID = 3571)
2:54 PM: katie@twci.coremetrics[1].txt (ID = 2472)
2:54 PM: Found Spy Cookie: uproar cookie
2:54 PM: katie@uproar[2].txt (ID = 3612)
2:54 PM: katie@www.ask[2].txt (ID = 2246)
2:54 PM: Found Spy Cookie: myfunstart cookie
2:54 PM: katie@www.myfunstart[2].txt (ID = 3040)
2:54 PM: katie@www.nextag[1].txt (ID = 5015)
2:54 PM: katie@www.uproar[1].txt (ID = 3613)
2:54 PM: katie@www.xzoomy[1].txt (ID = 3742)
2:54 PM: katie@xiti[1].txt (ID = 3717)
2:54 PM: Found Spy Cookie: xuppa cookie
2:54 PM: katie@xuppa[2].txt (ID = 3729)
2:54 PM: Found Spy Cookie: zedo cookie
2:54 PM: katie@zedo[1].txt (ID = 3762)
2:54 PM: Found Spy Cookie: 216.221.138 cookie
2:55 PM: jack@216.221.138[2].txt (ID = 1947)
2:55 PM: Found Spy Cookie: 3 cookie
2:55 PM: jack@3[2].txt (ID = 1959)
2:55 PM: Found Spy Cookie: 412 cookie
2:55 PM: jack@412[2].txt (ID = 1969)
2:55 PM: jack@66.220.17[1].txt (ID = 1991)
2:55 PM: jack@66.220.17[2].txt (ID = 1991)
2:55 PM: jack@66.220.17[3].txt (ID = 1991)
2:55 PM: Found Spy Cookie: 888 cookie
2:55 PM: jack@888[2].txt (ID = 2019)
2:55 PM: jack@ad.reunion[1].txt (ID = 3256)
2:55 PM: jack@ad.yieldmanager[1].txt (ID = 3751)
2:55 PM: jack@adrevolver[2].txt (ID = 2088)
2:55 PM: jack@adrevolver[3].txt (ID = 2088)
2:55 PM: jack@ads.cc214142[1].txt (ID = 2367)
2:55 PM: Found Spy Cookie: adultfriendfinder cookie
2:55 PM: jack@adultfriendfinder[2].txt (ID = 2165)
2:55 PM: Found Spy Cookie: apmebf cookie
2:55 PM: jack@apmebf[2].txt (ID = 2229)
2:55 PM: jack@ask[2].txt (ID = 2245)
2:55 PM: jack@ath.belnk[2].txt (ID = 2293)
2:55 PM: Found Spy Cookie: searchingbooth cookie
2:55 PM: jack@banners.searchingbooth[1].txt (ID = 3322)
2:55 PM: jack@banner[2].txt (ID = 2276)
2:55 PM: jack@belnk[1].txt (ID = 2292)
2:55 PM: jack@c2.gostats[2].txt (ID = 2748)
2:55 PM: Found Spy Cookie: callwave cookie
2:55 PM: jack@callwave[2].txt (ID = 2342)
2:55 PM: jack@cookie.tickle[1].txt (ID = 3530)
2:55 PM: Found Spy Cookie: 360i cookie
2:55 PM: jack@ct.360i[2].txt (ID = 1962)
2:55 PM: jack@did-it[2].txt (ID = 2523)
2:55 PM: jack@directtrack[1].txt (ID = 2527)
2:55 PM: jack@dist.belnk[2].txt (ID = 2293)
2:55 PM: jack@gotoast[1].txt (ID = 2751)
2:55 PM: Found Spy Cookie: ic-live cookie
2:55 PM: jack@ic-live[1].txt (ID = 2821)
2:55 PM: Found Spy Cookie: infospace cookie
2:55 PM: jack@infospace[1].txt (ID = 2865)
2:55 PM: Found Spy Cookie: kmpads cookie
2:55 PM: jack@kmpads[2].txt (ID = 2909)
2:55 PM: jack@microsofteup.112.2o7[1].txt (ID = 1958)
2:55 PM: jack@offersquest.directtrack[1].txt (ID = 2528)
2:55 PM: Found Spy Cookie: partypoker cookie
2:55 PM: jack@partypoker[2].txt (ID = 3111)
2:55 PM: jack@passion[1].txt (ID = 3113)
2:55 PM: jack@pub[1].txt (ID = 3205)
2:55 PM: jack@reunion[1].txt (ID = 3255)
2:55 PM: jack@rightmedia[1].txt (ID = 3259)
2:55 PM: jack@search200[1].txt (ID = 3309)
2:55 PM: jack@seeq[1].txt (ID = 3331)
2:55 PM: jack@servlet[2].txt (ID = 3345)
2:55 PM: Found Spy Cookie: spywarestormer cookie
2:55 PM: jack@spywarestormer[1].txt (ID = 3417)
2:55 PM: Found Spy Cookie: statcounter cookie
2:55 PM: jack@statcounter[1].txt (ID = 3447)
2:55 PM: Found Spy Cookie: stlyrics cookie
2:55 PM: jack@stlyrics[2].txt (ID = 3461)
2:55 PM: jack@tickle[1].txt (ID = 3529)
2:55 PM: Found Spy Cookie: trb.com cookie
2:55 PM: jack@trb[1].txt (ID = 3587)
2:55 PM: Found Spy Cookie: videodome cookie
2:55 PM: jack@videodome[1].txt (ID = 3638)
2:55 PM: jack@www.ask[1].txt (ID = 2246)
2:55 PM: Found Spy Cookie: starpulse cookie
2:55 PM: jack@www.starpulse[1].txt (ID = 3440)
2:55 PM: jack@www.stlyrics[1].txt (ID = 3462)
2:55 PM: Found Spy Cookie: stopzilla cookie
2:55 PM: jack@www.stopzilla[1].txt (ID = 3466)
2:55 PM: Found Spy Cookie: upspiral cookie
2:55 PM: jack@www.upspiral[1].txt (ID = 3615)
2:55 PM: Found Spy Cookie: web-stat cookie
2:55 PM: jack@www.web-stat[2].txt (ID = 3649)
2:55 PM: jack@www.xzoomy[2].txt (ID = 3742)
2:55 PM: jack@xiti[1].txt (ID = 3717)
2:55 PM: jack@xuppa[1].txt (ID = 3729)
2:55 PM: jack@yieldmanager[1].txt (ID = 3749)
2:55 PM: system@2o7[2].txt (ID = 1957)
2:55 PM: Found Spy Cookie: classmates cookie
2:55 PM: system@classmates[2].txt (ID = 2384)
2:55 PM: system@lop[1].txt (ID = 2936)
2:55 PM: Cookie Sweep Complete, Elapsed Time: 00:00:36
2:55 PM: Starting File Sweep
2:55 PM: Found Adware: apropos
2:55 PM: c:\documents and settings\katie\local settings\temp\atf (ID = -2147481416)
2:55 PM: c:\documents and settings\katie\local settings\temp\~compoundinst0 (ID = -2147481413)
2:55 PM: c:\program files\surfsidekick 3 (3 subtraces) (ID = -2147480186)
2:55 PM: c:\documents and settings\localservice\start menu\programs\ucmore - the search accelerator (3 subtraces) (ID = -2147481062)
2:55 PM: c:\program files\common files\vcclient (10 subtraces) (ID = -2147461290)
2:55 PM: c:\program files\ql (2 subtraces) (ID = -2147463315)
2:55 PM: c:\program files\jalmp (3 subtraces) (ID = -2147459072)
2:55 PM: c:\program files\network monitor (1 subtraces) (ID = -2147459771)
2:56 PM: mlgbqoft.exe (ID = 121)
2:56 PM: installer[1].exe (ID = 231664)
2:56 PM: Found Adware: look2me
2:56 PM: bw2.com (ID = 65721)
2:56 PM: cmdinst.exe (ID = 231664)
2:56 PM: 780bd51d-abba-49e5-ada1-a816d3 (ID = 59843)
2:56 PM: installer[1].exe (ID = 168558)
2:56 PM: mte3ndi6odoxng.exe (ID = 185985)
2:57 PM: aadf5515-d0c3-4131-a4e9-95257e (ID = 59843)
2:57 PM: sskknwrd.dll (ID = 77733)
2:57 PM: liteheartchinknob.exe (ID = 121)
2:57 PM: inside program.exe (ID = 121)
2:57 PM: uninstall_nmon.vbs (ID = 231442)
2:58 PM: 9400[1].cab (ID = 214364)
2:58 PM: e7b1.tmp (ID = 214364)
2:58 PM: icont.exe (ID = 65739)
2:58 PM: ibycgt[1].cab (ID = 238243)
2:58 PM: d8a1.tmp (ID = 238243)
2:59 PM: dh9013[1].exe (ID = 208497)
2:59 PM: dh9013.exe (ID = 208497)
2:59 PM: ping dog.exe (ID = 91)
2:59 PM: upayb[1].int (ID = 121)
2:59 PM: Found Adware: wfgtech
2:59 PM: inst_0004[1].exe (ID = 203674)
2:59 PM: installerus[1].exe (ID = 208542)
2:59 PM: inside program.exe (ID = 121)
2:59 PM: Found Adware: targetsaver
2:59 PM: stub_113_4_0_4_0[1].exe (ID = 193995)
2:59 PM: ss1001.exe (ID = 216718)
2:59 PM: upayb[1].int (ID = 121)
2:59 PM:
1174bb04-fa80-4a39-a7b1-ba83c6 (ID = 233482) 2:59 PM: cf7e9bb3-819a-49a2-abcc-350a73 (ID = 233481) 2:59 PM: sta4.exe (ID = 162) 3:00 PM: liteheartchinknob.exe (ID = 121) 3:00 PM: f5b135ef-d002-489b-8b93-9702cf (ID = 214398) 3:01 PM: enc bird.exe (ID = 91) 3:01 PM: 658654a9-720c-4b61-8a81-3476b1 (ID = 200314) 3:01 PM: zjeaheev.exe (ID = 95) 3:02 PM: wuauclt.dll (ID = 188706) 3:02 PM: Found Adware: zquest 3:02 PM: z00096[1].exe (ID = 208993) 3:02 PM: 53c65bf4-a8a5-4650-977f-9b0a5d (ID = 212814) 3:03 PM: dra[1].exe (ID = 216564) 3:04 PM: cygwid.exe (ID = 238239) 3:04 PM: d9601657-e437-4ef0-b365-dcbfc3 (ID = 212814) 3:05 PM: liteheartchinknob.exe (ID = 121) 3:06 PM: liteheartchinknob.exe (ID = 121) 3:06 PM: HKU\WRSS_Profile_S-1-5-21-1608279117-3833581854-4065617495-1008\Software\Microsoft\Windows\CurrentVersion\RunOnce || upd573114451 (ID = 0) 3:06 PM: a7b4c6d4-d7eb-4272-accc-e456ba (ID = 212814) 3:07 PM: d9160a2d-99b4-49db-9bed-92437b (ID = 212814) 3:07 PM: vcmain.exe (ID = 212830) 3:07 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\Software\Microsoft\Windows\CurrentVersion\Run || CU2 (ID = 0) 3:07 PM: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run || CU2 (ID = 0) 3:07 PM: vcupdate.exe (ID = 212831) 3:07 PM: a6e2d5ed.exe (ID = 121) 3:07 PM: zspokfnw.exe (ID = 95) 3:08 PM: 23f106f2-c234-41c8-8901-7facfc (ID = 216718) 3:08 PM: hpsw.exe (ID = 238236) 3:08 PM: atmtd.dll._ (ID = 166754) 3:08 PM: f82e30e4-6095-4a3a-bed0-2b9a20 (ID = 144946) 3:09 PM: installerus.exe (ID = 208542) 3:09 PM: ujjldfzs.exe (ID = 122) 3:09 PM: vcclient.exe (ID = 212828) 3:09 PM: HKU\S-1-5-21-1608279117-3833581854-4065617495-1006\Software\Microsoft\Windows\CurrentVersion\Run || CU1 (ID = 0) 3:09 PM: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run || CU1 (ID = 0) 3:09 PM: 257c2788-8b0e-4d32-b930-847009 (ID = 188701) 3:10 PM: uninstall.exe (ID = 237448) 3:10 PM: keywords[1].txt (ID = 210662) 3:10 PM: gmnmjmyq.exe (ID = 122) 3:10 PM: dh9013[1].exe (ID = 208497) 3:10 PM: 
inst_0004[1].exe (ID = 203674) 3:10 PM: installerus[1].exe (ID = 208542) 3:10 PM: stub_113_4_0_4_0[1].exe (ID = 193995) 3:10 PM: cygwid[1].exe (ID = 238239) 3:10 PM: ibycgt[1].cab (ID = 238243) 3:10 PM: e5c3b6.tmp (ID = 238243) 3:10 PM: ss1001[1].exe (ID = 216718) 3:10 PM: arpf.cfg (ID = 208796) 3:11 PM: a6f42.tmp (ID = 214364) 3:11 PM: 58dae9d9-6a02-454f-8d0c-8c6628 (ID = 188701) 3:11 PM: ucmoreiex[1].exe (ID = 59853) 3:11 PM: qldf.bin (ID = 208796) 3:11 PM: myupdates[1].exe (ID = 238586) 3:11 PM: installer.exe (ID = 168558) 3:11 PM: ss1001[1].exe (ID = 216718) 3:11 PM: ucmoreiex.exe (ID = 59853) 3:11 PM: nlrsptb.dll (ID = 159) 3:11 PM: j06m0aj1edo.dll (ID = 163672) 3:11 PM: 8dc00b9f-ef4c-47a4-a5f5-024521 (ID = 212814) 3:11 PM: 00cb0364-bc9f-4916-b7f4-b27b2c (ID = 144945) 3:11 PM: 2f6949d4-0e57-4c4b-9a46-83d5e8 (ID = 215896) 3:12 PM: qvdkqrte.exe (ID = 95) 3:12 PM: a6b3fa7d-c37a-4ceb-a8af-aed67a (ID = 106574) 3:12 PM: f542972203.exe (ID = 188701) 3:12 PM: gfxouvgf.exe (ID = 122) 3:12 PM: sta315.exe (ID = 162) 3:12 PM: f62m0gf1e62.dll (ID = 159) 3:12 PM: ucmoreiex[1].exe (ID = 59853) 3:12 PM: class-barrel (ID = 78229) 3:13 PM: vocabulary (ID = 78283) 3:13 PM: b98bc43a-8663-4310-a6ac-acacb0 (ID = 238167) 3:13 PM: be743632-7c11-4d42-b42d-bfe7e2 (ID = 238167) 3:13 PM: f2j20c1oef.dll (ID = 163672) 3:13 PM: Found Trojan Horse: trojan-downloader-avatar 3:13 PM: ast_4_mm.exe (ID = 80240) 3:13 PM: gxsxzmkb.exe (ID = 95) 3:13 PM: b1eea178-0499-4c75-9fc1-95d48f (ID = 212830) 3:13 PM: 8b5af325-3929-476d-b0b2-d44067 (ID = 212831) 3:13 PM: 54494602-9288-4405-90a5-71d14d (ID = 188701) 3:13 PM: e477f47c-7485-4963-b571-c5f6a4 (ID = 144945) 3:13 PM: e5658eae-2837-4106-ad9f-2495de (ID = 144945) 3:13 PM: 705c1e80-faa4-46be-8785-3eae6e (ID = 144946) 3:13 PM: 14fce803-f523-42a3-81a3-7c1e5e (ID = 144946) 3:14 PM: pch198.exe (ID = 67714) 3:14 PM: ss1001.exe (ID = 215896) 3:14 PM: 83f36be3-92ea-4a72-8dc7-73d4a7 (ID = 238167) 3:14 PM: ijhj.exe.bak (ID = 188701) 3:14 PM: jalmp.dll (ID = 
238167) 3:14 PM: atmtd.dll (ID = 166754) 3:14 PM: hr2205foe.dll (ID = 159) 3:14 PM: s4pu0e79eh.dll (ID = 159) 3:14 PM: nmpzypgc.exe (ID = 122) 3:14 PM: cygwid[1].exe (ID = 238239) 3:14 PM: sumsrv.dll (ID = 163672) 3:14 PM: guard.tmp (ID = 159) 3:14 PM: c95a17d4-d2e8-4516-b054-9980a2 (ID = 212828) 3:14 PM: f108375.exe (ID = 188701) 3:14 PM: 014eceba-8fe1-45ce-bf97-78d265 (ID = 106574) 3:15 PM: dr.exe (ID = 216564) 3:15 PM: dra.exe (ID = 216564) 3:15 PM: dra2[1].exe (ID = 216564) 3:15 PM: dra[1].exe (ID = 216564) 3:15 PM: dsj8m[1].jpg (ID = 216564) 3:15 PM: netmon.exe (ID = 231443) 3:15 PM: d2.exe (ID = 216564) 3:15 PM: Found Adware: adtech 3:15 PM: d9f95652-8ba4-4187-8bb2-a41d27 (ID = 209133) 3:16 PM: enc bird.exe (ID = 91) 3:16 PM: wgse.exe (ID = 238240) 3:16 PM: sskbho.dll (ID = 189) 3:16 PM: tsupdate2[1].ini (ID = 193498) 3:16 PM: tsupdate2[1].ini (ID = 193498) 3:16 PM: z00096[1].ini (ID = 209432) 3:16 PM: mte3ndi6odoxng[1].exe (ID = 185985) 3:16 PM: a77aa149-c9ff-46bd-a798-2e3fd6 (ID = 144945) 3:16 PM: Found Adware: mediamotor - popuppers 3:16 PM: mimgzqnw.exe (ID = 80861) 3:16 PM: uninstall.exe (ID = 212815) 3:16 PM: 2188f89d-7881-424c-879f-084a07 (ID = 91) 3:16 PM: dra[2].exe (ID = 216564) 3:16 PM: dra[1].exe (ID = 216564) 3:17 PM: startmediawipe.exe (ID = 90) 3:17 PM: trfxqgvt.exe (ID = 95) 3:17 PM: startmediawipe.exe (ID = 90) 3:17 PM: startmediawipe.exe (ID = 90) 3:17 PM: uahmnfxg.exe (ID = 95) 3:17 PM: 990086ac.exe (ID = 121) 3:18 PM: e2594716-237c-4a2a-a28e-1fe944 (ID = 91) 3:18 PM: moohphlo.dll (ID = 59247) 3:18 PM: list safe.exe (ID = 122) 3:18 PM: jhjqflek.exe (ID = 95) 3:18 PM: remotebat.exe (ID = 122) 3:19 PM: npclntax.dll (ID = 207057) 3:19 PM: ball boob.exe (ID = 122) 3:19 PM: uorzffdo.exe (ID = 95) 3:19 PM: uuhupbra.exe (ID = 95) 3:20 PM: fxm1.exe (ID = 67231) 3:20 PM: pch39.exe (ID = 67714) 3:20 PM: stub_113_4_0_4_0.exe (ID = 193995) 3:20 PM: 0a36ddad-a7f0-4e53-a096-14dfb4 (ID = 144946) 3:23 PM: 73967d76-9166-4f36-a02e-62203b (ID = 188706) 3:23 
PM: bat sect.exe (ID = 122) 3:23 PM: Found Trojan Horse: trojan-downloader-conhook 3:23 PM: sstqr.dll (ID = 238904) 3:23 PM: drsmartloadb.exe (ID = 216717) 3:24 PM: vgactl.cpl (ID = 189954) 3:24 PM: b3ed06b2.exe (ID = 121) 3:24 PM: iconu.exe (ID = 65721) 3:24 PM: z00096.exe (ID = 208993) 3:25 PM: npclntax.xpt (ID = 146238) 3:25 PM: setup[1].ini (ID = 225352) 3:25 PM: donotdelete[1].htm (ID = 198788) 3:25 PM: drsmartload.dat (ID = 198788) 3:25 PM: moohphlo.inf (ID = 59248) 3:25 PM: dh.ini (ID = 225352) 3:25 PM: ucmore tour.lnk (ID = 59855) 3:25 PM: how to uninstall.lnk (ID = 59838) 3:25 PM: e13ee3ec-5eb7-4f31-b31e-e72cc3 (ID = 59855) 3:25 PM: bff59263-652b-40b1-ba2d-a4f4b3 (ID = 59838) 3:25 PM: File Sweep Complete, Elapsed Time: 00:29:54 3:25 PM: Full Sweep has completed. Elapsed time 00:46:06 3:25 PM: Traces Found: 699 3:30 PM: Removal process initiated 3:31 PM: Quarantining All Traces: 180search assistant/zango 3:31 PM: Quarantining All Traces: clkoptimizer 3:31 PM: Quarantining All Traces: look2me 3:32 PM: Quarantining All Traces: lopdotcom 3:32 PM: Quarantining All Traces: sc-keylog 3:32 PM: Quarantining All Traces: apropos 3:32 PM: Quarantining All Traces: dollarrevenue 3:33 PM: Quarantining All Traces: downloadul 3:33 PM: Quarantining All Traces: quicklink search toolbar 3:34 PM: quicklink search toolbar is in use. It will be removed on reboot. 3:34 PM: C:\PROGRA~1\Jalmp\jalmp.dll is in use. It will be removed on reboot. 3:34 PM: C:\Program Files\Jalmp\jalmp.dll is in use. It will be removed on reboot. 3:34 PM: C:\WINDOWS\SYSTEM32\wgse.exe is in use. It will be removed on reboot. 3:34 PM: C:\WINDOWS\SYSTEM32\hpsw.exe is in use. It will be removed on reboot. 3:34 PM: C:\WINDOWS\SYSTEM32\wgse.exe is in use. It will be removed on reboot. 3:34 PM: C:\WINDOWS\SYSTEM32\hpsw.exe is in use. It will be removed on reboot. 3:34 PM: Quarantining All Traces: surfsidekick 3:35 PM: surfsidekick is in use. It will be removed on reboot. 3:35 PM: Ssk.exe is in use. 
It will be removed on reboot. 3:35 PM: SskBho.dll is in use. It will be removed on reboot. 3:35 PM: Ssk.exe is in use. It will be removed on reboot. 3:35 PM: Ssk.exe is in use. It will be removed on reboot. 3:35 PM: c:\program files\surfsidekick 3 is in use. It will be removed on reboot. 3:35 PM: sskbho.dll is in use. It will be removed on reboot. 3:35 PM: Quarantining All Traces: trojan-downloader-avatar 3:35 PM: Quarantining All Traces: trojan-downloader-conhook 3:35 PM: Quarantining All Traces: trojan-downloader-dh 3:35 PM: Quarantining All Traces: winad 3:35 PM: Quarantining All Traces: zquest 3:35 PM: Quarantining All Traces: adtech 3:35 PM: Quarantining All Traces: command 3:36 PM: command is in use. It will be removed on reboot. 3:36 PM: c:\program files\network monitor is in use. It will be removed on reboot. 3:36 PM: netmon.exe is in use. It will be removed on reboot. 3:36 PM: C:\Program Files\Network Monitor\netmon.exe is in use. It will be removed on reboot. 3:36 PM: Quarantining All Traces: effective-i toolbar 3:37 PM: Quarantining All Traces: findthewebsiteyouneed hijacker 3:37 PM: Quarantining All Traces: findthewebsiteyouneed hijack 3:37 PM: Quarantining All Traces: linkmaker 3:37 PM: Quarantining All Traces: mediamotor - popuppers 3:37 PM: Quarantining All Traces: search200.com hijacker 3:37 PM: Quarantining All Traces: targetsaver 3:38 PM: Quarantining All Traces: wfgtech 3:38 PM: Quarantining All Traces: 216.221.138 cookie 3:38 PM: Quarantining All Traces: 2o7.net cookie 3:38 PM: Quarantining All Traces: 3 cookie 3:38 PM: Quarantining All Traces: 360i cookie 3:38 PM: Quarantining All Traces: 365 cookie 3:38 PM: Quarantining All Traces: 412 cookie 3:38 PM: Quarantining All Traces: 64.62.232 cookie 3:38 PM: Quarantining All Traces: 66.220.17 cookie 3:38 PM: Quarantining All Traces: 7search cookie 3:38 PM: Quarantining All Traces: 888 cookie 3:38 PM: Quarantining All Traces: a cookie 3:38 PM: Quarantining All Traces: adrevolver cookie 3:38 PM: 
Quarantining All Traces: adultfriendfinder cookie 3:38 PM: Quarantining All Traces: advertising cookie 3:38 PM: Quarantining All Traces: apmebf cookie 3:38 PM: Quarantining All Traces: ask cookie 3:38 PM: Quarantining All Traces: atlas dmt cookie 3:38 PM: Quarantining All Traces: atwola cookie 3:38 PM: Quarantining All Traces: azjmp cookie 3:38 PM: Quarantining All Traces: banner cookie 3:38 PM: Quarantining All Traces: belnk cookie 3:38 PM: Quarantining All Traces: callwave cookie 3:38 PM: Quarantining All Traces: casalemedia cookie 3:38 PM: Quarantining All Traces: cc214142 cookie 3:38 PM: Quarantining All Traces: classmates cookie 3:38 PM: Quarantining All Traces: clicktracks cookie 3:38 PM: Quarantining All Traces: coremetrics cookie 3:38 PM: Quarantining All Traces: did-it cookie 3:38 PM: Quarantining All Traces: directtrack cookie 3:38 PM: Quarantining All Traces: enhance cookie 3:38 PM: Quarantining All Traces: euniverseads cookie 3:38 PM: Quarantining All Traces: gorillanation cookie 3:38 PM: Quarantining All Traces: gostats cookie 3:38 PM: Quarantining All Traces: gotoast cookie 3:38 PM: Quarantining All Traces: ic-live cookie 3:38 PM: Quarantining All Traces: infospace cookie 3:38 PM: Quarantining All Traces: kmpads cookie 3:38 PM: Quarantining All Traces: lopdotcom cookie 3:38 PM: Quarantining All Traces: matchmaker cookie 3:38 PM: Quarantining All Traces: maxserving cookie 3:38 PM: Quarantining All Traces: mediaplex cookie 3:38 PM: Quarantining All Traces: myfunstart cookie 3:38 PM: Quarantining All Traces: nextag cookie 3:38 PM: Quarantining All Traces: offeroptimizer cookie 3:38 PM: Quarantining All Traces: overture cookie 3:38 PM: Quarantining All Traces: partypoker cookie 3:38 PM: Quarantining All Traces: passion cookie 3:38 PM: Quarantining All Traces: pub cookie 3:38 PM: Quarantining All Traces: qsrch cookie 3:38 PM: Quarantining All Traces: reliablestats cookie 3:38 PM: Quarantining All Traces: reunion cookie 3:38 PM: Quarantining All Traces: 
revenue.net cookie 3:38 PM: Quarantining All Traces: rightmedia cookie 3:38 PM: Quarantining All Traces: rn11 cookie 3:38 PM: Quarantining All Traces: ru4 cookie 3:38 PM: Quarantining All Traces: search200 cookie 3:38 PM: Quarantining All Traces: searchingbooth cookie 3:38 PM: Quarantining All Traces: seeq cookie 3:38 PM: Quarantining All Traces: server.iad.liveperson cookie 3:38 PM: Quarantining All Traces: servlet cookie 3:38 PM: Quarantining All Traces: spywarestormer cookie 3:38 PM: Quarantining All Traces: starpulse cookie 3:38 PM: Quarantining All Traces: statcounter cookie 3:38 PM: Quarantining All Traces: stlyrics cookie 3:38 PM: Quarantining All Traces: stopzilla cookie 3:38 PM: Quarantining All Traces: tickle cookie 3:38 PM: Quarantining All Traces: tracking cookie 3:38 PM: Quarantining All Traces: trb.com cookie 3:38 PM: Quarantining All Traces: uproar cookie 3:38 PM: Quarantining All Traces: upspiral cookie 3:38 PM: Quarantining All Traces: videodome cookie 3:38 PM: Quarantining All Traces: web-stat cookie 3:38 PM: Quarantining All Traces: xiti cookie 3:38 PM: Quarantining All Traces: xuppa cookie 3:38 PM: Quarantining All Traces: xzoomy cookie 3:38 PM: Quarantining All Traces: yadro cookie 3:38 PM: Quarantining All Traces: yieldmanager cookie 3:38 PM: Quarantining All Traces: zedo cookie 3:39 PM: Removal process completed. Elapsed time 00:08:42 ******** 2:36 PM: | Start of Session, Sunday, February 05, 2006 | 2:36 PM: Spy Sweeper started 2:38 PM: Hosts file is too large. 2:38 PM: Hosts file is too large. 2:38 PM: Your spyware definitions have been updated. 2:39 PM: | End of Session, Sunday, February 05, 2006 |

#11 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 05 February 2006 - 08:16 PM

New HijackThis log, please.

#12 crich

crich

    New Member

  • Authentic Member
  • 18 posts

Posted 06 February 2006 - 07:41 PM

I seem to be having trouble finishing the Ewido process; it gets stuck trying to clean an item...

Here is the latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 7:28:01 PM, on 2/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\winsmx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jack\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 127h.com
O1 - Hosts: om
O1 - Hosts: ds19.focalink.com
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\uuerenv.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe

#13 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 06 February 2006 - 10:13 PM

Start > Run

In the box, type in services.msc then hit <enter> (or click OK)

In the Name column, look for Windows SMX

<Double-click> it.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled, then click Apply then OK.

NEXT

Please download hoster from the link below.

http://www.funkytoad...load/hoster.zip

Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

Next, scan with HijackThis, put a check beside these lines and choose FIX

R3 - Default URLSearchHook is missing

O1 - Hosts: 127h.com
O1 - Hosts: om
O1 - Hosts: ds19.focalink.com

O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\uuerenv.dll (file missing)

O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe

Then reboot and post a new log please.
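The fix list above is the result of reading crich's HijackThis log entry by entry and picking out the ones that do not look like a normal install. Below is an added example (my own code, not part of this thread and not part of HijackThis) that turns the reviewable part of that reasoning into triage rules run over sample log lines: a missing default URLSearchHook (R3), any hosts-file entry (O1), an autostart program launched straight from the drive root (O4), a Winlogon Notify DLL that is reported as file missing (O20), and a service with no vendor information (O23). The sample log is constructed from entries quoted in this thread; the rules are my assumptions about what a helper checks first, and they deliberately do not cover the O16 ActiveX entries, which need per-site judgement rather than a pattern.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v1.99.1 format, modelled on entries posted
# in this thread. Not the full log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 127h.com
O1 - Hosts: om
O1 - Hosts: ds19.focalink.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\uuerenv.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O23"
    line: str    # the original log line
    reason: str  # why a reviewer would look at it


# Every HijackThis entry starts with a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def o4_program_path(body: str) -> str:
    """Return the program path from an O4 line: the quoted path when there is
    one, otherwise the first drive-letter token (stops at whitespace or comma)."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', body)
    if m:
        return m.group(1)
    m = re.search(r"[A-Za-z]:\\[^\s,]*", body)
    return m.group(0) if m else ""


def launched_from_drive_root(path: str) -> bool:
    """True when the file sits directly in a drive root such as C:\\ (hypothetical
    heuristic: installers put programs under Program Files or Windows, not there)."""
    directory, _, filename = path.rpartition("\\")
    return bool(filename) and re.fullmatch(r"[A-Za-z]:\\*", directory) is not None


def triage(log_text: str) -> List[Finding]:
    """Apply the review rules to each entry and collect the ones worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line, header line, or a running-process path
        code, body = m.group("code"), m.group("body")
        if code == "R3" and "is missing" in body:
            findings.append(Finding(code, line,
                "default URLSearchHook has been removed; the HijackThis fix restores the default"))
        elif code == "O1":
            findings.append(Finding(code, line,
                "hosts file entry redirects or blocks a host name; restore a clean hosts file"))
        elif code == "O4":
            path = o4_program_path(body)
            if launched_from_drive_root(path):
                findings.append(Finding(code, line,
                    f"autostart runs {path} from the drive root, where legitimate software is rarely installed"))
        elif code == "O20" and "(file missing)" in body:
            findings.append(Finding(code, line,
                "Winlogon Notify package points at a DLL that no longer exists; remove the stale registration"))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, line,
                "service binary carries no vendor information; verify it before trusting it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the sample, the rules select the same R3, O1, O4 and O20 lines that the fix list names, plus the Windows SMX service; in the full log they would also flag the Network Monitor service, which Spy Sweeper had already identified, so a flag here means "verify", not "delete".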

#14 crich

crich

    New Member

  • Authentic Member
  • 18 posts

Posted 07 February 2006 - 12:02 AM

Latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:37:12 PM, on 2/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Jack\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
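The O4, O16, O20 and O23 sections above are where a removal helper reads first: services with no vendor string or a binary that is no longer on disk (the Network Monitor entry above shows both), Winlogon Notify DLLs, ActiveX downloads from a bare IP address, and autostarts living outside Program Files or WINDOWS. The script below is an added example and is not part of the original post or of HijackThis itself. The log lines it parses are constructed to match the shape of the log above (placeholder paths, CLSIDs and URLs), and the flags are this example's own heuristics, so a hit means "look at this" rather than "this is malware".

```python
"""Heuristic triage of HijackThis v1.99-style log lines.

Added example. The sample lines are constructed (placeholder paths, CLSIDs
and URLs); the flags are this example's heuristics, not HijackThis output.
"""
import re
from urllib.parse import urlparse

# Constructed sample following the O4/O16/O20/O23 line formats of an HJT log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (ImgCtl Class) - http://192.0.2.10/imgctl.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Validation Tool) - http://example.com/validate.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in an executable extension inside an O4 body.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b', re.I)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Autostart binaries normally live under one of these trees on an XP box.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def triage(log_text):
    """Return [(section, reason, line)] for every line worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            p = PATH_RE.search(rest)
            if p and not p.group(1).lower().startswith(TRUSTED_ROOTS):
                findings.append((section, "autostart binary outside Program Files/WINDOWS", line))
        elif section == "O16":
            # The download URL is the last " - " separated field of the entry.
            url = rest.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if IP_HOST_RE.match(host):
                findings.append((section, "ActiveX download from a bare IP address", line))
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon, a classic
            # persistence point, so every entry is checked against its vendor.
            findings.append((section, "Winlogon Notify DLL: confirm vendor and signature", line))
        elif section == "O23":
            if "Unknown owner" in rest:
                findings.append((section, "service with no vendor string", line))
            if rest.endswith("(file missing)"):
                findings.append((section, "service binary not found on disk", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against a full log pasted into `SAMPLE_LOG`, the O23 checks fire twice on a line like the Network Monitor service above (no vendor, binary missing), while the NVIDIA and Sophos entries pass. An O20 hit is deliberately a "verify" rather than a "remove": the WRNotifier entry in the log above belongs to the Webroot Spy Sweeper install that the O23 section also lists, which is exactly the cross-check a helper does by hand.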

#15 Siggyx

    SuperHelper

  • Authentic Member
  • 6,776 posts

Posted 07 February 2006 - 12:16 AM

I assume that you did not install this: gimmygames.exe. If not, please do a search for it and post the full path back in your next post, i.e. c:/XXXXX/XXXX etc.
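For the "search for it and post the full path" step, the script below is an added example, not something from the post above or from the forum's own tools. It walks a drive for a file name (case-insensitively, skipping folders it cannot read) and prints what a removal helper usually asks for next: full path, size, timestamps and MD5/SHA-256 hashes. The file name defaults to the one named above; the search root, and the temporary demo tree it builds when no root is given, are assumptions of this example.

```python
"""Find a named file anywhere under a drive root and report full path,
size, timestamps and hashes.

Added example, not part of the thread. The default file name is the one
named in the post above; the search root and the demo tree are assumptions.
"""
import hashlib
import os
import sys
import tempfile
import time


def find_file(root, name):
    """Case-insensitive search for `name` below `root`; unreadable
    directories are skipped instead of aborting the walk."""
    wanted = name.lower()
    return [
        os.path.join(dirpath, fn)
        for dirpath, _, filenames in os.walk(root, onerror=lambda err: None)
        for fn in filenames
        if fn.lower() == wanted
    ]


def _stamp(t):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(t))


def describe(path):
    """Size, timestamps and MD5/SHA-256 for one file, read in 64 KiB chunks."""
    st = os.stat(path)
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {
        "path": path,
        "size": st.st_size,
        "modified": _stamp(st.st_mtime),
        # st_ctime is the creation time on Windows, inode change time elsewhere.
        "ctime": _stamp(st.st_ctime),
        "md5": md5.hexdigest(),
        "sha256": sha.hexdigest(),
    }


def make_demo_tree():
    """Constructed fixture: a temp tree holding one empty decoy file with
    the target name, so the script can be exercised without a real drive."""
    root = tempfile.mkdtemp(prefix="hjt_demo_")
    nested = os.path.join(root, "WINDOWS", "Temp")
    os.makedirs(nested)
    open(os.path.join(nested, "GimmyGames.exe"), "wb").close()
    return root


if __name__ == "__main__":
    # Usage: python find_file.py [root] [name]
    # e.g.   python find_file.py C:\ gimmygames.exe
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    name = sys.argv[2] if len(sys.argv) > 2 else "gimmygames.exe"
    hits = find_file(root, name)
    if not hits:
        print(f"{name}: not found under {root}")
    for hit in hits:
        for key, value in describe(hit).items():
            print(f"{key:>9}: {value}")
        print()
```

Reporting every hit rather than the first matters here: a dropper often leaves a copy in a temp folder as well as the one that is run, and the hashes let a helper compare the copies and look them up without the file ever being attached to a post.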
