Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can't tackle loadingwebsite.com, spotresults.com.


  • This topic is locked This topic is locked

#16
Petrus

Petrus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Sorry I was gone for two weeks :tazz:

Here my new log

C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1428 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ajwav.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\azaolgj316o.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\cfmmdlg.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\cvetcfg.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\dkprpres.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\dSdxof.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\en6ol1j31.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\enjml1111.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\enjql1151.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\exentprf.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\g622lgfo162c.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\g6jolg1316.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\hr2405fqe.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\hrju0519e.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\hrls0537e.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\hrru0599e.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\i0nmla511d.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\k0080adued080.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\k644lghq164e.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\kddtuf.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\kgdinben.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\ktlsl7371.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\l66olgj316o.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\l6p2lg7o16.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\ltj0271mg.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\lv0209doe.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\lv4009hme.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\lvj0091me.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\lvj2091oe.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\lvn2095oe.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\lvp2097oe.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\m0280afued280.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\MbPMSNSv.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\oaesvr32.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\oamanage.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\p68qlgl516q.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\padrv.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\rNschap.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\scnike.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\sxdpsrv.dll
1 Datei(en) kopiert.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 Datei(en) kopiert.
deleting: C:\WINDOWS\system32\ajwav.dll
Successfully Deleted: C:\WINDOWS\system32\ajwav.dll
deleting: C:\WINDOWS\system32\azaolgj316o.dll
Successfully Deleted: C:\WINDOWS\system32\azaolgj316o.dll
deleting: C:\WINDOWS\system32\cfmmdlg.dll
Successfully Deleted: C:\WINDOWS\system32\cfmmdlg.dll
deleting: C:\WINDOWS\system32\cvetcfg.dll
Successfully Deleted: C:\WINDOWS\system32\cvetcfg.dll
deleting: C:\WINDOWS\system32\dkprpres.dll
Successfully Deleted: C:\WINDOWS\system32\dkprpres.dll
deleting: C:\WINDOWS\system32\dSdxof.dll
Successfully Deleted: C:\WINDOWS\system32\dSdxof.dll
deleting: C:\WINDOWS\system32\en6ol1j31.dll
Successfully Deleted: C:\WINDOWS\system32\en6ol1j31.dll
deleting: C:\WINDOWS\system32\enjml1111.dll
Successfully Deleted: C:\WINDOWS\system32\enjml1111.dll
deleting: C:\WINDOWS\system32\enjql1151.dll
Successfully Deleted: C:\WINDOWS\system32\enjql1151.dll
deleting: C:\WINDOWS\system32\exentprf.dll
Successfully Deleted: C:\WINDOWS\system32\exentprf.dll
deleting: C:\WINDOWS\system32\g622lgfo162c.dll
Successfully Deleted: C:\WINDOWS\system32\g622lgfo162c.dll
deleting: C:\WINDOWS\system32\g6jolg1316.dll
Successfully Deleted: C:\WINDOWS\system32\g6jolg1316.dll
deleting: C:\WINDOWS\system32\hr2405fqe.dll
Successfully Deleted: C:\WINDOWS\system32\hr2405fqe.dll
deleting: C:\WINDOWS\system32\hrju0519e.dll
Successfully Deleted: C:\WINDOWS\system32\hrju0519e.dll
deleting: C:\WINDOWS\system32\hrls0537e.dll
Successfully Deleted: C:\WINDOWS\system32\hrls0537e.dll
deleting: C:\WINDOWS\system32\hrru0599e.dll
Successfully Deleted: C:\WINDOWS\system32\hrru0599e.dll
deleting: C:\WINDOWS\system32\i0nmla511d.dll
Successfully Deleted: C:\WINDOWS\system32\i0nmla511d.dll
deleting: C:\WINDOWS\system32\k0080adued080.dll
Successfully Deleted: C:\WINDOWS\system32\k0080adued080.dll
deleting: C:\WINDOWS\system32\k644lghq164e.dll
Successfully Deleted: C:\WINDOWS\system32\k644lghq164e.dll
deleting: C:\WINDOWS\system32\kddtuf.dll
Successfully Deleted: C:\WINDOWS\system32\kddtuf.dll
deleting: C:\WINDOWS\system32\kgdinben.dll
Successfully Deleted: C:\WINDOWS\system32\kgdinben.dll
deleting: C:\WINDOWS\system32\ktlsl7371.dll
Successfully Deleted: C:\WINDOWS\system32\ktlsl7371.dll
deleting: C:\WINDOWS\system32\l66olgj316o.dll
Successfully Deleted: C:\WINDOWS\system32\l66olgj316o.dll
deleting: C:\WINDOWS\system32\l6p2lg7o16.dll
Successfully Deleted: C:\WINDOWS\system32\l6p2lg7o16.dll
deleting: C:\WINDOWS\system32\ltj0271mg.dll
Successfully Deleted: C:\WINDOWS\system32\ltj0271mg.dll
deleting: C:\WINDOWS\system32\lv0209doe.dll
Successfully Deleted: C:\WINDOWS\system32\lv0209doe.dll
deleting: C:\WINDOWS\system32\lv4009hme.dll
Successfully Deleted: C:\WINDOWS\system32\lv4009hme.dll
deleting: C:\WINDOWS\system32\lvj0091me.dll
Successfully Deleted: C:\WINDOWS\system32\lvj0091me.dll
deleting: C:\WINDOWS\system32\lvj2091oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvj2091oe.dll
deleting: C:\WINDOWS\system32\lvn2095oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvn2095oe.dll
deleting: C:\WINDOWS\system32\lvp2097oe.dll
Successfully Deleted: C:\WINDOWS\system32\lvp2097oe.dll
deleting: C:\WINDOWS\system32\m0280afued280.dll
Successfully Deleted: C:\WINDOWS\system32\m0280afued280.dll
deleting: C:\WINDOWS\system32\MbPMSNSv.dll
Successfully Deleted: C:\WINDOWS\system32\MbPMSNSv.dll
deleting: C:\WINDOWS\system32\oaesvr32.dll
Successfully Deleted: C:\WINDOWS\system32\oaesvr32.dll
deleting: C:\WINDOWS\system32\oamanage.dll
Successfully Deleted: C:\WINDOWS\system32\oamanage.dll
deleting: C:\WINDOWS\system32\p68qlgl516q.dll
Successfully Deleted: C:\WINDOWS\system32\p68qlgl516q.dll
deleting: C:\WINDOWS\system32\padrv.dll
Successfully Deleted: C:\WINDOWS\system32\padrv.dll
deleting: C:\WINDOWS\system32\rNschap.dll
Successfully Deleted: C:\WINDOWS\system32\rNschap.dll
deleting: C:\WINDOWS\system32\scnike.dll
Successfully Deleted: C:\WINDOWS\system32\scnike.dll
deleting: C:\WINDOWS\system32\sxdpsrv.dll
Successfully Deleted: C:\WINDOWS\system32\sxdpsrv.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: ajwav.dll (188 bytes security) (deflated 5%)
adding: azaolgj316o.dll (188 bytes security) (deflated 5%)
adding: cfmmdlg.dll (188 bytes security) (deflated 4%)
adding: cvetcfg.dll (188 bytes security) (deflated 4%)
adding: dkprpres.dll (188 bytes security) (deflated 5%)
adding: dSdxof.dll (188 bytes security) (deflated 4%)
adding: en6ol1j31.dll (188 bytes security) (deflated 4%)
adding: enjml1111.dll (188 bytes security) (deflated 5%)
adding: enjql1151.dll (188 bytes security) (deflated 4%)
adding: exentprf.dll (188 bytes security) (deflated 4%)
adding: g622lgfo162c.dll (188 bytes security) (deflated 4%)
adding: g6jolg1316.dll (188 bytes security) (deflated 5%)
adding: hr2405fqe.dll (188 bytes security) (deflated 5%)
adding: hrju0519e.dll (188 bytes security) (deflated 4%)
adding: hrls0537e.dll (188 bytes security) (deflated 4%)
adding: hrru0599e.dll (188 bytes security) (deflated 5%)
adding: i0nmla511d.dll (188 bytes security) (deflated 5%)
adding: k0080adued080.dll (188 bytes security) (deflated 6%)
adding: k644lghq164e.dll (188 bytes security) (deflated 5%)
adding: kddtuf.dll (188 bytes security) (deflated 4%)
adding: kgdinben.dll (188 bytes security) (deflated 4%)
adding: ktlsl7371.dll (188 bytes security) (deflated 4%)
adding: l66olgj316o.dll (188 bytes security) (deflated 4%)
adding: l6p2lg7o16.dll (188 bytes security) (deflated 4%)
adding: ltj0271mg.dll (188 bytes security) (deflated 4%)
adding: lv0209doe.dll (188 bytes security) (deflated 4%)
adding: lv4009hme.dll (188 bytes security) (deflated 5%)
adding: lvj0091me.dll (188 bytes security) (deflated 5%)
adding: lvj2091oe.dll (188 bytes security) (deflated 5%)
adding: lvn2095oe.dll (188 bytes security) (deflated 4%)
adding: lvp2097oe.dll (188 bytes security) (deflated 4%)
adding: m0280afued280.dll (188 bytes security) (deflated 5%)
adding: MbPMSNSv.dll (188 bytes security) (deflated 5%)
adding: oaesvr32.dll (188 bytes security) (deflated 5%)
adding: oamanage.dll (188 bytes security) (deflated 5%)
adding: p68qlgl516q.dll (188 bytes security) (deflated 4%)
adding: padrv.dll (188 bytes security) (deflated 4%)
adding: rNschap.dll (188 bytes security) (deflated 4%)
adding: scnike.dll (188 bytes security) (deflated 4%)
adding: sxdpsrv.dll (188 bytes security) (deflated 5%)
adding: guard.tmp (188 bytes security) (deflated 4%)
adding: clear.reg (188 bytes security) (deflated 61%)
adding: lo2.txt (188 bytes security) (deflated 88%)
adding: test.txt (188 bytes security) (deflated 82%)
adding: test2.txt (188 bytes security) (deflated 42%)
adding: test3.txt (188 bytes security) (deflated 42%)
adding: test5.txt (188 bytes security) (deflated 42%)
adding: uhuhuhu.txt (188 bytes security) (stored 0%)
adding: xfind.txt (188 bytes security) (deflated 77%)
adding: Zima_Info.txt (188 bytes security) (deflated 58%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-AUTORITéT\SYSTEM
(IO) ALLOW Full access NT-AUTORITéT\SYSTEM
(NI) ALLOW Full access NT-AUTORITéT\SYSTEM
(IO) ALLOW Full access NT-AUTORITéT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITéT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITéT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: ajwav.dll
deleting local copy: azaolgj316o.dll
deleting local copy: cfmmdlg.dll
deleting local copy: cvetcfg.dll
deleting local copy: dkprpres.dll
deleting local copy: dSdxof.dll
deleting local copy: en6ol1j31.dll
deleting local copy: enjml1111.dll
deleting local copy: enjql1151.dll
deleting local copy: exentprf.dll
deleting local copy: g622lgfo162c.dll
deleting local copy: g6jolg1316.dll
deleting local copy: hr2405fqe.dll
deleting local copy: hrju0519e.dll
deleting local copy: hrls0537e.dll
deleting local copy: hrru0599e.dll
deleting local copy: i0nmla511d.dll
deleting local copy: k0080adued080.dll
deleting local copy: k644lghq164e.dll
deleting local copy: kddtuf.dll
deleting local copy: kgdinben.dll
deleting local copy: ktlsl7371.dll
deleting local copy: l66olgj316o.dll
deleting local copy: l6p2lg7o16.dll
deleting local copy: ltj0271mg.dll
deleting local copy: lv0209doe.dll
deleting local copy: lv4009hme.dll
deleting local copy: lvj0091me.dll
deleting local copy: lvj2091oe.dll
deleting local copy: lvn2095oe.dll
deleting local copy: lvp2097oe.dll
deleting local copy: m0280afued280.dll
deleting local copy: MbPMSNSv.dll
deleting local copy: oaesvr32.dll
deleting local copy: oamanage.dll
deleting local copy: p68qlgl516q.dll
deleting local copy: padrv.dll
deleting local copy: rNschap.dll
deleting local copy: scnike.dll
deleting local copy: sxdpsrv.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ajwav.dll
C:\WINDOWS\system32\azaolgj316o.dll
C:\WINDOWS\system32\cfmmdlg.dll
C:\WINDOWS\system32\cvetcfg.dll
C:\WINDOWS\system32\dkprpres.dll
C:\WINDOWS\system32\dSdxof.dll
C:\WINDOWS\system32\en6ol1j31.dll
C:\WINDOWS\system32\enjml1111.dll
C:\WINDOWS\system32\enjql1151.dll
C:\WINDOWS\system32\exentprf.dll
C:\WINDOWS\system32\g622lgfo162c.dll
C:\WINDOWS\system32\g6jolg1316.dll
C:\WINDOWS\system32\hr2405fqe.dll
C:\WINDOWS\system32\hrju0519e.dll
C:\WINDOWS\system32\hrls0537e.dll
C:\WINDOWS\system32\hrru0599e.dll
C:\WINDOWS\system32\i0nmla511d.dll
C:\WINDOWS\system32\k0080adued080.dll
C:\WINDOWS\system32\k644lghq164e.dll
C:\WINDOWS\system32\kddtuf.dll
C:\WINDOWS\system32\kgdinben.dll
C:\WINDOWS\system32\ktlsl7371.dll
C:\WINDOWS\system32\l66olgj316o.dll
C:\WINDOWS\system32\l6p2lg7o16.dll
C:\WINDOWS\system32\ltj0271mg.dll
C:\WINDOWS\system32\lv0209doe.dll
C:\WINDOWS\system32\lv4009hme.dll
C:\WINDOWS\system32\lvj0091me.dll
C:\WINDOWS\system32\lvj2091oe.dll
C:\WINDOWS\system32\lvn2095oe.dll
C:\WINDOWS\system32\lvp2097oe.dll
C:\WINDOWS\system32\m0280afued280.dll
C:\WINDOWS\system32\MbPMSNSv.dll
C:\WINDOWS\system32\oaesvr32.dll
C:\WINDOWS\system32\oamanage.dll
C:\WINDOWS\system32\p68qlgl516q.dll
C:\WINDOWS\system32\padrv.dll
C:\WINDOWS\system32\rNschap.dll
C:\WINDOWS\system32\scnike.dll
C:\WINDOWS\system32\sxdpsrv.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B26C33C1-07AA-49CA-8FC1-5B98860FA237}"=-
"{FBDCE8CE-4D0A-4C9A-867D-3D00AF354588}"=-
"{235F819A-15F2-4696-AB5A-B12CF2332BF2}"=-
"{EDDE26B7-A882-4F60-8FD4-73601735FE76}"=-
"{B97E32D2-5B34-43A2-B708-5B5148D17DAD}"=-
"{93178539-E7D8-4B69-BA63-9958CBEBD5A9}"=-
"{8A8D5BF0-EFFA-4079-80EB-0880C4335504}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B26C33C1-07AA-49CA-8FC1-5B98860FA237}]
[-HKEY_CLASSES_ROOT\CLSID\{FBDCE8CE-4D0A-4C9A-867D-3D00AF354588}]
[-HKEY_CLASSES_ROOT\CLSID\{235F819A-15F2-4696-AB5A-B12CF2332BF2}]
[-HKEY_CLASSES_ROOT\CLSID\{EDDE26B7-A882-4F60-8FD4-73601735FE76}]
[-HKEY_CLASSES_ROOT\CLSID\{B97E32D2-5B34-43A2-B708-5B5148D17DAD}]
[-HKEY_CLASSES_ROOT\CLSID\{93178539-E7D8-4B69-BA63-9958CBEBD5A9}]
[-HKEY_CLASSES_ROOT\CLSID\{8A8D5BF0-EFFA-4079-80EB-0880C4335504}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

  • 0

Advertisements


#17
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please post a hijack this log. Thanks. :tazz:
  • 0

#18
Petrus

Petrus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thank you. Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 00:39:29, on 13.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\derc\scsh.exe
C:\WINDOWS\system32\??crosoft.NET\iexplore.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programme\Mozilla Firefox\firefox.exe
E:\Albums\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.154.122.106:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programme\180searchassistant\sachook.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Desksite CMA] C:\Programme\desksite\bin\cma.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccRegVfy] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Programme\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AIM] C:\Programme\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Rlre] C:\Programme\derc\scsh.exe
O4 - HKCU\..\Run: [Khdo] C:\WINDOWS\system32\??crosoft.NET\iexplore.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4714
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt03.com/d...onale_ver11.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{768588D3-0ED4-4282-BFB5-1E8CEDF82348}: NameServer = 192.168.2.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Unknown owner - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
  • 0

#19
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please set your system to show
all hidden files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\Programme\derc\scsh.exe
C:\WINDOWS\system32\??crosoft.NET\iexplore.exe

Exit the Task Manager when finished.

Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check narj against each of the following, making sure you get each one and not any others by mistake:

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programme\180searchassistant\sachook.dll (file missing)
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Programme\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Khdo] C:\WINDOWS\system32\??crosoft.NET\iexplore.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office10\OSA.EXE

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4714
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt03.com/d...onale_ver11.CAB
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\??crosoft.NET\iexplore.exe<<be careful when deleting these
c:\programme\180searchassistant\sachook.dll
C:\Programme\VBouncer<<entire folder

Exit Explorer, and reboot as normal afterwards.


If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Please reboot and post a fresh HijackThis log and we will take another look to see how we did.
  • 0

#20
Petrus

Petrus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
My system is startin to get much better thanks :tazz:

My new log:

Logfile of HijackThis v1.99.1
Scan saved at 23:59:22, on 21.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\derc\scsh.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Albums\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.154.122.106:8080
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Desksite CMA] C:\Programme\desksite\bin\cma.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AIM] C:\Programme\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Rlre] C:\Programme\derc\scsh.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonu...key/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{768588D3-0ED4-4282-BFB5-1E8CEDF82348}: NameServer = 192.168.2.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Unknown owner - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
  • 0

#21
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
How is it running?
  • 0

#22
Petrus

Petrus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Pretty good no problems yet. Thanks very much :tazz:
  • 0

#23
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

This topic is closed. If it needs to be re-opened, please PM a staff member.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP