Major Problems! [CLOSED]

#1 JakeTao (New Member, 2 posts)

Got a problem with Aurora. I've searched Google, Yahoo and MSN search pages for some decent help pages, but I must post my own log to actually get something done, so here's my works and I hope I have more problems... (Sarcasm.) Can anyone run a check on my problems and see if it's not just nail but the SVC thing... thanks

>>* Log goes here *<<

Logfile of HijackThis v1.99.1
Scan saved at 12:57:42 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\uupvar.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mandy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol....mes/default.jsp
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMEBAR\gamebar.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMEBAR\gamebar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [activex monitor] wputxp.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Windows Desktop Controler] windesktop.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [USB Drivers1] msfierwall.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [4hre23v1] C:\Program Files\4hre23v1\4hre23v1.exe
O4 - HKLM\..\Run: [686559a7d273] C:\WINDOWS\System32\adsmsext.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [ORWPDLL] C:\WINDOWS\ORWPDLL.EXE
O4 - HKLM\..\Run: [ORWPENC] C:\WINDOWS\ORWPENC.EXE
O4 - HKLM\..\Run: [wposxi] c:\windows\system32\wposxi.exe
O4 - HKLM\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Warning: do not remove it! (system)] cfpsys.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitexay32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EasyMessage] "C:\Program Files\Zango Messenger\em2.exe" -wait
O4 - HKLM\..\Run: [Fdmph] c:\Program Files\Fiyhgp\Fajmm.exe
O4 - HKLM\..\Run: [yE3a] C:\WINDOWS\vlpxc.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\12900a5b.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Ycdwdh.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SECURITY.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [hpmszxs] c:\windows\system32\wnmoinv.exe
O4 - HKLM\..\Run: [BadSubtract] C:\Program Files\InterMute\BadSubtract\BadSub.exe -run
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uupvar.exe reg_run
O4 - HKLM\..\Run: [racscay] c:\windows\system32\rcmbpg.exe r
O4 - HKLM\..\RunServices: [activex monitor] wputxp.exe
O4 - HKLM\..\RunServices: [Windows Desktop Controler] windesktop.exe
O4 - HKLM\..\RunServices: [USB Drivers1] msfierwall.exe
O4 - HKLM\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunOnce: [8vrolo.exe] C:\WINDOWS\System32\8vrolo.exe /k
O4 - HKLM\..\RunOnce: [Trojan Remover] C:\Program Files\Trojan Remover\uev1.exe TRLOG.TXT
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Desktop Controler] windesktop.exe
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
O4 - HKCU\..\RunServices: [Windows Desktop Controler] windesktop.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by9fd.bay9.ho...es/MsnPUpld.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures04.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108793591831
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {8F9D2276-C29C-4122-A7B6-B323773B385B} (e-games.installer) - http://dreamville.e-.../axDown2003.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll
O23 - Service: BadSubtract Content Filter (BadSubtract) - InterMute, Inc. - C:\Program Files\InterMute\BadSubtract\BdSubSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FlowProtectorService - Unknown owner - C:\Program Files\CheckFlow\FlowProtector\4.0.0.10\FlowService.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Log from another thing

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"Windows Desktop Controler" = "windesktop.exe" [null data]
"Windows Service Drivers" = "mswin32.exe" [null data]
"PCShield" = "regsvr32 /s "C:\WINDOWS\System32\sfg.dll"" [MS]
"xp_system" = "C:\WINDOWS\inet20057\winlogon.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"activex monitor" = "wputxp.exe" [file not found]
"Microsoft Internet Explorer" = "C:\WINDOWS\System32\iexplore.exe" [file not found]
"Winamp Agent" = "C:\WINDOWS\System32\winamp.exe" [file not found]
"Windows Desktop Controler" = "windesktop.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s" ["Panda Software International"]
"USB Drivers1" = "msfierwall.exe" [file not found]
"winupdtl" = "C:\WINDOWS\System32\winupdt.exe" [file not found]
"AUNPS2" = "RUNDLL32 AUNPS2.DLL,_Run@16" [MS]
"4hre23v1" = "C:\Program Files\4hre23v1\4hre23v1.exe" [empty string]
"686559a7d273" = "C:\WINDOWS\System32\adsmsext.exe" [file not found]
"BMan" = "C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe" [file not found]
"ORWPDLL" = "C:\WINDOWS\ORWPDLL.EXE" ["UpdateMonitor"]
"ORWPENC" = "C:\WINDOWS\ORWPENC.EXE" ["System Service"]
"wposxi" = "c:\windows\system32\wposxi.exe" [file not found]
"Windows Service Drivers" = "mswin32.exe" [null data]
"Windows Processe Manager" = "mspn32.exe" [file not found]
"System CSRSS Patch" = "scrtkfg.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Warning: do not remove it! (system)" = "cfpsys.exe" ["©2002-2004, Password Protect Software. All Rights Reserved."]
"checkrun" = "c:\windows\system32\elitexay32.exe" [file not found]
"cfgmgr51" = "RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun" [MS]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [file not found]
"EasyMessage" = ""C:\Program Files\Zango Messenger\em2.exe" -wait" [file not found]
"Fdmph" = "c:\Program Files\Fiyhgp\Fajmm.exe" [file not found]
"yE3a" = "C:\WINDOWS\vlpxc.exe" [file not found]
"System backup" = "C:\WINDOWS\System32\12900a5b.exe" [null data]
"Uninstall_WinTools" = "C:\WINDOWS\Temp\WTuninst.exe /remove" [file not found]
"PS1" = "C:\WINDOWS\System32\ps1.exe" [file not found]
"secure" = "C:\WINDOWS\System32\Ycdwdh.exe" [file not found]
"PCShield" = "regsvr32 /s "C:\WINDOWS\System32\sfg.dll"" [MS]
"Service Host" = "C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SVCHOST.EXE" [file not found]
"Disk Keeper" = "C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SECURITY.EXE" [file not found]
"Win Server Updt" = "C:\WINDOWS\wupdt.exe" [file not found]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"hpmszxs" = "c:\windows\system32\wnmoinv.exe" [file not found]
"BadSubtract" = "C:\Program Files\InterMute\BadSubtract\BadSub.exe -run" ["InterMute, Inc."]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"KavSvc" = "C:\WINDOWS\System32\uupvar.exe reg_run" [null data]
"racscay" = "c:\windows\system32\rcmbpg.exe r" [null data]
"xp_system" = "C:\WINDOWS\inet20057\winlogon.exe" [null data]
"Microsoft standard protector" = "C:\WINDOWS\winsocks5.exe" [null data]
"ControlPanel" = "C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile" [null data]
"PSGuard" = "C:\Program Files\PSGuard\PSGuard.exe" ["Shuddex Global Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"8vrolo.exe" = "C:\WINDOWS\System32\8vrolo.exe /k" [null data]
"Trojan Remover" = "C:\Program Files\Trojan Remover\uev1.exe TRLOG.TXT" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{01F44A8A-8C97-4325-A378-76E68DC4AB2E}\(Default) = "Band Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll" ["Yahoo! Inc."]
{0519A9C9-064A-4cbc-BC47-D0EACD581477}\(Default) = "ICOOExternal Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICOO Loader\addons\icooue.dll" ["ICOO Soft, LTD."]
{2E246FAE-8420-11D9-870D-000C2917DE7F}\(Default) = "Loader Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Loader.dll" [empty string]
{465A59EC-20E5-4fca-A38A-E5EC3C480218}\(Default) = "ICOODManager Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICOO Loader\addons\icoou.dll" ["ICOO Soft, LTD."]
{4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D}\(Default) = "Game Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GAMEBAR\gamebar.dll" [empty string]
{5321E378-FFAD-4999-8C62-03CA8155F0B3}\(Default) = "HBO Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\inet20057\3.00.05.dll" [empty string]
{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A}\(Default) = "SafeGuard Protect PCShield"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\sfg.dll" ["SafeGuard Corporation"]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
{A44B961C-8C36-470f-8555-EDA0EFC1E710}\(Default) = "CEngine Object" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\ShellTit.DLL" ["Panda Software International"]
"{A2E92CCB-B810-4FCF-BC8A-651D1806D71D}" = "EEShredFolder"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\EE\3.1\EEShell.dll" ["Baltsoft"]
"{D25111DA-EB0A-4EAC-887B-3CF72DF7A390}" = "EEShredFile"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\EE\3.1\EEShell.dll" ["Baltsoft"]
"{2B83810F-F4F3-4673-A08B-6E2FBA711ED1}" = "EEShell"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\EE\3.1\EEShell.dll" ["Baltsoft"]
"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" [null data]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\InterMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\InterMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "run" = "C:\WINDOWS\inet20057\winlogon.exe" [null data]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
[prevents changes to Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]

HIJACK WARNING! "NoDispBackgroundPage"=dword:00000001
[removes Display Properties, Desktop (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\System32\wp.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "mandy" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"SpySubtract" -> shortcut to: "C:\Program Files\InterMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavlsp.dll ["Panda Software "], 01 - 02, 18
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D}" = "Game Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GAMEBAR\gamebar.dll" [empty string]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll" ["Yahoo! Inc."]

"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]

HKLM\Software\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AOL Search"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
BadSubtract Content Filter, BadSubtract, "C:\Program Files\InterMute\BadSubtract\BdSubSvc.exe" ["InterMute, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
FlowProtectorService, FlowProtectorService, "C:\Program Files\CheckFlow\FlowProtector\4.0.0.10\FlowService.exe" [file not found]
Hardware Clock Driver, hwclock, "C:\WINDOWS\System32\hwclock.exe" [file not found]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Panda anti-virus service, PAVSRV, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe"" ["Panda Software"]
StyleXPService, StyleXPService, ""C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"" [file not found]
WebSeach Toolbar support NT service, TBPSSvc, "C:\PROGRA~1\Toolbar\TBPSSvc.exe" [file not found]
WinTools for IE service, WinToolsSvc, "C:\Program Files\Common Files\WinTools\WToolsS.exe" [file not found]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Enjoy
#2 JakeTao (Topic Starter)

:\
#3 Guest_usetobe_* (Guest)

Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help, or are your problems resolved?

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe
#4 Guest_usetobe_* (Guest)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.