Web-Nexus and Random 6 Letter .exe



#1
Brines (Member, 26 posts)

I can't open Firefox. I think it's because I have some kind of infection that opens Firefox. Since you can't open two at a time or something, it won't let me open it. It only opens when it tries to load up stech.web-nexus.net. I tried everything online to get Firefox to work, but it doesn't. I think this would all be solved if I could get rid of this crap. Here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 11:22:57 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\jlbqjn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program Files\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jlbqjn.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com...cpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn....v45/yacscom.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112891736921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\smrstr.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
I'm concerned with this one:

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jlbqjn.exe reg_run

Whenever I try to delete it, it comes back, even in safe mode. Same with trying to end it. Please help!

#2
Wizard (Retired Staff, 5,661 posts)

Hi Brines and Welcome to GeekstoGo!

That's quite a pesky bug you have in there, but I think I have just the thing for it if you can get me a few other logs together!


Download Process Explorer from here
http://www.sysintern...sExplorerNt.zip

Right Click the Zip file and Select "Extract All"

Next download Track Qoo from here
http://webpages.char...Track qoo 1.zip

Right Click the Zip file and Select "Extract All"

Double Click on "Track qoo.vbs"

If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do.

Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy & Paste those results in the next post!


Now go to the Process ExplorerNT folder -> Open it and double click on "procexp.exe"

Don't pay any attention to the box that just popped up, just click OK!

Once Process Explorer is Open, Scroll towards the bottom and look for this entry

jlbqjn.exe

Double Click jlbqjn.exe -> Now Click on Strings -> Put a tick by Memory and Click Save

Save it to the Desktop!

If you see another process in there that's all goobly gobbed looking like the one above, follow the same process to Save a strings log as well!

After this, please don't restart the PC!

Post both logs back here along with a fresh HijackThis log!

Edited by Cretemonster, 17 July 2005 - 07:06 AM.

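Added example, not part of this thread and not Process Explorer's or Wizard's own code: a small Python script that does by program what the "Strings -> Memory -> Save" step above does by hand. It pulls runs of printable ASCII out of a byte buffer (Process Explorer's Strings tab also reads Unicode; this one is ASCII only, a simplification for the example) and sorts them into the buckets a helper reads first: registry keys, file paths, bare module names and domains. The byte buffer is constructed for the example; the domains, Run key and file name inside it are the ones that appear in the strings dump posted later in this thread.

```python
import re
from collections import defaultdict

# Constructed sample of what a process's memory might contain: PE header bytes,
# binary noise and the kind of strings a helper looks for. The domains, Run key and
# file name are the ones that appear in the strings dump posted in this thread.
SAMPLE_MEMORY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"!This program cannot be run in DOS mode.\x00\x0d\x0a"
    b"\x01\x02\x7f\xee"
    b"winsync\x00"
    b"dl.web-nexus.net\x00"
    b"\x03\x04"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"stech.web-nexus.net\x00"
    b"C:\\WINDOWS\\system32\\jlbqjn.exe\x00"
    b"kernel32.dll\x00"
    b"ab\x00"  # shorter than the minimum length, so it is dropped
)

REGISTRY_ROOTS = ("software\\", "hardware\\", "system\\", "clsid\\", "hkey_", "hklm\\", "hkcu\\")
FILE_EXTS = (".dll", ".exe", ".dat", ".tmp", ".ini", ".sys", ".ocx")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,6}$")
PATH_RE = re.compile(r"^(?:[a-z]:\\|\\\\)")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable ASCII bytes, in buffer order.
    Same idea as Process Explorer's Strings tab, restricted to ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify(s: str) -> str:
    """Sort one string into the bucket a reviewer would check first."""
    low = s.lower()
    if low.startswith(REGISTRY_ROOTS):
        return "registry"   # persistence and configuration keys
    if PATH_RE.match(low):
        return "path"       # files the process touches or drops
    if low.endswith(FILE_EXTS):
        return "file"       # bare module names, usually imports
    if DOMAIN_RE.match(low):
        return "domain"     # hosts it may contact
    return "other"


def triage(data: bytes) -> dict:
    """Group the strings found in data by category, keeping order within each bucket."""
    buckets = defaultdict(list)
    for s in extract_strings(data):
        buckets[classify(s)].append(s)
    return dict(buckets)


if __name__ == "__main__":
    for category, strings in triage(SAMPLE_MEMORY).items():
        print(f"[{category}]")
        for s in strings:
            print("   ", s)
```

Run it against a file saved from the Strings tab by reading the file as bytes and passing it to triage(); the "domain" and "registry" buckets are where the web-nexus hosts and the Run key in the posted dump land, which is exactly what makes the dump worth asking for.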

#3
Brines (Topic Starter, Member, 26 posts)

Sorry bout the delay on the reply, I just woke up, lol.

The Qoo one gives me this error when I try to run the script:

http://img.photobuck.../Brines/qoo.png


Here's the jlbqjn.exe.txt:

jjjj
jjjjjjj
@jjj
jjjj
Ajj
jjj
jjj
jjj
@jjj
(null)
!This program cannot be run in DOS mode.
Rich
.text
.rdata
.data
.rsrc
.coden
.adata
jdjdh
SQP
jeV
jgV
jdV
jeV
jfV
jgV
jiV
VWS
VWS
QSUV3
L$tR
QhT
QhX
RSh
PSh
QSh
PVj
QRPh
L$DjdQ
$VSW
SVW
RhP
jej
t/VVh
VVh
VVh
Rhx
u1hX
VVj
tsh
QjJ
UWhP
D$ Ph
hx!A
hx A
hx"A
hx#A
hx$A
SSS
SSj
RSh
D$0Ph
PPj
D$(PUWV
hx!A
ahx
hx!A
Shx
jeS
QjeS
jdht
jdhh
~Thx
~Thx
~Thx
~Thx A
~Thx!A
~Thx"A
FT@hx
@Phx
Shx
u+hx
Qhx
jgS
L$hQSSSSSSh
jgS
jeS
hx"A
hx"A
jhS
hx!A
Shx!A
hx!A
D$TP
L$HQ
T$HR
SSS
D$TP
VPQ
jcQ
SVW3
QPRW
PVQ
SVWt*
D$@PVh
PQh
PhH
PhT
\$@UVW~
L$XQS
PQj
VWh
PQj
VWh
PQj
VWh
PQj
VWh
PQj
VWh
PQj
VWh
Qjhj
~BVh
PVj
RWSV
8VWj
T$(RV
l$Lj
T$(RV
Qht
PQRV
tbf
tNf
SUV
t@Wh
VWj
SVW3
UWV
QUWV
BRj
QUWV
SVW3
T$8RS
PQj
VWh
QRP
VWj
PWVS
QSV
QSVW
T$ QGWR
hSUVW
D$|UP
jdQ
RPh
VWU
QWh
t-S@PV
RPWh
L$|VQ
PQW
SUVW3
Qh T@
VVh
VVh
HtMHt
D$0Pj
RVP
T$(Rj
Ht{H
T$pRh
QhPT@
t5jd
uPh
uOh
tBHt
tXj
QPj
PQj
UQP
fIf
L$ Qh
D$%VW3
9l$xSSu
USSShp
L$$QSSh
L$PQV
L$TQV
PhX
QhT
SVW
Pjh
Pjj
SVW
SUVW
SVW
Php
Phx
D$ SUV
SVW
tJU
PQRh
T$DR
L$HQ
T$@RP
Php
Phx
SVW
uEj
SVW
SVW
uxh
ulh
uTh
uHh
u$ht
VWh
uChL
u0hD
tfj=V
SVW
PQj
QSUVWh
SVW
SVW
SUVW
L$Hh\
D$PPj
L$DQ
L$|Qh
D$xPh
D$xPh
D$xPh
D$xPQ
Phx
Phx
hx!A
Phx
hx"A
hx!A
UVWh
D$ RVP
T$ Rh
jhj
PjdWh
tMU
xdPj
SUV
D$(Ph
RSj
D$ PUVh0
D$ PUVh
D$ PUVh
D$ PUVh
tCh
D$ PUVhp
D$(Ph
SUV
S0Rh
L$,Qh
L$,Qh
L$,Qh
L$,Qht
L$,QhP
L$,Qh(
L$,Qh
L$,Qh
L$,Qh
L$,Qh
L$,Qh
sPVh`
VhH
D$,Ph
T$$RV
D$,Ph
T$ RS
SWP
SVWUj
SVW
t.;t$$t(
VC20XC00U
SVWU
tEVU
u,hb
F95X5A
8MZu
YYu
YYu
VWu
t7VP
QQSVW3
SUVW
tyf9
SSS+
@PVSS
t#SSUP
t$$VSS
UVW
SVW
SVW
UWu
wHVSU
PSW
PSW
VSj
FVSj
VPV
VPV
u8SS3
FVh
E SS
SSV
t!SS9]
VSW
YVt
PPPPPPPP
SVW3
F;5 KA
Yu+Vj
VWj
YF;5 KA
VWumh
uiSj
NCu
GWh
WWS
6PWS
t WW
VSW
WWWWVSW
tCVj
t2WWVPVSW
HSVWj
WVS
WWQ
tGj
VWsr
YtD
VWsU
SUVW
tiW
YYt
dfgghh
masdfey
winsync
dl.web-nexus.net
open
adloc
cid
excl_urls
ProductId
Software\Microsoft\Windows\CurrentVersion
cn=%s|cpui=%s|cpuvi=%s|mac=%s|uid=%s|wid=%s
%02X:%02X:%02X:%02X:%02X:%02X
VendorIdentifier
Identifier
~MHz
HARDWARE\DESCRIPTION\System\CentralProcessor\0
mut_data_check_njanja
%sf%d.exe
SendSomethingToHookLib
SetHook
CoolGetVersion
altavista.com
yahoo.com
google.com
Software\Microsoft\Windows\CurrentVersion\Run
%s.tmp
_mymeanmap_
unknown
startup
RegisterServiceProcess
kernel32.dll
_dll_mmap_shared_2o2o_z_v3.1.1
\unadbeh.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdBehavior
mtx_temp_app2_qool
NUL
[RENAME]
[RENAME]
\WININIT.INI
task_%s_exec
task_%s_id
task_
task_%s_executed
MozillaWindowClass
FRAMES2
IEFrame
Internet Explorer_Server
.exe
http\shell\open\command
firefox.exe
netscp.exe
mozilla.exe
opera.exe
iexplore.exe
mppd
pint
ntpint
pdisabled
uuid
exclurls_seq
mppd_nt
stech.web-nexus.net
chpop_srv
defcfg_srv
tntdelay
maxchpop
geoip
njapoarblqp
sdfkljghwa
.dll
ajdebonakr
abcdornmqx
upqwvbakyg
.dat
andrtpkicu
DllRegisterServer
StubPath
Software\Microsoft\Active Setup\Installed Components\
reg_run
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
\explorer.exe
\Start Menu\Programs\Startup
GetAllUsersProfileDirectoryA
Userenv.dll
klgfjmzqod
send
ws2_32.dll
%s%s=%s
www4.yesadvertising.com
bannerserver.gator.com
license.hotbar.com
web.icq.com
v4.windowsupdate.microsoft.com
windowsupdate.microsoft.com
ads.bidclix.com
oz.valueclick.com
odysseusmarketing.com
join1.winhundred.com
advert.runescape.com
sr.websearch.com
adserv.internetfuel.com
messenger.msn.com
top-banners.com
pops.browseraid.com
download.abetterinternet.com
tv.180solutions.com
banners.pennyweb.com
smileycentral.com
ww2.weatherbug.com
games.yahoo.com
rightmedia.net
counters.honesty.com
zone.msn.com
xlime.offeroptimizer.com
radio.launch.yahoo.com
sr.adwave.com
clickit.go2net.com
us.update.companion.yahoo.com
cdn-aimtoday.aol.com
kill-pop-ups.com
qksrv.net
xadsq.offeroptimizer.com
count.exitexchange.com
search200.com
servedby.adscpm.com
allaboutsearching.com
jnictech.cjt1.net
paypopup.com
adfarm.mediaplex.com
cdn-cf.aol.com
searcheffect.com
popuptraffic.com
akapp.whenu.com
amch.questionmarket.com
by.optimost.com
hotmail.msn.com
newupdates.lzio.com
ads.delfinproject.com
cfg.mywebsearch.com
insider.msg.yahoo.com
master.mx-targeting.com
hotmail.com
ctl.twain-tech.com
m2.doubleclick.net
mail.yahoo.com
focusin.ads.targetnet.com
jmnad1.com
e.rn11.com
topicks.com
ad.doubleclick.net
as.casalemedia.com
m3.doubleclick.net
webpdp.gator.com
ayb.lop.com
pgq.yahoo.com
xadso.offeroptimizer.com
c.qckjmp.com
media.fastclick.net
xzoomy.com
stopzilla.com
download.smileycentral.com
ads.clickagents.com
delfinproject.com
mm.delfinproject.com
jbns2.cydoor.com
bannerfarm.ace.advertising.com
popuppers.com
view.atdmt.com
as.adwave.com
ads.addynamix.com
look2me.com
ad.trafficmp.com
weatherbug.com
wisapidata.weatherbug.com
jicmedia.cjt1.net
ads1.revenue.net
servedby.advertising.com
aim-charts.pf.aol.com
sandboxer.com
ar.atwola.com
Microsoft Internet Explorer
Cannot find server
about:blank
iexplore
LoadLibraryA
VirtualAllocEx
file://%s
<html><head><title></title><meta http-equiv="refresh" content="1;URL=%s"></head></html>
load.html
-url %s
http://
\\.\PhysicalDrive0
\\.\SMARTVSD
pclie_wm_clear_popups
pclie_wm_setforeground
pclie_wm_remove_from_taskbar
pclie_wm_fire_big_popup
pclie_wm_nacrtaj_traku
pclie_wm_gen_exception
pclie_wm_check_hook
pclie_wm_report_task_exec
pclie_wm_fire_popup
pclie_wm_debug_dump_status
pcli_wm_report_uninstall
pcli_wm_uninstall
pcli_wm_get_excl_urls
pcli_wm_exec_tasks
pcli_wm_check_popup
pcli_wm_get_update_file
pcli_wm_check_for_updates
pcli_wm_myhook_wm_lbuttondown
pcli_wm_myhook_wm_char
ppids_t
ppids_nt
%d:%d:%d
mutt_sync_fired_popups
traka_url
traka_height
validity
scroll
nomppd
pid
title
height
width
style
size
show
type
url
.com
.biz
.org
.net
www.
HOST:
.jif
.swf
.css
.doc
.ico
.avi
.mov
.pdf
.jpe
.sgi
.psd
.wmf
.tga
.dib
.pic
.dcx
.pcd
.txt
.pcx
.emf
.tif
.png
.cab
.ace
.tar
.tbz
.tgz
.rar
.zip
.bmp
.gif
.jpeg
.jpg
HTTP
GET
mmap_sniping_rules
mutex_sync_mmap_sniping_rules
CLSID\%s
CLSID\%s\InProcServer32
CLSID\%s\ProgId
*\shellex\ContextMenuHandlers\%s
yfgmqtnxks
xeroiuerjf
.class
Cool
Clr Class
\unq32.dat
CLSID\{46E0807E-D421-4D67-BA84-E13E187AE3DA}
Software\Microsoft\Active Setup\Installed Components\%s
</popup>
<attrib>
</attrib>
<url>
</url>
<popup>
<seq>
</seq>
<param_value>
</param_value>
<param_name>
</param_name>
<action>
</action>
<type>
</type>
<snipe>
</snipe>
<sniping>
</sniping>
<search_engine>
</search_engine>
</execUrl>
<execUrl>
<task>
<geoip>
</geoip>
<defcfgsvr>
</defcfgsvr>
<chpopsvr>
</chpopsvr>
<eus>
</eus>
<disabled>
</disabled>
<maxchpopup>
</maxchpopup>
<urlinterval>
</urlinterval>
<tntpopupdelay>
</tntpopupdelay>
<ntpopupinterval>
</ntpopupinterval>
<tpopupinterval>
</tpopupinterval>
<queryinterval>
</queryinterval>
<mppd_nt>
</mppd_nt>
<mppd>
</mppd>
<loc>
</loc>
<clientid>
</clientid>
CorExitProcess
mscoree.dll
EEE
ppxxxx
(null)
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
Program:
A buffer overrun has been detected which has corrupted the program's
internal state. The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program's internal state. The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
StrToIntA
StrChrA
wnsprintfA
StrStrA
StrStrIA
StrNCatA
StrCmpNIA
SHLWAPI.dll
InternetGetConnectedState
WININET.dll
RPCRT4.dll
GetAdaptersInfo
iphlpapi.dll
Sleep
GetModuleFileNameA
lstrcmpA
lstrlenA
GetVolumeInformationA
HeapFree
lstrcpyA
HeapAlloc
GetProcessHeap
HeapReAlloc
GetComputerNameA
lstrcpynA
CloseHandle
OpenMutexA
GetLastError
CreateProcessA
SetLastError
GetTempPathA
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetTickCount
GetLocalTime
GetCurrentProcessId
ExitProcess
FreeLibrary
GetProcAddress
LoadLibraryA
InitializeCriticalSection
SetEndOfFile
SetFilePointer
ReadFile
GetFileSize
CreateFileA
CopyFileA
TerminateProcess
OpenProcess
MapViewOfFile
CreateFileMappingA
lstrcmpiA
GetModuleHandleA
IsBadWritePtr
DeleteFileA
lstrcatA
GetWindowsDirectoryA
SetUnhandledExceptionFilter
CreateMutexA
Process32Next
Process32First
CreateToolhelp32Snapshot
WriteFile
GetShortPathNameA
MoveFileExA
GetSystemDirectoryA
LockResource
SizeofResource
LoadResource
FindResourceA
SetFileAttributesA
SetFileTime
GetFileTime
VirtualQuery
WideCharToMultiByte
GetVersionExA
FindClose
FindFirstFileA
WaitForSingleObject
CreateRemoteThread
ResumeThread
WriteProcessMemory
DeviceIoControl
ReleaseMutex
GetCurrentThreadId
UnmapViewOfFile
KERNEL32.dll
CreateWindowExA
PostMessageA
SetTimer
KillTimer
wsprintfA
DefWindowProcA
PostQuitMessage
DestroyWindow
RegisterClassExA
DispatchMessageA
TranslateMessage
GetMessageA
SendMessageA
FindWindowA
GetClassNameA
GetWindowThreadProcessId
EnumWindows
IsWindowVisible
GetWindowTextA
SetForegroundWindow
SetWindowPos
ShowWindow
EnumThreadWindows
EnumChildWindows
GetForegroundWindow
RegisterWindowMessageA
USER32.dll
RegDeleteKeyA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyA
RegDeleteValueA
RegOpenKeyA
xxxx
My Host Name
ValueExA
RegQueryValueA
RegSetValueA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
RtlUnwind
GetCurrentProcess
GetStartupInfoA
GetCommandLineA
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapSize
GetACP
GetOEMCP
GetCPInfo
LCMapStringA
MultiByteToWideChar
LCMapStringW
QueryPerformanceCounter
GetSystemTimeAsFileTime
VirtualAlloc
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
VirtualProtect
GetSystemInfo
FlushFileBuffers
SetStdHandle
DDE Server
SysOleClass
reg_run
PST
PDT
C:\WINDOWS\system32\jlbqjn.exe
C:\WINDOWS\system32\dwhadsg.dll
C:\WINDOWS\system32\jlbqjn.exe
C:\WINDOWS\system32\bqmxban.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nciu.exe
C:\WINDOWS\loqdl.dll
C:\WINDOWS\system32\pykgp.dat
C:\WINDOWS\system32\jkarj.dll
01ad;7000e2fd
55277-OEM-0046031-03759
C:\WINDOWS\system32\dwhadsg.dll
0429J1FT300641
RQ01-070ASSMNU GVS0840 H
C:\WINDOWS\system32\jlbqjn.exe
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
!This program cannot be run in DOS mode.
RichC
.text
.rdata
.data
.coden
.adata
Bhm
nFF8
suj
ux:h
YqGW
hNj
zQJ
ius
dVp
ixm
Cur
If2z
zLG!
tXi
Ies"
YoPEo
vBo
5PBO
fLc
Grl
xstt
<`LQR
Tun
mbH
Mxry
+-dHQ
VHQ
zjX
GZ-F
EKm
<YMk
YmR\
FdKB
}xSu9l
ZAd
Jap
RjW
|YQFn
mjH
ZSI3
Dihd
rPu
'Ftx
bIx[?
sB>py#
g{~nE
MixS
w.zlC
&FpX
uYF
Eh)_H
lBd
TqY
TPS
RlXC
Jerq
vJm
/xa/v
oqx
Xpe
7*.Zw6i7'
HWB}
g41Rc<
gHR_
C`bO
obRi:
ZLR
JRi
N"sG
d?VJOw9
v`NN
FofOb
W<CE
MkKt
95iCCU
JhU==
0VZG=
B(tE
Bmak
cBTQ
gCg
eBCr
>X?ot
Ktr
EO7jLP
eW-l
`Y@sw
YsH
oMM
/Go3fgo*8
kt#X
NpV
HS(Qw
lifK
AIt
c#bY=k
Vg4~E
He@&u&
qpC
YLV(
bxH
TKb
LB*J
ydOX
DeX
fOL!9xt
GLm7I
XH[lP
FaQ!v
nOV-
T@q2I
pKe
NLQmA
bv~r
nNz
zrz
;wOL
5gMF
bzqi
Ev,B
pLc
zTL
pz\n
`n0<ab
hGa
g,ANe
WdT
pvE
/kHug
VEa
eF1ew
EhA
ZMY
dfgghh
masdfey
winsync
dl.web-nexus.net
Internet Explorer
mut_wm_report_task_exec_nja
mut_wm_fire_popup_sync
gtaskmgr.exe
_dll_mmap_shared_2o2o_z_v3.1.1
explorer.exe
firefox
iexplore
gcasServ.exe
task_%d_exec
MozillaWindowClass
FRAMES2
IEFrame
Internet Explorer_Server
.exe
http\shell\open\command
firefox.exe
netscp.exe
mozilla.exe
opera.exe
iexplore.exe
adloc
exclurls_seq
defcfg_srv
geoip
njapoarblqp
sdfkljghwa
.dll
ajdebonakr
abcdornmqx
upqwvbakyg
.dat
andrtpkicu
DllRegisterServer
Software\Microsoft\Windows\CurrentVersion\Run
reg_run
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
\Start Menu\Programs\Startup
GetAllUsersProfileDirectoryA
Userenv.dll
klgfjmzqod
send
ws2_32.dll
application/*
text/*
GET
</config>
<config>
my_thr_mut_%d
g%s?loc=%s&cid=%s&eus=%d&pe=%d&is=%d&hash=%s&app_src=%s&crc=%s&app_run=%s&cc=%s
/cconfig.php
update
Qool-Uptime: %d
Win-Version: %s
QoolIE-Version: %s
unknown
gQoolShown-Popups: %s
QoolShown-Popups-nt: %s
%s?loc=%s&cid=%s&u=%s&en=%s&pt=%d&app_src=%s&app_run=%s&crc=%s&cc=%s
/checkpopup.php
g%s?loc=%s&cid=%s&eus=%d
/exclurls.php
g%s?loc=%s&cid=%s&uuid=%s
/uninstall.php
%s?loc=%s&cid=%s&uuid=%s&tid=%d&ret=%d
/getfile_status.php
poptraka
gTB
g - Microsoft Internet Explorer
- Mozilla
- Mozilla Firefox
- Netscape
IFRAME
fcp_bg_map_please_work
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
NtQueryDirectoryFile
ntdll.dll
LoadLibraryA
kernel32.dll
msctls_statusbar32
Edit
ComboBox
ComboBoxEx32
ReBarWindow32
WorkerW
TEST
gpclie_wm_clear_popups
pclie_wm_setforeground
pclie_wm_remove_from_taskbar
pclie_wm_fire_big_popup
pclie_wm_nacrtaj_traku
pclie_wm_gen_exception
pclie_wm_check_hook
pclie_wm_report_task_exec
pclie_wm_fire_popup
pclie_wm_debug_dump_status
pcli_wm_report_uninstall
pcli_wm_uninstall
pcli_wm_get_excl_urls
pcli_wm_exec_tasks
pcli_wm_check_popup
pcli_wm_get_update_file
pcli_wm_check_for_updates
pcli_wm_myhook_wm_lbuttondown
pcli_wm_myhook_wm_char
NtQuerySystemInformation
SysOleClass
DDE Server
Process32Next
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyW
RegOpenKeyA
RegCreateKeyW
RegCreateKeyA
RegCreateKeyExW
RegCreateKeyExA
RegQueryInfoKeyW
RegQueryInfoKeyA
RegEnumValueW
advapi32.dll
RegEnumValueA
FindNextFileW
FindNextFileA
LoadLibraryExW
LoadLibraryExA
LoadLibraryW
NtEnumerateValueKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Microsoft\Internet Explorer\Extensions
Software\Microsoft\Internet Explorer\Toolbar
mmap_sniping_rules
mutex_sync_mmap_sniping_rules
SMTP Email Address
Software\Microsoft\Internet Account Manager\Accounts
Default Mail Account
Software\Microsoft\Internet Account Manager
%s %d.%d
Windows 3x
Windows 9x
Windows NT
Unknown
Version
Software\Microsoft\Internet Explorer
wsock32.dll
GET %s
GET %s%s
HTTP/1.
www.
Host:
StrStrIA
wnsprintfA
StrStrA
StrToIntA
StrNCatA
StrChrA
StrCmpNA
SHLWAPI.dll
ImageDirectoryEntryToData
IMAGEHLP.dll
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA
WININET.dll
WS2_32.dll
RPCRT4.dll
GetModuleFileNameA
CloseHandle
ReleaseMutex
WaitForSingleObject
CreateMutexA
lstrcpynA
GetCurrentProcessId
Sleep
CreateThread
DisableThreadLibraryCalls
lstrcpyA
SetUnhandledExceptionFilter
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
lstrlenA
lstrcatA
HeapFree
WriteFile
ReadFile
HeapAlloc
GetProcessHeap
CreateFileA
GetWindowsDirectoryA
lstrcmpA
GlobalFree
GlobalAlloc
MultiByteToWideChar
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
LockResource
SizeofResource
LoadResource
FindResourceA
VirtualQuery
GetTickCount
GetVolumeInformationA
WideCharToMultiByte
GetVersionExA
FindClose
FindFirstFileA
GetFileSize
HeapReAlloc
GetLastError
HeapDestroy
HeapCreate
IsBadReadPtr
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
GetModuleHandleA
FindNextFileA
FindNextFileW
WriteProcessMemory
VirtualProtect
Module32Next
Module32First
FlushInstructionCache
VirtualAlloc
ReadProcessMemory
IsBadCodePtr
GetCurrentProcess
LoadLibraryW
LoadLibraryExA
LoadLibraryExW
RtlUnwind
KERNEL32.dll
CallWindowProcA
CallWindowProcW
IsWindowUnicode
SetForegroundWindow
ShowWindowAsync
CreateWindowExA
GetWindowLongA
PostMessageA
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExA
GetWindowThreadProcessId
SetWindowLongA
SetWindowLongW
GetWindowTextA
GetClassNameA
EnumWindows
wsprintfA
GetClientRect
SendMessageA
SetWindowPos
DefWindowProcA
DestroyWindow
SetTimer
RegisterClassA
UpdateWindow
ShowWindow
KillTimer
PostQuitMessage
DispatchMessageA
TranslateMessage
GetMessageA
GetSystemMetrics
RegisterClassExA
IsWindowVisible
GetWindowRect
FindWindowExA
IsWindow
RegisterWindowMessageA
FindWindowA
USER32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyA
RegSetValueExA
RegOpenKeyA
RegEnumValueA
RegEnumValueW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegCreateKeyExA
RegCreateKeyExW
RegCreateKeyW
RegOpenKeyW
RegOpenKeyExW
ADVAPI32.dll
ExtractIconExA
SHELL32.dll
OleSetContainedObject
OleCreate
OleUninitialize
OleInitialize
ole32.dll
OLEAUT32.dll
HookLib.dll
FireCoolPopup
BindIEBrowser
CoolGetVersion
SendSomethingToHookLib
SetHook
iih
S%IB
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
shlwapi.dll
imagehlp.dll
wininet.dll
user32.dll
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
StrStrA
ImageDirectoryEntryToData
InternetQueryDataAvailable
SetWindowLongA
RegCreateKeyExW
ExtractIconExA
OleSetContainedObject
!This program cannot be run in DOS mode.
Rich
.text
.rdata
.data
.coden
.adata
qPA
nqr
chw8v!H
B$`LPa
i|pp
AK-w
MIT(#
t'FS
mKX
zVIg
VgephDF
W6fO
GCc"
PFm.
MH2V
Cay
xLb
VUu
fLP10
pxP
X`e\jsg(
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
shlwapi.dll
user32.dll
wnsprintfA
wsprintfA
!This program cannot be run in DOS mode.
URich
.text
.rdata
.data
.reloc
.coden
.adata
RkM
qQb
8;hRm
xEb
MtxJ
OOV@
7w%fm
vgXT
qI,LW
dfgghh
masdfey
winsync
dl.web-nexus.net
open
rec_run
*\shellex\ContextMenuHandlers\%s
CLSID\%s\ProgId
ThreadingModel
Apartment
CLSID\%s\InProcServer32
CLSID\%s
yfgmqtnxks
xeroiuerjf
.class
Cool
Clr Class
njapoarblqp
.exe
upqwvbakyg
.dat
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
_mymeanmap_
SHLWAPI.dll
WININET.dll
RpcStringFreeA
UuidToStringA
UuidCreate
RPCRT4.dll
CopyFileA
Sleep
GetModuleFileNameA
lstrlenA
CreateThread
GetSystemDirectoryA
lstrcatA
GetWindowsDirectoryA
CloseHandle
GetVolumeInformationA
GetVersionExA
OpenFileMappingA
KERNEL32.dll
wsprintfA
USER32.dll
RegSetValueExA
RegCloseKey
RegSetValueA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
RecoverClient.dll
DllCanUnloadNow
DllRegisterServer
DllUnregisterServer
hau
f9Da
U9Nr
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
rpcrt4.dll
user32.dll
advapi32.dll
shell32.dll
UuidCreate
wsprintfA
RegCloseKey
ShellExecuteA
]kSW
VirtualAlloc
VirtualFree
PQVS
CCS
SWj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
SUV
D4l|M
QSV
SVW
SUV
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
shlwapi.dll
wininet.dll
iphlpapi.dll
user32.dll
advapi32.dll
shell32.dll
StrStrA
InternetGetConnectedState
GetAdaptersInfo
IsWindowVisible
RegSetValueA
ShellExecuteA
Here's the HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:07:49 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\jlbqjn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program Files\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jlbqjn.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com...cpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn....v45/yacscom.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112891736921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\smrstr.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0

#4
Brines

    Member

  • Topic Starter
  • Member
  • 26 posts
Actually, in the Track qoo 1 folder, there's a Report.txt file that says:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"LTMSG"="LTMSG.exe 7"
"AVG7_EMC"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"winsync"="C:\\WINDOWS\\system32\\jlbqjn.exe reg_run"

Is that all that's supposed to show?
  • 0

#5
Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
That's OK, we can do this another way as well!

First, on TrackQoo, make sure you extracted all of the Zip Folder!

2nd, let it run for a bit and see if it produces a larger log!

Now, let's have a look at a HijackThis StartUp List Log!

HijackThis StartUp Log:
Open HijackThis, Select Config (Bottom Right) >>> Select Misc Tools >>> Select Generate StartupList log and make sure that both boxes beside it are checked:

Put a check by:
List all minor sections (Full)
and
List Empty Sections (Complete)

It will produce a Notepad page; I need you to post the entire contents of that page in the next post!

Go ahead and get Pocket Killbox as well, we are going to need it!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Let's see what the startup list log shows us!
  • 0
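The logs in this thread are read by eye; as an added example (not code from HijackThis, StartupList or the poster), the Python script below parses the O4, O20 and REGEDIT4 Run-key lines posted above and flags autorun images that fit the thread's "random 6 letter .exe" pattern. The allowlist and the vowel/consonant thresholds are assumptions to tune against your own baseline, and the sample lines are copied from the thread's own log.

```python
"""Autorun triage for HijackThis O4/O20 lines and REGEDIT4 Run-key exports.

Added example for this thread, not code from HijackThis, StartupList or the
poster. It flags autorun images whose basename looks machine-generated (the
"random 6 letter .exe" pattern) and that load from the Windows directory
tree. The allowlist and the vowel/consonant thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.+)$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')
# First drive-letter path ending in a loadable image. rundll32's own name has
# no drive prefix, so for RUNDLL32 commands this yields the DLL that runs.
IMAGE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)\b', re.I)

VOWELS = set("aeiouy")
# Legitimate short, consonant-heavy names that would otherwise trip the
# heuristic (constructed allowlist; extend it from your own baseline).
ALLOWLIST = {"nvcpl.dll", "nvmctray.dll", "userinit.exe", "explorer.exe"}


@dataclass(frozen=True)
class Autorun:
    source: str  # "O4 HKLM Run", "O20 Winlogon Notify", "REGEDIT4 Run"
    name: str    # registry value name or Winlogon Notify subkey
    cmd: str     # full command line as logged
    image: str   # executable or DLL that actually gets loaded


def _image_of(cmd: str) -> str:
    m = IMAGE_RE.search(cmd)
    # No drive-letter path (e.g. "LTMSG.exe 7"): the loader resolves the first
    # token through the search path, so report that token as-is.
    return m.group(0) if m else cmd.split()[0]


def parse_hjt(lines: Iterable[str]) -> List[Autorun]:
    """Collect O4 and O20 entries from HijackThis log lines."""
    found = []
    for line in lines:
        line = line.strip()
        if m := O4_RE.match(line):
            found.append(Autorun(f"O4 {m['hive']} Run", m["name"], m["cmd"], _image_of(m["cmd"])))
        elif m := O20_RE.match(line):
            found.append(Autorun("O20 Winlogon Notify", m["name"], m["cmd"], _image_of(m["cmd"])))
    return found


def parse_regedit4_run(text: str) -> List[Autorun]:
    """Collect "name"="command" values from a REGEDIT4 export of a Run key."""
    found = []
    for line in text.splitlines():
        if m := REG_VALUE_RE.match(line.strip()):
            cmd = m["cmd"].replace("\\\\", "\\")  # undo REGEDIT4 backslash doubling
            found.append(Autorun("REGEDIT4 Run", m["name"], cmd, _image_of(cmd)))
    return found


def looks_random(image: str) -> bool:
    """Heuristic: 5-8 letter stem with no vowels or a run of 5 consonants."""
    base = image.rsplit("\\", 1)[-1].lower()
    if base in ALLOWLIST:
        return False
    stem = base.rsplit(".", 1)[0]
    if not stem.isalpha() or not 5 <= len(stem) <= 8:
        return False
    return not (VOWELS & set(stem)) or re.search(r"[^aeiouy]{5}", stem) is not None


def in_windows_tree(image: str) -> bool:
    return "\\windows\\" in image.lower()


def triage(entries: Iterable[Autorun]) -> List[str]:
    """One finding per entry whose image looks generated and lives under Windows."""
    return [
        f"{e.source} [{e.name}] -> {e.image}: generated-looking image name in Windows tree"
        for e in entries
        if looks_random(e.image) and in_windows_tree(e.image)
    ]


# Sample input copied from the thread's HijackThis log and Report.txt.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jlbqjn.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\smrstr.dll
""".strip().splitlines()

SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"winsync"="C:\\WINDOWS\\system32\\jlbqjn.exe reg_run"
"""


def run_sample() -> List[str]:
    return triage(parse_hjt(SAMPLE_HJT) + parse_regedit4_run(SAMPLE_REG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The NvCpl entry shows why the allowlist matters: its five-letter, vowel-free stem would otherwise be flagged alongside jlbqjn.exe and smrstr.dll.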

#6
Brines

    Member

  • Topic Starter
  • Member
  • 26 posts
HJT:

StartupList report, 7/17/2005, 1:47:02 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\jlbqjn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WScript.exe
C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Vaughn Brines\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
LTMSG = LTMSG.exe 7
AVG7_EMC = C:\Program Files\Grisoft\AVG Free\avgemc.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
winsync = C:\WINDOWS\system32\jlbqjn.exe reg_run

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*No subkeys found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

SuperAdBlockerBHO Class - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll - {00000000-6C30-11D8-9363-000AE6309654}

--------------------------------------------------

Enumerating Task Scheduler jobs:

RUTASK.job

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...kr.cab31267.cab

[{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]
CODEBASE = http://static.windup.../bridge-c18.cab

[iCC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
CODEBASE = http://pcpitstop.com...cpConnCheck.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\yacscom.dll
CODEBASE = http://jcs.chat.dcn....v45/yacscom.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...D0C/wmv9dmo.cab

[ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ActiveX.ocx
CODEBASE = http://www.icannnews.../ST/ActiveX.ocx

[EPUImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
CODEBASE = http://tools.ebayimg...l_v1-0-3-24.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://spaces.msn.co...ad/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1112891736921

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/s...nfo/webscan.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\rsvpsp.dll
Protocol #17: C:\WINDOWS\system32\rsvpsp.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Rezident Driver: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Microsoft Registry Viewer: "C:\WINDOWS\dumpreg.exe" (disabled)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5bv.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: System32\DRIVERS\fetnd5.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (manual start)
Agere Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (disabled)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
Maya 6 PLE Documentation Server: "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf" (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (disabled)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (disabled)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
rdriv: \??\C:\WINDOWS\system32\rdriv.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (disabled)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (disabled)
SABProcEnum: \??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys (manual start)
Super Ad Blocker Service: "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE" (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SBP-2 Transport/Protocol Bus Driver: System32\DRIVERS\sbp2port.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sygate Personal Firewall: C:\Program Files\Sygate\SPF\smc.exe (autostart)
SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{511D7260-E7EA-45A1-831C-8503B5E05704} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (disabled)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (disabled)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (disabled)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (disabled)
wpsdrvnt: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,324 bytes
Report generated in 0.062 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only




Do you want something from Killbox too?

#7 Wizard (Retired Staff, 5,661 posts)
I'm not sure how I missed it in the first place, but you appear to have the Look2me Infection as well!

This will take a few more steps to complete than earlier anticipated!

Please download the l2mfix from here
http://www.atribune....oads/l2mfix.exe

http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you receive any error messages for CMD or Autoexec.bat>> Select Option 5 from the l2mfix and, once at the Site, Click on the link that applies to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!


Sorry about missing that on the first post!

#8 Brines (Topic Starter, Member, 26 posts)
On l2mfix.bat, it comes up with the error message, and I do number 5 like you say, and it comes up with this:

C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\fixautont.html.url

Windows cannot find 'C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix\fixautont.html.url'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search. I click Okay and l2mfix.bat closes. I try number 1 again, and just click 'Ignore' when the error comes up, and I get this in a notepad file:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\smrstr.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DC1EF475-A732-BA68-CA22-CCAB411163BC}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B4B3001E-0F56-4E51-8250-BDE11547EC55}"="Super Ad Blocker Toolbar"
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"
"{FAE81FA4-373D-4DFD-A3AF-BBFB18487751}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FAE81FA4-373D-4DFD-A3AF-BBFB18487751}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAE81FA4-373D-4DFD-A3AF-BBFB18487751}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAE81FA4-373D-4DFD-A3AF-BBFB18487751}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAE81FA4-373D-4DFD-A3AF-BBFB18487751}\InprocServer32]
@="C:\\WINDOWS\\system32\\wcnrnr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 7000-E2FD

Directory of C:\WINDOWS\System32

07/17/2005 11:41 AM 417,792 wcnrnr.dll
07/16/2005 09:02 AM 417,792 mhvidc32.dll
07/15/2005 10:29 PM 417,792 svcbase.dll
07/15/2005 09:29 PM <DIR> dllcache
07/15/2005 09:22 PM 417,792 qidit.dll
07/15/2005 06:22 PM 417,792 rfgsvc.dll
07/15/2005 05:19 PM 417,792 npwddi.dll
07/15/2005 04:33 PM 417,792 wtnsta.dll
07/14/2005 02:31 PM 417,792 ayptif.dll
07/14/2005 02:24 PM 417,792 smrstr.dll
07/14/2005 10:13 AM 417,792 msc40.dll
07/11/2005 10:53 PM 417,792 mvrapi.dll
07/11/2005 09:27 PM 417,792 swsinv.dll
07/11/2005 09:27 PM 417,792 sbi_ci.dll
07/11/2005 08:12 PM 417,792 mvi.dll
07/11/2005 08:12 PM 417,792 myhtmled.dll
07/11/2005 06:50 PM 417,792 mic40u.dll
07/11/2005 06:50 PM 417,792 moicda.dll
07/11/2005 05:30 PM 417,792 kcdusx.dll
07/11/2005 05:30 PM 417,792 kscom.dll
07/11/2005 04:00 PM 417,792 amdiosrv.dll
07/09/2005 09:01 PM 417,792 guard.tmp
04/07/2005 09:36 AM <DIR> Microsoft
21 File(s) 8,773,632 bytes
2 Dir(s) 52,270,346,240 bytes free




I still think Web-Nexus and the 6 letter .exe need to be fixed. The 6 letter .exe is still in my HJT, and I'm still getting popups from Web-Nexus.
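
The find log above shows the two Look2Me indicators a defender can key on: a run of DLLs in System32 that all have exactly the same size (417,792 bytes) under unrelated random names, and a Winlogon\Notify package whose DllName points at one of them. The script below is an added example and is not part of this thread or of the l2mfix tool; it parses a `dir` listing and a .reg export in the same format as the posted log and reports both indicators. The sample input is constructed for the example (it reuses a few file names from the log plus two made-up benign entries), and the regular expressions, thresholds and function names are the example's own.

```python
"""Flag Look2Me-style indicators in an L2MFix-style find log.

Added example, not part of the thread or the l2mfix tool. It parses two
artefacts that appear in the find log posted above: a Windows `dir`
listing of System32 and a .reg export of the Winlogon\\Notify key, and
reports (1) clusters of files that share one exact byte size under
unrelated names, which is how Look2Me drops copies of its DLL, and
(2) Winlogon Notify packages whose DllName points into such a cluster.
The sample input below is constructed for the example.
"""
import re
from collections import defaultdict

# One line of `dir` output: date, time, size or <DIR>, file name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
REG_KEY = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\Notify\Setup]
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"\s*$')  # "DllName"="C:\\..."


def parse_dir_listing(text):
    """Return (name, size_bytes, timestamp) for every file entry."""
    files = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        date, time, size, name = m.groups()
        files.append((name, int(size.replace(",", "")), f"{date} {time}"))
    return files


def size_clusters(files, min_count=3):
    """Group files by exact size; keep sizes shared by >= min_count files."""
    by_size = defaultdict(list)
    for name, size, _ in files:
        by_size[size].append(name)
    return {size: sorted(names)
            for size, names in by_size.items() if len(names) >= min_count}


def parse_winlogon_notify(reg_text):
    """Map each Winlogon\\Notify subkey (package) name to its DllName."""
    result, current = {}, None
    for line in reg_text.splitlines():
        k = REG_KEY.match(line.strip())
        if k:
            tail = k.group(1).rsplit("\\Winlogon\\Notify", 1)
            current = tail[1].lstrip("\\") if len(tail) == 2 and tail[1] else None
            continue
        v = REG_VALUE.match(line.strip())
        if v and current and v.group(1) == "DllName":
            # .reg files escape backslashes as "\\"; undo that.
            result[current] = v.group(2).replace("\\\\", "\\")
    return result


def notify_in_cluster(notify, clusters):
    """Packages whose DllName basename is one of the clustered files."""
    names = {n.lower() for group in clusters.values() for n in group}
    return sorted(pkg for pkg, path in notify.items()
                  if path.rsplit("\\", 1)[-1].lower() in names)


def analyze(dir_text, reg_text):
    """Run both checks and return a report dict."""
    clusters = size_clusters(parse_dir_listing(dir_text))
    notify = parse_winlogon_notify(reg_text)
    return {"clusters": clusters, "notify": notify,
            "notify_in_cluster": notify_in_cluster(notify, clusters)}


# Constructed sample input, modelled on the posted find log.
SAMPLE_DIR = """\
 Directory of C:\\WINDOWS\\System32

07/17/2005 11:41 AM 417,792 wcnrnr.dll
07/16/2005 09:02 AM 417,792 mhvidc32.dll
07/15/2005 09:29 PM <DIR> dllcache
07/14/2005 02:24 PM 417,792 smrstr.dll
07/11/2005 04:00 PM 417,792 amdiosrv.dll
07/09/2005 09:01 PM 417,792 guard.tmp
04/07/2005 09:36 AM 1,024 benign_one.dll
04/07/2005 09:36 AM 2,048 benign_two.dll
 7 File(s) 2,092,032 bytes
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\smrstr.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_DIR, SAMPLE_REG)
    for size, names in report["clusters"].items():
        print(f"{len(names)} files of exactly {size:,} bytes: {', '.join(names)}")
    for pkg in report["notify_in_cluster"]:
        print(f"Winlogon Notify package '{pkg}' loads "
              f"{report['notify'][pkg]} (member of a size cluster)")
```

Identical size by itself is not proof (legitimate files can share a size), which is why the script pairs the cluster threshold with the Notify cross-check; anything it flags should still be confirmed by hash or signature before removal, and the Notify entry is worth checking first because it is what gets the DLL loaded at every logon.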

#9 Brines (Topic Starter, Member, 26 posts)
I tried the second download link you gave me, and the 2nd step worked to fix the files, but it wants me to reboot now. What should I do? Earlier today, you told me not to reboot until we had something fixed.

#10 Wizard (Retired Staff, 5,661 posts)
Yep, that's the l2m Infection!!

We will get to the Qoologic Infection after Look2me is Dead!

Hang in there with me!

Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the Results of Option 2 and a fresh HijackThis log, then proceed with the Instructions below!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Don't use it yet!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Run Cleanup, when prompted to log off>> Select No

Scan the PC with Ewido just as described in the link-> Clean everything it finds and make sure to Save the Report

Scan the System with Ad Aware, remove everything it finds and delete all quarantine files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Kaspersky

Delete everything the Online Scan finds!

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!
Exit Program!


Post back with a fresh HijackThis log and the reports from Ewido and Kaspersky!

#11 Brines (Topic Starter, Member, 26 posts)
L2M:


L2Mfix 1.03a

Running From:
C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Vaughn Brines\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1856 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1216 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\amdiosrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\amdiosrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ayptif.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ayptif.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iietppui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iietppui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kcdusx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kcdusx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kscom.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kscom.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lVprxy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lVprxy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhvidc32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mhvidc32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mic40u.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mic40u.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\moicda.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\moicda.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msc40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\msc40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvrapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvrapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myhtmled.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myhtmled.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\npwddi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\npwddi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qidit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qidit.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rfgsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rfgsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sbi_ci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sbi_ci.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smrstr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smrstr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\svcbase.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\svcbase.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swsinv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wcnrnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wcnrnr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtnsta.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtnsta.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\amdiosrv.dll
Successfully Deleted: C:\WINDOWS\system32\amdiosrv.dll
deleting: C:\WINDOWS\system32\amdiosrv.dll
Successfully Deleted: C:\WINDOWS\system32\amdiosrv.dll
deleting: C:\WINDOWS\system32\ayptif.dll
Successfully Deleted: C:\WINDOWS\system32\ayptif.dll
deleting: C:\WINDOWS\system32\ayptif.dll
Successfully Deleted: C:\WINDOWS\system32\ayptif.dll
deleting: C:\WINDOWS\system32\iietppui.dll
Successfully Deleted: C:\WINDOWS\system32\iietppui.dll
deleting: C:\WINDOWS\system32\iietppui.dll
Successfully Deleted: C:\WINDOWS\system32\iietppui.dll
deleting: C:\WINDOWS\system32\kcdusx.dll
Successfully Deleted: C:\WINDOWS\system32\kcdusx.dll
deleting: C:\WINDOWS\system32\kcdusx.dll
Successfully Deleted: C:\WINDOWS\system32\kcdusx.dll
deleting: C:\WINDOWS\system32\kscom.dll
Successfully Deleted: C:\WINDOWS\system32\kscom.dll
deleting: C:\WINDOWS\system32\kscom.dll
Successfully Deleted: C:\WINDOWS\system32\kscom.dll
deleting: C:\WINDOWS\system32\lVprxy.dll
Successfully Deleted: C:\WINDOWS\system32\lVprxy.dll
deleting: C:\WINDOWS\system32\lVprxy.dll
Successfully Deleted: C:\WINDOWS\system32\lVprxy.dll
deleting: C:\WINDOWS\system32\mhvidc32.dll
Successfully Deleted: C:\WINDOWS\system32\mhvidc32.dll
deleting: C:\WINDOWS\system32\mhvidc32.dll
Successfully Deleted: C:\WINDOWS\system32\mhvidc32.dll
deleting: C:\WINDOWS\system32\mic40u.dll
Successfully Deleted: C:\WINDOWS\system32\mic40u.dll
deleting: C:\WINDOWS\system32\mic40u.dll
Successfully Deleted: C:\WINDOWS\system32\mic40u.dll
deleting: C:\WINDOWS\system32\moicda.dll
Successfully Deleted: C:\WINDOWS\system32\moicda.dll
deleting: C:\WINDOWS\system32\moicda.dll
Successfully Deleted: C:\WINDOWS\system32\moicda.dll
deleting: C:\WINDOWS\system32\msc40.dll
Successfully Deleted: C:\WINDOWS\system32\msc40.dll
deleting: C:\WINDOWS\system32\msc40.dll
Successfully Deleted: C:\WINDOWS\system32\msc40.dll
deleting: C:\WINDOWS\system32\mvi.dll
Successfully Deleted: C:\WINDOWS\system32\mvi.dll
deleting: C:\WINDOWS\system32\mvi.dll
Successfully Deleted: C:\WINDOWS\system32\mvi.dll
deleting: C:\WINDOWS\system32\mvrapi.dll
Successfully Deleted: C:\WINDOWS\system32\mvrapi.dll
deleting: C:\WINDOWS\system32\mvrapi.dll
Successfully Deleted: C:\WINDOWS\system32\mvrapi.dll
deleting: C:\WINDOWS\system32\myhtmled.dll
Successfully Deleted: C:\WINDOWS\system32\myhtmled.dll
deleting: C:\WINDOWS\system32\myhtmled.dll
Successfully Deleted: C:\WINDOWS\system32\myhtmled.dll
deleting: C:\WINDOWS\system32\npwddi.dll
Successfully Deleted: C:\WINDOWS\system32\npwddi.dll
deleting: C:\WINDOWS\system32\npwddi.dll
Successfully Deleted: C:\WINDOWS\system32\npwddi.dll
deleting: C:\WINDOWS\system32\qidit.dll
Successfully Deleted: C:\WINDOWS\system32\qidit.dll
deleting: C:\WINDOWS\system32\qidit.dll
Successfully Deleted: C:\WINDOWS\system32\qidit.dll
deleting: C:\WINDOWS\system32\rfgsvc.dll
Successfully Deleted: C:\WINDOWS\system32\rfgsvc.dll
deleting: C:\WINDOWS\system32\rfgsvc.dll
Successfully Deleted: C:\WINDOWS\system32\rfgsvc.dll
deleting: C:\WINDOWS\system32\sbi_ci.dll
Successfully Deleted: C:\WINDOWS\system32\sbi_ci.dll
deleting: C:\WINDOWS\system32\sbi_ci.dll
Successfully Deleted: C:\WINDOWS\system32\sbi_ci.dll
deleting: C:\WINDOWS\system32\smrstr.dll
Successfully Deleted: C:\WINDOWS\system32\smrstr.dll
deleting: C:\WINDOWS\system32\smrstr.dll
Successfully Deleted: C:\WINDOWS\system32\smrstr.dll
deleting: C:\WINDOWS\system32\svcbase.dll
Successfully Deleted: C:\WINDOWS\system32\svcbase.dll
deleting: C:\WINDOWS\system32\svcbase.dll
Successfully Deleted: C:\WINDOWS\system32\svcbase.dll
deleting: C:\WINDOWS\system32\swsinv.dll
Successfully Deleted: C:\WINDOWS\system32\swsinv.dll
deleting: C:\WINDOWS\system32\swsinv.dll
Successfully Deleted: C:\WINDOWS\system32\swsinv.dll
deleting: C:\WINDOWS\system32\wcnrnr.dll
Successfully Deleted: C:\WINDOWS\system32\wcnrnr.dll
deleting: C:\WINDOWS\system32\wcnrnr.dll
Successfully Deleted: C:\WINDOWS\system32\wcnrnr.dll
deleting: C:\WINDOWS\system32\wtnsta.dll
Successfully Deleted: C:\WINDOWS\system32\wtnsta.dll
deleting: C:\WINDOWS\system32\wtnsta.dll
Successfully Deleted: C:\WINDOWS\system32\wtnsta.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: amdiosrv.dll (164 bytes security) (deflated 48%)
adding: ayptif.dll (164 bytes security) (deflated 48%)
adding: iietppui.dll (164 bytes security) (deflated 48%)
adding: kcdusx.dll (164 bytes security) (deflated 48%)
adding: kscom.dll (164 bytes security) (deflated 48%)
adding: lVprxy.dll (164 bytes security) (deflated 48%)
adding: mhvidc32.dll (164 bytes security) (deflated 48%)
adding: mic40u.dll (164 bytes security) (deflated 48%)
adding: moicda.dll (164 bytes security) (deflated 48%)
adding: msc40.dll (164 bytes security) (deflated 48%)
adding: mvi.dll (164 bytes security) (deflated 48%)
adding: mvrapi.dll (164 bytes security) (deflated 48%)
adding: myhtmled.dll (164 bytes security) (deflated 48%)
adding: npwddi.dll (164 bytes security) (deflated 48%)
adding: qidit.dll (164 bytes security) (deflated 48%)
adding: rfgsvc.dll (164 bytes security) (deflated 48%)
adding: sbi_ci.dll (164 bytes security) (deflated 48%)
adding: smrstr.dll (164 bytes security) (deflated 48%)
adding: svcbase.dll (164 bytes security) (deflated 48%)
adding: swsinv.dll (164 bytes security) (deflated 48%)
adding: wcnrnr.dll (164 bytes security) (deflated 48%)
adding: wtnsta.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 23%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 88%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 60%)
adding: test.txt (164 bytes security) (deflated 90%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 87%)
adding: backregs/FAE81FA4-373D-4DFD-A3AF-BBFB18487751.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: amdiosrv.dll
deleting local copy: amdiosrv.dll
deleting local copy: ayptif.dll
deleting local copy: ayptif.dll
deleting local copy: iietppui.dll
deleting local copy: iietppui.dll
deleting local copy: kcdusx.dll
deleting local copy: kcdusx.dll
deleting local copy: kscom.dll
deleting local copy: kscom.dll
deleting local copy: lVprxy.dll
deleting local copy: lVprxy.dll
deleting local copy: mhvidc32.dll
deleting local copy: mhvidc32.dll
deleting local copy: mic40u.dll
deleting local copy: mic40u.dll
deleting local copy: moicda.dll
deleting local copy: moicda.dll
deleting local copy: msc40.dll
deleting local copy: msc40.dll
deleting local copy: mvi.dll
deleting local copy: mvi.dll
deleting local copy: mvrapi.dll
deleting local copy: mvrapi.dll
deleting local copy: myhtmled.dll
deleting local copy: myhtmled.dll
deleting local copy: npwddi.dll
deleting local copy: npwddi.dll
deleting local copy: qidit.dll
deleting local copy: qidit.dll
deleting local copy: rfgsvc.dll
deleting local copy: rfgsvc.dll
deleting local copy: sbi_ci.dll
deleting local copy: sbi_ci.dll
deleting local copy: smrstr.dll
deleting local copy: smrstr.dll
deleting local copy: svcbase.dll
deleting local copy: svcbase.dll
deleting local copy: swsinv.dll
deleting local copy: swsinv.dll
deleting local copy: wcnrnr.dll
deleting local copy: wcnrnr.dll
deleting local copy: wtnsta.dll
deleting local copy: wtnsta.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\amdiosrv.dll
C:\WINDOWS\system32\amdiosrv.dll
C:\WINDOWS\system32\ayptif.dll
C:\WINDOWS\system32\ayptif.dll
C:\WINDOWS\system32\iietppui.dll
C:\WINDOWS\system32\iietppui.dll
C:\WINDOWS\system32\kcdusx.dll
C:\WINDOWS\system32\kcdusx.dll
C:\WINDOWS\system32\kscom.dll
C:\WINDOWS\system32\kscom.dll
C:\WINDOWS\system32\lVprxy.dll
C:\WINDOWS\system32\lVprxy.dll
C:\WINDOWS\system32\mhvidc32.dll
C:\WINDOWS\system32\mhvidc32.dll
C:\WINDOWS\system32\mic40u.dll
C:\WINDOWS\system32\mic40u.dll
C:\WINDOWS\system32\moicda.dll
C:\WINDOWS\system32\moicda.dll
C:\WINDOWS\system32\msc40.dll
C:\WINDOWS\system32\msc40.dll
C:\WINDOWS\system32\mvi.dll
C:\WINDOWS\system32\mvi.dll
C:\WINDOWS\system32\mvrapi.dll
C:\WINDOWS\system32\mvrapi.dll
C:\WINDOWS\system32\myhtmled.dll
C:\WINDOWS\system32\myhtmled.dll
C:\WINDOWS\system32\npwddi.dll
C:\WINDOWS\system32\npwddi.dll
C:\WINDOWS\system32\qidit.dll
C:\WINDOWS\system32\qidit.dll
C:\WINDOWS\system32\rfgsvc.dll
C:\WINDOWS\system32\rfgsvc.dll
C:\WINDOWS\system32\sbi_ci.dll
C:\WINDOWS\system32\sbi_ci.dll
C:\WINDOWS\system32\smrstr.dll
C:\WINDOWS\system32\smrstr.dll
C:\WINDOWS\system32\svcbase.dll
C:\WINDOWS\system32\svcbase.dll
C:\WINDOWS\system32\swsinv.dll
C:\WINDOWS\system32\swsinv.dll
C:\WINDOWS\system32\wcnrnr.dll
C:\WINDOWS\system32\wcnrnr.dll
C:\WINDOWS\system32\wtnsta.dll
C:\WINDOWS\system32\wtnsta.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FAE81FA4-373D-4DFD-A3AF-BBFB18487751}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FAE81FA4-373D-4DFD-A3AF-BBFB18487751}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



HJT:


Logfile of HijackThis v1.99.1
Scan saved at 8:43:46 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\jlbqjn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vaughn Brines\My Documents\Devin\progsiened\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program Files\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jlbqjn.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com...cpConnCheck.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn....v45/yacscom.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112891736921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{273FFE4E-BAD7-4AB8-946F-08987352374E}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

*downloads the programs*

*reboots*
  • 0

#12
Wizard
  • Retired Staff
  • 5,661 posts
Looks good so far, let's have a look at what Ewido and Kaspersky find!
  • 0

#13
Brines
  • Topic Starter
  • Member
  • 26 posts
Ewido found nothing.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:57:34 PM, 7/17/2005
+ Report-Checksum: 9689A07E

+ Scan result:

No infected objects found.



Kaspersky won't work. On the download screen, it says Failed to load Kaspersky Anti-Virus Web Scanner ActiveX control!

You must have administrative rights on this computer; you also must have the IE security settings to the Medium level.

I have both of those, so I don't see why it doesn't work. On Battlefield 1942, it also said I can't play because I don't have administrative rights. But I do. Gah! Help me out.
  • 0

#14
Brines
  • Topic Starter
  • Member
  • 26 posts
I found this:


Download and run this file from any location, it will check for adware that stops you from being able to play on PB servers. The VX2 adware edits your user rights when it infects your computer, and many programs do not repair this when they remove it.

http://www.greyknigh...Finder(126).exe

Click the "Find VX2.betterinternet info" button to make sure that you don't have this adware. If there are no files listed, go on to the last step. If you find the adware files (it is usually 3 randomly named dll files), select all the files found.

Press 'Delete These Files'. The program will delete all files but one, which will be deleted on reboot. Allow the program to reboot. Once restarted:

Press 'Guardian.reg'.
Press 'User Agent'.
Press 'Restore Policy'.
Clicking on "Find VX2.betterinternet info" again should show all fields blank.
If you have no adware files, just click on the "Restore Policy" button.


I'm going into safe mode right now.

  • 0
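The l2mfix output earlier in the thread repairs the Winlogon Notify key that Look2Me-style adware registers its random-named DLLs under and restores the key's permissions, and the VX2 note quoted in this post says the adware edits user rights. As an added read-only audit that is not part of the thread, of l2mfix or of VX2Finder (PowerShell, assuming a Windows host with the HKLM: registry provider), this lists the key's ACL, warns if Administrators no longer hold Full Control, and flags unsigned registered DLLs whose names look like the ones deleted above:

```powershell
# Added audit script (not from the thread or from l2mfix): inspects the Winlogon
# Notify key repaired above and reports Look2Me-style DLL registrations.
# Read-only: it reports, it never deletes or changes permissions.
# Assumes Windows PowerShell 5.1 or later on the host being examined.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'system32'

# 1. Permissions. The fix in the log restored Administrators/SYSTEM Full Control
#    and Users Read; the adware revokes Administrators so its DLLs cannot be
#    unregistered, so the absence of that ACE is the thing to warn about.
$acl = Get-Acl -Path $notifyKey
$adminFull = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'BUILTIN\Administrators' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.RegistryRights.ToString() -match 'FullControl'
}
if (-not $adminFull) {
    Write-Warning "Administrators lack Full Control on $notifyKey; permissions may have been tampered with."
}
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Registrations. Each subkey's DllName is loaded by winlogon.exe at logon,
#    which is why these DLLs survive ordinary removal attempts.
Get-ChildItem -Path $notifyKey | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
    if (-not $dll) { return }   # no DllName value: nothing is loaded from this subkey

    # Bare names resolve relative to system32; expand %SystemRoot%-style variables first
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }

    $exists = Test-Path -LiteralPath $path
    $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid' } else { $false }

    # Name heuristic drawn from the deletions in the log: short, all-lowercase,
    # vowel-poor names such as kcdusx or wtnsta. A heuristic only, so it is
    # combined with the signature check rather than used on its own.
    $base = [IO.Path]::GetFileNameWithoutExtension($path)
    $randomLooking = ($base -cmatch '^[a-z0-9]{4,8}$') -and (($base -replace '[^aeiou]', '').Length -le 1)

    [PSCustomObject]@{
        Subkey  = $_.PSChildName
        DllName = $dll
        Exists  = $exists
        Signed  = $signed
        Suspect = (-not $signed) -and ($randomLooking -or (-not $exists))
    }
} | Format-Table -AutoSize
```

A missing file that is still registered (Exists false) is itself worth noting, since winlogon will keep trying to load it and a reinfection can drop a new DLL under the same name.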

#15
Brines
  • Topic Starter
  • Member
  • 26 posts
Kaspersky STILL won't work, so I'm trying the www.pandasoftware.com scanner. I'm gonna need help with the administrator issue later. Okay, it looks like the Panda one will let me update with ActiveX.
  • 0
