extreme malware/adware infection [CLOSED]


  • This topic is locked

#1 Aknightwhosezni
I get pop-ups all over the place, and they come every 1 1/2 minutes or so...
Most are from loadingweb.com and Party Poker.

I don't see anything too suspicious in the HijackThis log, but just in case I'll post it anyway.
Every time I start up I see a process called PokaPoka62.exe. I'm sure this is related to the Party Poker ads. I end the process tree immediately and the ads keep coming back.

I have run every one of the antivirus and security suites you see below; it's completely clean according to them. I can assure you it's not.

Logfile of HijackThis v1.99.1
Scan saved at 9:50:04 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
F:\Avast\aswUpdSv.exe
F:\Avast\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Stardock\WindowBlinds\wbload.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\Avast\ashMaiSv.exe
F:\Avast\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Avast\ashDisp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Administrator\Desktop\Useful Stuff\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [LogonStudio] "F:\Stardock\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jolaoa.exe reg_run
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] H:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "g:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mfrepl40.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - F:\Stardock\WINDOW~1\fastload.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Avast\aswUpdSv.exe

Please let me know what I can do. Thanks.

Edited by Aknightwhosezni, 04 August 2005 - 02:52 PM.




#2 didom
Unzip HJT into its own permanent folder before doing anything, in order for it to create backups (not a temporary folder and not on the desktop).
Please create a directory on your C: drive called c:\hijackthis, download HijackThis, and unzip it into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

----------------------------------------

Please download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right-click the zip folder and select "Extract All"
    • Extract it somewhere you will remember, like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember, like the Desktop
Reboot into Safe Mode
Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire system, so please be patient!
  • Once the scan is complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double-click "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy and paste those results and place them in the next post along with the results of WinPFind!

#3 Aknightwhosezni (Topic Starter)
Here's the WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 7/9/2005 4:03:06 AM 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
69.59.186.63 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
web-nex 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
PEC2 8/23/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 6/9/2005 3:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 6/9/2005 3:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
Umonitor 8/5/2005 7:29:34 PM 417792 C:\WINDOWS\SYSTEM32\dvkquoui.dll
WinShutDown 8/5/2005 7:29:34 PM 417792 C:\WINDOWS\SYSTEM32\dvkquoui.dll
Umonitor 8/7/2005 4:39:54 PM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown 8/7/2005 4:39:54 PM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
Umonitor 8/7/2005 9:13:26 PM 417792 C:\WINDOWS\SYSTEM32\iz32_32.dll
WinShutDown 8/7/2005 9:13:26 PM 417792 C:\WINDOWS\SYSTEM32\iz32_32.dll
aspack 8/7/2003 2:01:52 PM 126464 C:\WINDOWS\SYSTEM32\lame_enc.dll
PECompact2 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/5/2002 2:40:18 PM 332288 C:\WINDOWS\SYSTEM32\msvcp70.dll
aspack 1/6/2002 5:37:26 AM 194048 C:\WINDOWS\SYSTEM32\msvcr70.dll
aspack 6/2/2004 4:46:12 PM 528896 C:\WINDOWS\SYSTEM32\NCTAudioCompress2.dll
aspack 6/2/2004 4:51:08 PM 622592 C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll
aspack 6/4/2004 1:41:02 PM 150528 C:\WINDOWS\SYSTEM32\NCTAVIFile.dll
aspack 5/12/2004 6:01:08 PM 367616 C:\WINDOWS\SYSTEM32\NCTMPEGFile.dll
aspack 6/4/2004 4:09:32 PM 101376 C:\WINDOWS\SYSTEM32\NCTQuickTimeFile.dll
aspack 6/4/2004 1:40:18 PM 83968 C:\WINDOWS\SYSTEM32\NCTRMFile.dll
aspack 6/8/2004 11:39:16 AM 235520 C:\WINDOWS\SYSTEM32\NCTVideoCompress.dll
aspack 6/8/2004 11:50:56 AM 66560 C:\WINDOWS\SYSTEM32\NCTVideoFile.dll
aspack 6/4/2004 4:08:20 PM 90112 C:\WINDOWS\SYSTEM32\NCTWMVFile.dll
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor 8/10/2005 8:01:54 AM 417792 C:\WINDOWS\SYSTEM32\sfndmail.dll
WinShutDown 8/10/2005 8:01:54 AM 417792 C:\WINDOWS\SYSTEM32\sfndmail.dll
winsync 8/23/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder for system and hidden files within the last 60 days...
8/10/2005 8:35:48 AM 54156 C:\WINDOWS\QTFont.qfn
6/14/2005 5:53:04 PM 749 C:\WINDOWS\WindowsShell.Manifest
6/14/2005 5:53:10 PM 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
6/20/2005 12:45:56 PM 59556 C:\WINDOWS\Downloaded Program Files\Doremi.ttf
6/14/2005 5:53:48 PM 67 C:\WINDOWS\Fonts\desktop.ini
7/23/2005 8:34:46 PM 0 C:\WINDOWS\inf\oem27.inf
7/23/2005 8:41:22 PM 0 C:\WINDOWS\inf\oem28.inf
7/23/2005 8:43:28 PM 0 C:\WINDOWS\inf\oem29.inf
6/14/2005 5:53:10 PM 65 C:\WINDOWS\Offline Web Pages\desktop.ini
6/14/2005 5:53:26 PM 242478 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
6/14/2005 5:53:26 PM 19959 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
6/14/2005 5:53:26 PM 727 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
7/26/2005 12:15:56 PM 305145 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
7/26/2005 12:18:24 PM 68327 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
6/14/2005 5:54:20 PM 233472 C:\WINDOWS\repair\ntuser.dat
6/14/2005 5:53:04 PM 749 C:\WINDOWS\system32\cdplayer.exe.manifest
6/14/2005 5:53:10 PM 488 C:\WINDOWS\system32\logonui.exe.manifest
6/14/2005 5:53:04 PM 749 C:\WINDOWS\system32\ncpa.cpl.manifest
6/14/2005 5:53:04 PM 749 C:\WINDOWS\system32\nwc.cpl.manifest
6/14/2005 5:53:04 PM 749 C:\WINDOWS\system32\sapi.cpl.manifest
6/14/2005 5:53:10 PM 488 C:\WINDOWS\system32\WindowsLogon.manifest
6/14/2005 5:53:04 PM 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
8/10/2005 8:47:12 AM 16384 C:\WINDOWS\system32\config\default.LOG
8/10/2005 8:47:08 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
8/10/2005 8:46:50 AM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
8/10/2005 8:47:12 AM 151552 C:\WINDOWS\system32\config\software.LOG
8/10/2005 8:46:54 AM 856064 C:\WINDOWS\system32\config\system.LOG
6/14/2005 12:39:50 PM 1024 C:\WINDOWS\system32\config\TempKey.LOG
6/14/2005 12:39:50 PM 1024 C:\WINDOWS\system32\config\userdiff.LOG
8/9/2005 5:19:36 PM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
6/14/2005 12:41:48 PM 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
6/14/2005 12:41:48 PM 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
6/14/2005 5:53:30 PM 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
6/14/2005 5:53:30 PM 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
6/14/2005 5:53:30 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
6/14/2005 5:53:30 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
6/14/2005 5:53:30 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4LEFKTIF\desktop.ini
6/14/2005 5:53:30 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8XU7OPM7\desktop.ini
6/14/2005 5:53:30 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CX2NW92F\desktop.ini
6/14/2005 5:53:30 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KTIFO1IB\desktop.ini
6/14/2005 5:53:12 PM 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
6/14/2005 12:41:48 PM 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
6/14/2005 5:54:14 PM 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
6/14/2005 5:54:14 PM 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
6/14/2005 5:54:14 PM 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
6/14/2005 5:54:14 PM 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
6/14/2005 5:54:14 PM 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
7/23/2005 8:45:58 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\ae19809c-dd1d-474a-bbf7-ba2ca7d878b1
7/23/2005 8:45:58 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/4/2005 6:51:36 PM 206 C:\WINDOWS\Tasks\RUTASK.job
8/10/2005 8:45:24 AM 6 C:\WINDOWS\Tasks\SA.DAT
7/26/2005 12:22:34 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
7/26/2005 12:22:32 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
7/26/2005 12:22:32 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\A5SPMHMN\desktop.ini
7/26/2005 12:22:32 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\ATOP8LGT\desktop.ini
7/26/2005 12:22:32 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\O7QRMTO1\desktop.ini
7/26/2005 12:22:32 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SX0Z2FKH\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/20/2005 1:00:56 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
6/20/2005 8:47:00 PM 1469 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 4.0.8 Pro.lnk
7/15/2005 1:37:18 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
6/15/2005 2:18:10 PM 1758 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{2473CCD9-71CB-4A08-B070-EC78AA0CC6B1} = C:\WINDOWS\system32\ndevtmsg.dll
{779618F3-278C-4843-9849-E82E7864FFE9} = C:\WINDOWS\system32\ozethk32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = F:\Avast\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqkgqtmg
{32971447-a2db-493d-a7de-13b0ac579bdf} = C:\WINDOWS\system32\jbkdb.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = F:\Avast\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : H:\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
avast! F:\Avast\ashDisp.exe
LogonStudio "F:\Stardock\LogonStudio\logonstudio.exe" /RANDOM
iTunesHelper "H:\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
mscin C:\WINDOWS\system32\m190309.EXE
System service62 C:\WINDOWS\etb\pokapoka62.exe
BullsEye Network C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PopUpStopperFreeEdition "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
Steam "g:\valve\steam\steam.exe" -silent
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
AIM H:\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} = C:\PROGRA~1\COMMON~1\Stardock\mcpcore.dll
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage
= C:\WINDOWS\system32\iMssdo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs wbsys.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/10/2005 8:55:07 AM

======================================================================================

And here's the VBScript report:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"avast!"="F:\\Avast\\ashDisp.exe"
"LogonStudio"="\"F:\\Stardock\\LogonStudio\\logonstudio.exe\" /RANDOM"
"iTunesHelper"="\"H:\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mscin"="C:\\WINDOWS\\system32\\m190309.EXE"
"System service62"="C:\\WINDOWS\\etb\\pokapoka62.exe"
"BullsEye Network"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- avast
{472083B0-C522-11CF-8763-00608CC02F24}
F:\Avast\ashShell.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- fqkgqtmg
{32971447-a2db-493d-a7de-13b0ac579bdf}
C:\WINDOWS\system32\jbkdb.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
LimeWire 4.0.8 Pro.lnk
Microsoft Office.lnk
Microtek Scanner Finder.lnk
==============================
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
LimeWire 4.0.8 Pro.lnk
Microsoft Office.lnk
Microtek Scanner Finder.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

Edited by Aknightwhosezni, 10 August 2005 - 10:02 AM.

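Added example, not part of the thread and not a tool either poster used: a small Python script that writes down two checks a helper makes by eye when reading the logs in posts #1 and #3. From the WinPFind %System% section it groups differently named files that share one exact size and were all written within the last few weeks (in the log above, four files of 417792 bytes under random names, each carrying the same matched strings). From the HijackThis lines it flags O4 Run entries launched from under the Windows directory that are not on an allowlist, and O20 Winlogon Notify entries whose DLL sits directly in system32. The sample lines are constructed from excerpts of the logs above; the allowlist, the 30-day window and the three-file threshold are assumptions for this example, not rules the thread states.

```python
"""Offline triage of HijackThis and WinPFind log excerpts.

Added example; the sample lines below are constructed from the logs in
this thread, and KNOWN_WINDIR_RUN, the 30-day window and the three-file
threshold are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the WinPFind %System% section above.
WINPFIND_SAMPLE = r"""
UPX! 7/9/2005 4:03:06 AM 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
69.59.186.63 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 8/3/2005 11:43:08 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
Umonitor 8/5/2005 7:29:34 PM 417792 C:\WINDOWS\SYSTEM32\dvkquoui.dll
WinShutDown 8/5/2005 7:29:34 PM 417792 C:\WINDOWS\SYSTEM32\dvkquoui.dll
Umonitor 8/7/2005 4:39:54 PM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
Umonitor 8/7/2005 9:13:26 PM 417792 C:\WINDOWS\SYSTEM32\iz32_32.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor 8/10/2005 8:01:54 AM 417792 C:\WINDOWS\SYSTEM32\sfndmail.dll
aspack 1/5/2002 2:40:18 PM 332288 C:\WINDOWS\SYSTEM32\msvcp70.dll
"""

# Constructed sample: a subset of the HijackThis O4/O20 lines above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\jolaoa.exe reg_run
O4 - HKCU\..\Run: [Steam] "g:\valve\steam\steam.exe" -silent
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\mfrepl40.dll
O20 - Winlogon Notify: WB - F:\Stardock\WINDOW~1\fastload.dll
"""

# Assumed allowlist: Run targets known to legitimately live under the Windows dir.
KNOWN_WINDIR_RUN = {"nerocheck.exe"}

WINPFIND_RE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+)\s+(?P<path>.+?)\s*$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")


def parse_winpfind(text):
    """Map each listed path to (size, mtime, set of matched strings)."""
    files = {}
    for line in text.splitlines():
        m = WINPFIND_RE.match(line)
        if m:
            mtime = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            entry = files.setdefault(m["path"], (int(m["size"]), mtime, set()))
            entry[2].add(m["tag"])  # WinPFind prints one line per matched string
    return files


def rotating_dll_sets(files, scan_date, window_days=30, min_members=3):
    """Sizes shared by at least min_members distinct, recently written paths."""
    cutoff = scan_date - timedelta(days=window_days)
    by_size = defaultdict(list)
    for path, (size, mtime, _tags) in files.items():
        if mtime >= cutoff:
            by_size[size].append(path)
    return {size: sorted(paths) for size, paths in by_size.items()
            if len(paths) >= min_members}


def run_target(cmd):
    """Executable path from an O4 command line: a quoted path, or up to '.exe'."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split()[0]


def suspicious_o4(text):
    """(name, target) for Run entries launched from under the Windows directory."""
    hits = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        target = run_target(m["cmd"])
        low = target.lower()
        if low.startswith("c:\\windows\\") and low.rsplit("\\", 1)[-1] not in KNOWN_WINDIR_RUN:
            hits.append((m["name"], target))
    return hits


def suspicious_o20(text):
    """(name, dll) for Winlogon Notify packages loaded straight out of system32."""
    hits = []
    for line in text.splitlines():
        m = O20_RE.match(line)
        if m and m["dll"].lower().startswith("c:\\windows\\system32\\"):
            hits.append((m["name"], m["dll"]))
    return hits


def triage(winpfind_text, hjt_text, scan_date_str):
    """Run all three checks; scan_date_str is the WinPFind scan date, m/d/yyyy."""
    files = parse_winpfind(winpfind_text)
    scan_date = datetime.strptime(scan_date_str, "%m/%d/%Y")
    return {"rotating": rotating_dll_sets(files, scan_date),
            "o4": suspicious_o4(hjt_text), "o20": suspicious_o20(hjt_text)}


if __name__ == "__main__":
    report = triage(WINPFIND_SAMPLE, HJT_SAMPLE, "8/10/2005")
    files = parse_winpfind(WINPFIND_SAMPLE)
    for size, paths in report["rotating"].items():
        print(f"{len(paths)} recent files share size {size}:")
        for p in paths:
            print("   ", p, sorted(files[p][2]))
    for name, target in report["o4"]:
        print("O4 under Windows dir, not allowlisted:", name, "->", target)
    for name, dll in report["o20"]:
        print("O20 Notify DLL in system32:", name, "->", dll)
```

The size clustering is the useful part: each of the random-named DLLs in the log above is 417792 bytes and carries the same matched strings, while a legitimate system DLL that happens to match one string (rasdlg.dll, dated 2004) falls outside the window and stands alone. The O4/O20 checks are only a first cut; a Run entry under system32 with a generated name deserves a look, but the allowlist has to be maintained per machine.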

#4 didom
Hmm, I'm sorry, we'll do that later. First we have to handle the L2M infection.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1, Run Find Log, by typing 1 and then pressing Enter. This will scan your computer; it may appear that nothing is happening, then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#5 didom
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.