Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

I'm another victim - Need help with WinFix removal [RESOLVED]

Started by crystaldon , Aug 13 2005 01:36 PM

This topic is locked

#1
crystaldon

Posted 13 August 2005 - 01:36 PM

Member

Member
48 posts

Hi, thanks for the help. I've used AdAware, Spybot, Norton antivirus, and every other fix I can get my hands on, but it (and others) keep coming back. Here's the log: Thanks,
Don

Logfile of HijackThis v1.99.1
Scan saved at 3:36:47 PM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\xmxcfh.exe
C:\WINNT\system32\taskmgr.exe
C:\UPGRADES\SpyWareRemover\HijackThis\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINNT\system32\jhlquzel.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\xmxcfh.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lanbrup] C:\WINNT\system32\lanbrup.exe
O4 - HKLM\..\Run: [oxwlhbd] C:\WINNT\system32\xmxcfh.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D07C78-2CEF-4B1D-B11E-845ED26B11B8}: NameServer = 63.67.120.23
O20 - Winlogon Notify: policies - C:\WINNT\system32\tkpmon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
Rawe

Posted 13 August 2005 - 02:11 PM

Visiting Staff

Member
4,746 posts

Hello and welcome!

Can you post me this;

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Uninstall Manager"
Click on the button "Save list"
Copy and paste the List from the notebook onto your post

Post it along with a fresh HiJackThis log.

IMPORTANT; Do NOT reboot after posting your new log unless I ask you to! (One of your infections is changing names on us everytime you reboot.)

- Rawe :tazz:

#3
crystaldon

Posted 13 August 2005 - 02:32 PM

Member

Topic Starter
Member
48 posts

Thanks for the help. Here's the logs.
Don

uninstall list:

ACDSee 7.0 PowerPack
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Reader 7.0
AIM Toolbar
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Deskbar
AOL Instant Messenger
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
Canon CanoScan Toolbox 4.0
Canon CanoScan Toolbox 4.1
CanoScan LiDE20,30 Manual
Command
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDStyler v1.4
HijackThis 1.99.1
Iceows V4.10
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
LANBridge
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft Office 2000 Professional
Nero - Burning Rom (Web installer)
Netscape (7.1)
Norton AntiVirus 2003
Norton WMI Update
NVIDIA Drivers
OIN
OmniPage SE
PCI Audio Driver
QuickTime
RealPlayer Basic
Select CashBack
Select CashBack
SequoiaView
Spybot - Search & Destroy 1.4
Surf Accuracy
Surf SideKick
Ulead iPhoto Express 1.1
USB 2.0 Setup program
USSA RecordNow DX
USSA RecordNow DX Update Manager
Viewpoint Media Player
Win-dh
Windows 2000 Service Pack 4
Windows Media Player system update (9 Series)
WinMX

hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 4:29:13 PM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\xmxcfh.exe
C:\WINNT\system32\taskmgr.exe
C:\UPGRADES\SpyWareRemover\HijackThis\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINNT\system32\jhlquzel.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\xmxcfh.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lanbrup] C:\WINNT\system32\lanbrup.exe
O4 - HKLM\..\Run: [oxwlhbd] C:\WINNT\system32\xmxcfh.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D07C78-2CEF-4B1D-B11E-845ED26B11B8}: NameServer = 63.67.120.23
O20 - Winlogon Notify: policies - C:\WINNT\system32\tkpmon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4
Rawe

Posted 13 August 2005 - 02:46 PM

Visiting Staff

Member
4,746 posts

Ok, can you first update your Java Runtime Environment;

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java. Exit Control Panel..

Then do the following steps (Strictly, DO NOT reboot unless I ask you to!);

Please print these instructions out, or write them down, as you can't read them during the fix.

First;

Please download Ewido Security Suite it is a free version of the program.

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you will get a warning "Database could not be found!" Click OK. We will fix this in a moment.
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT run a scan yet.

If you are having problems with the updater, you can use this link to manually update Ewido.
ewido manual updates

Download CleanUp
Install the program, dont run it yet, we will later.

Please download this file: the Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.

Unzip dsrfix.zip and extract it to your desktop.
This will create a new folder on your desktop named dsrfix.
Do Not open that folder yet.

Please download APT and unzip the contents to a new folder on your desktop.

Open the folder you just created and click on apt.exe and search in the window for xmxcfh.exe.
Open your C:\Windows\system32 folder and search for C:\WINNT\system32\xmxcfh.exe.
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select xmxcfh.exe and Click Kill3
Then immediately delete C:\WINNT\system32\xmxcfh.exe from your system32 folder.

Close APT.

Now do this;

Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; Command Service (cmdService)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.

Repeat this step for Service; O23 - Service: System Startup Service (SvcProc)

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open Ewido and do a scan of your system.

Click on scanner
Click on Complete System Scan and the scan will begin.
Clean anything it finds.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close Ewido.

Now scan with HJT and place a checkmark next to each of the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINNT\system32\jhlquzel.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\xmxcfh.exe r
O4 - HKLM\..\Run: [lanbrup] C:\WINNT\system32\lanbrup.exe
O4 - HKLM\..\Run: [oxwlhbd] C:\WINNT\system32\xmxcfh.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - Winlogon Notify: policies - C:\WINNT\system32\tkpmon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.

Double-Click on dsrfix.bat
A window will pop up briefly then close, this is normal.

Enable show hidden files and folders:

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

Now using Windows Explorer locate the following files/folders and delete if present;

C:\Program Files\SurfSideKick 3\
C:\WINNT\system32\jhlquzel.dll
C:\WINNT\system32\xmxcfh.exe
C:\WINNT\system32\lanbrup.exe
C:\WINNT\system32\tkpmon.dll
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\
C:\WINNT\svcproc.exe

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
When CleanUp starts go to the Options button (right side of CleanUp screen)
Move the arrow down to "Custom CleanUp!"
Now place a checkmark next to the following (Make sure nothing else is checked!):
- Delete Cookies
  This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
- Empty Recycle Bins
- Delete Prefetch files
- Cleanup! All Users
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

- Rawe :tazz:

#5
crystaldon

Posted 13 August 2005 - 03:31 PM

Member

Topic Starter
Member
48 posts

Ok, I tried, but hit problems.

- The Java update didn't work (gave me an invalid link). So, I went out and got it, and installled manually. Now I'm up to 1.5.0_04. They wanted me to re-boot after the installation, but I didn't.

- Ewido did not complain about no database. I attempted to update and got the 'nothing new available' message. So, I went and got both full and daily updates, and did them manually.

- APT - Kill3 worked, but I got a sharing violation when I attempted to delete C:\WINNT\system32\xmxcfh.exe . It wouldn't delete.

- Command Service - All buttons were greyed-out. I couldn't stop the service.

I stopped at this point. What should I do next? Thanks again,
Don

#6
Rawe

Posted 13 August 2005 - 03:37 PM

Visiting Staff

Member
4,746 posts

Post this;

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Check the 2 boxes next to the Box that says "Generate StartupList log"
Click on the button "Generate StartupList log"
Copy and paste the StartupList from the notebook onto your post

Post it along with a fresh (Normal) HijackThis log.

Edited by Rawe, 13 August 2005 - 03:38 PM.

#7
crystaldon

Posted 13 August 2005 - 03:48 PM

Member

Topic Starter
Member
48 posts

Ok, here's the new ones. BTW, I have not re-booted since we started this. Should I? Thanks,
Don

Startup log:

StartupList report, 8/13/2005, 5:45:49 PM
StartupList version: 1.52.2
Started from : C:\UPGRADES\SpyWareRemover\HijackThis\Temp\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINNT\system32\irljay.exe
C:\UPGRADES\SpyWareRemover\HijackThis\Temp\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

(Default) =
SurfSideKick 3 = C:\Program Files\SurfSideKick 3\Ssk.exe
ntdll.dll = C:\WINNT\system32\irljay.exe r
NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
lanbrup = C:\WINNT\system32\lanbrup.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
wfcoadc = C:\WINNT\system32\irljay.exe r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SurfSideKick 3 = C:\Program Files\SurfSideKick 3\Ssk.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[>{D6D8B1C1-148C-4146-A9E4-551607CEF13B}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe C:\WINNT\Nail.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINNT\dsr.dll - {00F1D395-4744-40f0-A611-980F61AE2C59}
(no name) - C:\WINNT\system32\jhlquzel.dll - {71D1708F-973D-4600-AF01-AD86688403AE}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8429.7426967593

[Java Plug-in 1.4.1_02]
InProcServer32 = C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
AOL Connectivity Service: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (autostart)
AOL TopSpeed Monitor: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (autostart)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation Service: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Command Service: C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe (autostart)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
Intel® PC Camera CS110: System32\Drivers\Icam5USB.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
mchInjDrv: \??\C:\WINNT\TEMP\mc21.tmp (disabled)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050810.004\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050810.004\NavEx15.Sys (manual start)
Network Everywhere Fast Ethernet Adapter(NC100): System32\DRIVERS\NC100.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
OrangeWare USB 2.0 Root Hub Support: System32\DRIVERS\ousb2hub.sys (manual start)
%OWC_USBEHCD.DeviceDesc%: System32\Drivers\ousbehci.sys (autostart)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\WINNT\System32\Drivers\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\WINNT\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
System Startup Service : C:\WINNT\svcproc.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp1.sys (system)
VIA AGP Bus Filter : System32\DRIVERS\viaagp1.sys (system)
VIA USB Filter: \SystemRoot\System32\Drivers\viausb.sys (manual start)
viaide: System32\DRIVERS\viaide.sys (system)
VIAPFD: \SystemRoot\System32\Drivers\VIAPFD.SYS (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Program Files\Netscape\Netscape\plugins\NPOJI610.dll||C:\Program Files\Netscape\Netscape\plugins\REN33.tmp => C:\Program Files\Netscape\Netscape\plugins\NPOJI610.dll||\

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 29,947 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 5:46:49 PM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINNT\system32\irljay.exe
C:\UPGRADES\SpyWareRemover\HijackThis\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINNT\system32\jhlquzel.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\irljay.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lanbrup] C:\WINNT\system32\lanbrup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [wfcoadc] C:\WINNT\system32\irljay.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D07C78-2CEF-4B1D-B11E-845ED26B11B8}: NameServer = 63.67.120.23
O20 - Winlogon Notify: policies - C:\WINNT\system32\tkpmon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8
Rawe

Posted 13 August 2005 - 04:03 PM

Visiting Staff

Member
4,746 posts

Please print these instructions out, or write them down, as you can't read them during the fix.

First;

Please download Ewido Security Suite it is a free version of the program.

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you will get a warning "Database could not be found!" Click OK. We will fix this in a moment.
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT run a scan yet.

Unzip dsrfix.zip and extract it to your desktop.
This will create a new folder on your desktop named dsrfix.
Do Not open that folder yet.

Please download APT and unzip the contents to a new folder on your desktop.

Open the folder you just created and click on apt.exe and search in the window for irljay.exe.
Open your C:\Windows\system32 folder and search for C:\WINNT\system32\irljay.exe.
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select irljay.exe and Click Kill3
Then immediately delete C:\WINNT\system32\irljay.exe from your system32 folder.

Close APT.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open Ewido and do a scan of your system.

Click on scanner
Click on Complete System Scan and the scan will begin.
Clean anything it finds.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close Ewido.

Now scan with HJT and place a checkmark next to each of the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINNT\system32\jhlquzel.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\irljay.exe r
O4 - HKLM\..\Run: [lanbrup] C:\WINNT\system32\lanbrup.exe
O4 - HKLM\..\Run: [wfcoadc] C:\WINNT\system32\irljay.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - Winlogon Notify: policies - C:\WINNT\system32\tkpmon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.

Double-Click on dsrfix.bat
A window will pop up briefly then close, this is normal.

Enable show hidden files and folders:

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

Now using Windows Explorer locate the following files/folders and delete if present;

C:\WINNT\system32\jhlquzel.dll
C:\WINNT\system32\irljay.exe
C:\WINNT\system32\lanbrup.exe
C:\Program Files\SurfSideKick 3\
C:\WINNT\system32\tkpmon.dll

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
When CleanUp starts go to the Options button (right side of CleanUp screen)
Move the arrow down to "Custom CleanUp!"
Now place a checkmark next to the following (Make sure nothing else is checked!):
- Delete Cookies
  This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
- Empty Recycle Bins
- Delete Prefetch files
- Cleanup! All Users
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

- Rawe :tazz:

#9
crystaldon

Posted 13 August 2005 - 06:55 PM

Member

Topic Starter
Member
48 posts

Well, we were close. Everything worked except

"Now using Windows Explorer locate the following files/folders and delete if present;..."

C:\WINNT\system32\tkpmon.dll

, it gave me a sharing violation when I tried to delete it.

Also, after rebooting and upon running the Ewido full system scan, it found new infections, starting with Look2me. The computer is crashing and rebooting after about 8 minutes of operation, so it's not long enough for Ewido to finish its entire scan. What shall I try next? Thanks again,

Don

Here are the logs:

hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:23 PM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\UPGRADES\SpyWareRemover\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\tnayui.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D07C78-2CEF-4B1D-B11E-845ED26B11B8}: NameServer = 63.67.120.23
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\tkpmon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido scan report after finishing in safe mode:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:54:31 PM, 8/13/2005
+ Report-Checksum: 148AFE4E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKU\S-1-5-21-1547161642-920026266-839522115-500\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1547161642-920026266-839522115-500\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1547161642-920026266-839522115-500\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
[164] C:\WINNT\system32\tkpmon.dll -> Spyware.Look2Me : Error during cleaning
[360] C:\WINNT\system32\dKdpmesh.dll -> Spyware.Look2Me : Error during cleaning
[592] C:\WINNT\system32\dKdpmesh.dll -> Spyware.Look2Me : Error during cleaning
C:\UPGRADES\SpyWareRemover\HijackThis\Temp\backups\backup-20050812-210711-547.dll -> Spyware.BookedSpace : Cleaned with backup
C:\UPGRADES\SpyWareRemover\HijackThis\Temp\backups\backup-20050812-210712-731.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\UPGRADES\SpyWareRemover\HijackThis\Temp\backups\backup-20050812-214023-680.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\UPGRADES\KeystrokeMacro\KeyboardLogger\BlazingSoftware\i_bpk_lite.exe/Setup.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
C:\UPGRADES\Serials2000\Temp\s2k.hacking.exe -> Dialer.Generic : Cleaned with backup
C:\UPGRADES\Serials2000\s2k.serials2k7.1.zip/s2k.hacking.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\InstallAPS.exe -> TrojanDropper.Small.ul : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\AUNIcons.exe -> TrojanDownloader.Agent.jq : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\SSK_B5 MVSSK 3.EXE -> TrojanDownloader.Small.qn : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\cxtpls_loader.exe -> TrojanDownloader.Apropo.r : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\VCM QOOL_3.exe -> TrojanDropper.Small.kz : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\HelperInstall.exe -> TrojanDropper.Delf.z : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\trgen-fran-default.exe -> Spyware.HotSearchBar.d : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\MTE1NTA6ODoxMg.exe -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\SYSTEM\Cache\installer_MARKETING17.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINDOWS\SYSTEM\sysmonnt.exe -> Trojan.VB.tq : Cleaned with backup
C:\WINDOWS\SYSTEM\AUNPS.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\SYSTEM\PopOops2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM\PopOops.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM\SWLAD2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM\SWLAD1.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\mscb.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\exdl3.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\mac80ex.idf/C:/WINDOWS/SYSTEM/msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\mac80ex.idf/C:/Program Files/BullsEye Network/bin/bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\psis80ex.ax/C:/WINDOWS/SYSTEM/mscb.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\psis80ex.ax/C:/Program Files/CashBack/bin/cashback.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack : Cleaned with backup
C:\WINDOWS\SYSTEM\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack : Cleaned with backup
C:\WINDOWS\SYSTEM\netut80ex.vxd/C:/WINDOWS/SYSTEM/exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\netut80ex.vxd/C:/WINDOWS/SYSTEM/mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\netut80ex.vxd/C:/WINDOWS/SYSTEM/exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\netut80ex.vxd/C:/WINDOWS/SYSTEM/javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\netut80ex.vxd/C:/WINDOWS/SYSTEM/bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\netut80ex.vxd/C:/WINDOWS/SYSTEM/msexreg.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM\netut80ex.vxd/C:/WINDOWS/SYSTEM/instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\TEMP\randreco.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.12:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.44:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.59:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.60:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.61:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.63:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.93:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.94:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.95:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.96:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.98:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.114:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.115:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.117:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.122:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.123:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.133:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.176:C:\WINDOWS\Application Data\Mozilla\Profiles\dlbrett\a3dd71hh.slt\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\WINDOWS\Cookies\don@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\WINDOWS\Cookies\don@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\don@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
C:\WINDOWS\Cookies\don@track-star[1].txt -> Spyware.Cookie.Track-star : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Adbutler : Cleaned with backup
C:\WINDOWS\Cookies\don@adorigin[5].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Cookies\don@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][5].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Cj : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
C:\WINDOWS\Cookies\don@epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\WINDOWS\Cookies\don@adorigin[4].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Trafficvenue : Cleaned with backup
C:\WINDOWS\Cookies\don@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Cookies\don@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Trafficvenue : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\WINDOWS\Cookies\don@trafficvenue[2].txt -> Spyware.Cookie.Trafficvenue : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\WINDOWS\Cookies\don@epilot[2].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\don@specificpop[3].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\WINDOWS\Cookies\don@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][4].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkicod5kbogsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4kgdpihqa2dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4qmajogqaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiogazoaogsdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlicgaziboq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnysmczgcogsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4wocjibqqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmykgc5chow2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@-1shz2prbmdj6wvny-1sez2pra2dj6wjkoopdziaow-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkykpazmaowudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmyagd5odpqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkychazgdqqidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkysndpgdqaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@-1shz2prbmdj6wvny-1sez2pra2dj6wjkyamd5ceow-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoakajwfogmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][3].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygjajofoawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnysodzacogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkykmajwaoa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@a-1shz2prbmdj6wvny-1sez2pra2dj6wjkoqoajakoa-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiqmcpgepasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4omdzsboaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliciajelqamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyskc5mgog2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysjd5wbqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliskcpefogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyqpczkfqq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4sidjcbowwdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmiapazefpqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkoogazodpa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyoldzsaoqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyshdjcfqa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyanczedowidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1lazccoamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@-1shz2prbmdj6wvny-1sez2pra2dj6wjmikkdzsgoa-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyuiajogoamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\Cookies\don@-1shz2prbmdj6wvny-1sez2pra2dj6wjliggazihpg-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyeldpmbqaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjligkajweqamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\WINDOWS\Cookies\don@a-1shz2prbmdj6wvny-1sez2pra2dj6wjnysjcjadoa-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyqkc5ogqq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyejcjodqqsdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygiczslqa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlikmajigowudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4gkcpmcpwqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliohcpwcqasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoskczmhog6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@a-1shz2prbmdj6wvny-1sez2pra2dj6wjnyuodzckpg-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyqkczwboqmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkikicjgbowmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4giczkaoasdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkosoazccpqsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][5].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkowlazskqa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoehcpmlpwmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Oewabox : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\Cookies\don@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\0XUZ8DU3\51[1].bin -> TrojanDownloader.Apropo.r : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\0XUZ8DU3\61[1].bin -> TrojanDropper.Small.ul : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\C56JSTAB\68[1].bin -> TrojanDownloader.Small.qn : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\C56JSTAB\44[1].bin -> Spyware.HotSearchBar.d : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\KDYFW1MF\banner[1].cab/banner.dll -> Spyware.Banex : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\0TYZK105\81[1].bin -> TrojanDropper.Small.kz : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\88J09U4Y\87[1].bin -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\8PAB09ER\65[1].bin -> TrojanDownloader.Agent.jq : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\CTM9GTW3\45[1].bin -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\TL0WA9ZC\29[1].bin -> TrojanDropper.Delf.z : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\Helper101.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\autoheal.exe -> Spyware.BargainBuddy.n : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe -> Spyware.Pacer : Cleaned with backup
C:\Program Files\eMule\Incoming\WinFax Pro 10 crack(1).exe -> Dialer.Generic : Cleaned with backup
C:\Program Files\Perfect Keylogger Lite\bpk.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
C:\Program Files\Perfect Keylogger Lite\bsdhooks.dll -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
C:\Program Files\Perfect Keylogger Lite\uninstall.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
C:\Program Files\Perfect Keylogger Lite\lview.exe -> TrojanSpy.Perfectkeylogger.10 : Cleaned with backup
C:\Program Files\TRQHQS6E\t3wei6z6.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\TRQHQS6E\TRQHQS6E.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\Netscape\Netscape\plugins\npzango.dll -> Spyware.WinAD : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfAccuracy\SAcc.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINNT\system32\ksdusr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\Pgleuw.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINNT\system32\aqthz.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\nswA.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINNT\system32\jhlquzel.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINNT\system32\lanbrup.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINNT\system32\dfprop.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mzbmctu.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINNT\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINNT\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINNT\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\akwmjaiked.exe -> Adware.BetterInternet : Cleaned with backup
C:\command.exe -> TrojanDropper.Delf.ev : Cleaned with backup

::Report End

#10
Rawe

Posted 14 August 2005 - 06:29 AM

Visiting Staff

Member
4,746 posts

Ok, let's fix your VX2 infection now;

Please download the l2mfix from one of the locations below;

http://www.atribune....oads/l2mfix.exe

http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe

Click the Install - button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to!

Note; if you recieve any error messages for CMD or Autoexec.bat>> select option 5 from the l2mfix and once at the site, click on the link that apply to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder!

- Rawe :tazz:

#11
crystaldon

Posted 14 August 2005 - 06:40 AM

Member

Topic Starter
Member
48 posts

Thanks Rawe, here's the scan report:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\tkpmon.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B3118065-960B-1CF2-5E63-4993F65026FC}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{FEB7DAE0-E111-11D0-BFD7-444553540000}"="ICEOWS"
"{DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2}\InprocServer32]
@="C:\\WINNT\\system32\\mxpmsnsv.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C is DESKSTAR60
Volume Serial Number is 1B5E-1EFF

Directory of C:\WINNT\System32

08/14/2005 08:35a 417,792 mxpmsnsv.dll
08/14/2005 01:54a 417,792 guard.tmp
08/12/2005 09:31p 417,792 tkpmon.dll
08/08/2005 09:28a 401,408 ??oolsv.exe
03/12/2005 10:47p 32 {56D89910-2A7C-4F9F-9D2F-C01E4C3F1B1F}.dat
03/12/2005 01:10p <DIR> dllcache
5 File(s) 1,654,816 bytes
1 Dir(s) 11,801,067,520 bytes free

#12
Rawe

Posted 14 August 2005 - 07:04 AM

Visiting Staff

Member
4,746 posts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

- Rawe :tazz:

#13
crystaldon

Posted 14 August 2005 - 07:23 AM

Member

Topic Starter
Member
48 posts

Here they are:

L2M log:

L2Mfix 1.03a

Running From:
C:\UPGRADES\SpyWareRemover\L2mFix\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\UPGRADES\SpyWareRemover\L2mFix\l2mfix
System Rebooted!

Running From:
C:\UPGRADES\SpyWareRemover\L2mFix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1120 'explorer.exe'
Killing PID 1120 'explorer.exe'
Error 0x5 : Access is denied.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1172 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINNT\system32\mmvci70.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\mmvci70.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ihxsap.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ihxsap.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\tebyuv.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\tebyuv.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\tkpmon.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\tkpmon.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\mmvci70.dll
Successfully Deleted: C:\WINNT\system32\mmvci70.dll
deleting: C:\WINNT\system32\mmvci70.dll
Successfully Deleted: C:\WINNT\system32\mmvci70.dll
deleting: C:\WINNT\system32\ihxsap.dll
Successfully Deleted: C:\WINNT\system32\ihxsap.dll
deleting: C:\WINNT\system32\ihxsap.dll
Successfully Deleted: C:\WINNT\system32\ihxsap.dll
deleting: C:\WINNT\system32\tebyuv.dll
Successfully Deleted: C:\WINNT\system32\tebyuv.dll
deleting: C:\WINNT\system32\tebyuv.dll
Successfully Deleted: C:\WINNT\system32\tebyuv.dll
deleting: C:\WINNT\system32\tkpmon.dll
Successfully Deleted: C:\WINNT\system32\tkpmon.dll
deleting: C:\WINNT\system32\tkpmon.dll
Successfully Deleted: C:\WINNT\system32\tkpmon.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: mmvci70.dll (deflated 48%)
adding: ihxsap.dll (deflated 48%)
adding: tebyuv.dll (deflated 48%)
adding: tkpmon.dll (deflated 48%)
adding: guard.tmp (deflated 48%)
adding: echo.reg (deflated 7%)
adding: clear.reg (deflated 22%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 61%)
adding: report02.txt (deflated 61%)
adding: lo2.txt (deflated 80%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (deflated 80%)
adding: xfind.txt (deflated 77%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2.reg (deflated 70%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: mmvci70.dll
deleting local copy: mmvci70.dll
deleting local copy: ihxsap.dll
deleting local copy: ihxsap.dll
deleting local copy: tebyuv.dll
deleting local copy: tebyuv.dll
deleting local copy: tkpmon.dll
deleting local copy: tkpmon.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

The following are the files found:
****************************************************************************
C:\WINNT\system32\mmvci70.dll
C:\WINNT\system32\mmvci70.dll
C:\WINNT\system32\ihxsap.dll
C:\WINNT\system32\ihxsap.dll
C:\WINNT\system32\tebyuv.dll
C:\WINNT\system32\tebyuv.dll
C:\WINNT\system32\tkpmon.dll
C:\WINNT\system32\tkpmon.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DE020B39-CFF2-4FAF-A261-67BEC1AB2EA2}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************

hjt log

Logfile of HijackThis v1.99.1
Scan saved at 9:23:09 AM, on 8/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\drwtsn32.exe
C:\UPGRADES\SpyWareRemover\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D07C78-2CEF-4B1D-B11E-845ED26B11B8}: NameServer = 63.67.120.23
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#14
Rawe

Posted 14 August 2005 - 07:33 AM

Visiting Staff

Member
4,746 posts

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall the following entries if present;

BullsEye Network
VirtualBouncer.exe (Or VBouncer)
AdDestroyer (Rogue/suspect anti-spyware, see more here;
http://www.spywarewa...ti-spyware.htm)
CashBack
NaviSearch

When finished,

Run a scan with HijackThis and check the following objects for removal;

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

Close any other open windows and/or open browsers, making sure that only HiJackThis is running. Make sure that the above mentioned objects are all checked, then hit "Fix Checked".

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\cfgmgr52.dll
C:\WINNT\system32\exp.exe
C:\WINNT\system32\wintask.exe
C:\WINNT\system32\nvms.dll
C:\WINNT\system32\mscb.dll
C:\WINNT\system32\msbe.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

After the reboot, delete the following folders;

C:\Program Files\BullsEye Network\
C:\Program Files\NaviSearch\
C:\Program Files\CashBack\

Run CleanUp, and reboot.

Post a fresh HiJackThis log.

- Rawe :tazz:

#15
crystaldon

Posted 14 August 2005 - 08:39 AM

Member

Topic Starter
Member
48 posts

Thanks Rawe, it looks like that did it. Some of the installed program were hiding under different names

The BullsEye Network
More CashBack
The AdDestroyer

I went over the entire list and uninstalled other things that didn't look right. I also ran AdAware and SpyBot and rebooted before capturing this log. BTW, both AdAware and SpyBot found entries they wanted to delete. Thanks again for the help, it looks like it is working fine now.
Don

Here's the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:38 AM, on 8/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\UPGRADES\SpyWareRemover\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\l2sudqb2.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{96D07C78-2CEF-4B1D-B11E-845ED26B11B8}: NameServer = 63.67.120.23
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe