Another winfixer victim :( [RESOLVED]


  • This topic is locked

#1
my_6th_sense

    Member

  • Member
  • 15 posts
I hope someone here can help me out...I already looked at other posts on this board but couldn't solve the problem myself...

Here is my HijackThis logfile!

Logfile of HijackThis v1.99.1
Scan saved at 14:48:09, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Indentix\WinGet\WinGet.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wouter\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system32\bits\askb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with &WinGet - res://C:\Program Files\Indentix\WinGet\WinIE.dll/300
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107081003921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: askb - C:\WINDOWS\system32\bits\askb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanks in advance!!
  • 0
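The HijackThis log above can be triaged mechanically before a helper reads it line by line. The script below is an added example, not part of this thread and not code from HijackThis or the forum staff: it parses a handful of lines copied from the log (the O2, O15 and O20 entries plus one header line) and flags the patterns that matter here: a Winlogon Notify DLL loaded from anywhere but the system32 root (askb.dll sits in system32\bits), a BHO registered without a display name or with its DLL in a system32 subdirectory, and any site added to the IE Trusted Zone. The SYSTEM32 constant assumes the C:\WINDOWS install the log shows, and the heuristics are this example's own, not rules stated on the page.

```python
import ntpath
import re

# Assumption: the log shows a C:\WINDOWS install, so this is the system32 root
# that Windows' own Winlogon Notify DLLs are expected to load from.
SYSTEM32 = r"c:\windows\system32"

# Constructed sample: lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system32\bits\askb.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O20 - Winlogon Notify: askb - C:\WINDOWS\system32\bits\askb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# "O20 - <body>": section tag, separator, then the entry text.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path in the entry text, through to end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")


def dll_directory(path):
    """Lower-cased directory of a Windows path; ntpath makes this work on any OS."""
    return ntpath.dirname(path).lower()


def triage(log_text):
    """Return (section, reason, line) tuples for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines and the running-process list carry no section tag
        section, body = m.group("section"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0).strip() if pm else None
        if section == "O20":
            # Notify DLLs run inside winlogon.exe before anyone logs on; Windows' own
            # ones resolve from the system32 root, so any other location stands out.
            if path is None or dll_directory(path) != SYSTEM32:
                findings.append((section, "Winlogon Notify DLL outside system32 root", raw))
        elif section == "O2":
            # "BHO: <name> - {CLSID} - <dll>"; an empty name is itself unusual.
            name = body.split(" - ", 1)[0].split(":", 1)[1].strip()
            if not name:
                findings.append((section, "BHO registered without a display name", raw))
            elif path and dll_directory(path).startswith(SYSTEM32 + "\\"):
                findings.append((section, "BHO DLL placed in a system32 subdirectory", raw))
        elif section == "O15":
            # Trusted Zone entries relax IE security for that site; review every one.
            findings.append((section, "site added to the IE Trusted Zone", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it reports five entries: the unnamed BHO, the askb.dll BHO, both Trusted Zone lines and the askb Winlogon Notify hook, while the Acrobat BHO and the Intel igfxcui hook pass. The checks are deliberately about location and shape rather than filenames, since names like askb.dll are random per infection.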

#2
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Hello and welcome!

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

Next:

Please download the l2mfix from one of the locations below;

http://www.atribune....oads/l2mfix.exe

http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to!

Note: if you receive any error messages for CMD or Autoexec.bat, select option 5 from l2mfix and, once at the site, click on the link that applies to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder!


- Rawe :tazz:
  • 0

#3
my_6th_sense

    Member

  • Topic Starter
  • Member
  • 15 posts
Okay, here's the log you asked for :tazz:

L2MFIX find log 1.04
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\askb]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\bits\\askb.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschappenvenster van multimediabestand"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerbeheer"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Het tabblad Beveiliging"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Eigenschappenblad voor OLE-docbestand"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldschermadapter"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Monitor"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldscherm-panning"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Het tabblad Beveiliging"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibiliteitspagina"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Knipselgegevensverwerker van shell"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Schijfkopieer-uitbreiding"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell-uitbreidingen voor Microsoft Windows Network-objecten"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-monitorbeheer"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerbeheer"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell-uitbreidingen voor bestandscompressie"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shell-uitbreiding voor Web Printer"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Snelmenu Codering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Werkmap"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-pictogramuitbreiding"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profiel"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Het tabblad Beveiliging voor printers"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-extensie"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto-handtekeningextensie"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netwerkverbindingen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netwerkverbindingen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners en camera's"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners en camera's"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners en camera's"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners en camera's"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners en camera's"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-uitbreidingen voor Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplande taken"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taakbalk en menu Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Zoeken"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Uitvoeren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Lettertypen"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Systeembeheer"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet-werkbalk"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Downloadstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Uitgebreide shell-map"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Uitgebreide shell-map 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft-browserbalk"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Zoekbalk"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Mediabalk"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Zoeken binnen deelvenster"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Zoeken op het web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Hulpprogramma met opties voor registerboomstructuur"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adres"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoAanvullen"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU-lijst voor AutoAanvullen"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Aangepaste MRU-lijst voor AutoAanvullen"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Toegankelijk"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Pop-upbalk Volgen"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Parser voor adresbalk"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lijst voor AutoAanvullen: Microsoft Geschiedenis"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lijst voor AutoAanvullen: Microsoft Shell-map"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft-container met meervoudige lijst voor AutoAanvullen"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Sitemenu van shell-band"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Gebruikersondersteuning"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globale mapinstellingen"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url-geschiedenisservice"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Geschiedenis"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url-zoeken Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-welkomstscherm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Het Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Cachemap van ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Map met abonnementen"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Toepassingsbeheer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Programma voor inventarisatie van geïnstalleerde toepassingen"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI- en bestandsextractieprogramma voor miniaturen"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informatie over de handler voor miniatuurweergaven (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-extractie voor miniatuurweergaven"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Wizard Webpublicaties"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Afdrukken via het web bestellen"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell-object voor publicatiewizard"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Wizard Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Gebruikersaccounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanaal-bestand"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanaal-snelkoppeling"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Handler-object voor kanalen"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Map Off line bestanden"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{330417E8-EF62-4047-82BE-D8305CEFF572}"="AMEncShlExt extension"
"{DBD1A1E2-6334-4734-8A0C-F00F5A345ECF}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"="CopyToCD shell extension"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{A5110426-177D-4e08-AB3F-785F10B4439C}"="Sony Ericsson File Manager"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Sun 3 Jul 2005 4:17:06 A.... 1.020.416 996,50 K
cdfview.dll Sun 3 Jul 2005 4:17:06 A.... 151.552 148,00 K
gccoll~1.dll Tue 12 Jul 2005 15:35:14 A.... 126.680 123,71 K
gcunco~1.dll Tue 12 Jul 2005 15:35:10 A.... 95.448 93,21 K
hashlib.dll Tue 12 Jul 2005 15:35:14 A.... 117.976 115,21 K
hhsetup.dll Fri 27 May 2005 4:08:56 A.... 41.472 40,50 K
icm32.dll Wed 29 Jun 2005 3:53:10 A.... 254.976 249,00 K
iepeers.dll Sun 3 Jul 2005 4:17:06 A.... 251.392 245,50 K
inseng.dll Sun 3 Jul 2005 4:17:06 A.... 96.768 94,50 K
itircl.dll Fri 27 May 2005 4:08:56 A.... 155.136 151,50 K
itss.dll Fri 27 May 2005 4:08:56 A.... 137.216 134,00 K
kerberos.dll Wed 15 Jun 2005 19:51:08 A.... 295.936 289,00 K
mscms.dll Wed 29 Jun 2005 3:53:10 A.... 74.240 72,50 K
mshtml.dll Wed 20 Jul 2005 5:12:58 A.... 3.012.096 2,87 M
mshtmled.dll Sun 3 Jul 2005 4:17:08 A.... 448.512 438,00 K
msrating.dll Sun 3 Jul 2005 4:17:08 A.... 146.432 143,00 K
pngfilt.dll Sun 3 Jul 2005 4:17:08 A.... 39.424 38,50 K
shdocvw.dll Sun 3 Jul 2005 4:17:08 A.... 1.483.776 1,41 M
shlwapi.dll Sun 3 Jul 2005 4:17:08 A.... 474.112 463,00 K
tapisrv.dll Fri 8 Jul 2005 18:29:38 A.... 249.344 243,50 K
umpnpmgr.dll Thu 30 Jun 2005 4:07:22 A.... 119.296 116,50 K
urlmon.dll Sun 3 Jul 2005 4:17:10 A.... 605.184 591,00 K
wininet.dll Sun 3 Jul 2005 4:17:10 A.... 661.504 646,00 K

23 items found: 23 files, 0 directories.
Total of file sizes: 10.058.888 bytes 9,59 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Het volume in station C heeft geen naam.
Het volumenummer is D01A-DA1F

Map van C:\WINDOWS\System32

02/07/2005 10:21 <DIR> DLLCACHE
16/04/2005 13:14 10.856 KGyGaAvL.sys
28/01/2005 11:20 3.547 akjmx.log
25/01/2005 04:18 9.939 javakk.exe
11/01/2005 16:11 401.408 w?nword.exe
30/12/2004 22:12 10.059 apiwr.exe
21/04/2004 21:49 <DIR> Microsoft
5 bestand(en) 435.809 bytes
2 map(pen) 10.236.440.576 bytes beschikbaar

Edited by my_6th_sense, 25 August 2005 - 07:02 AM.

  • 0
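The Winlogon/notify section of the L2MFix log above is a .reg export, and several DllName values are stored as hex(2), that is REG_EXPAND_SZ written out as UTF-16LE byte pairs and wrapped onto a second line with a trailing backslash. The Python below is an added example, not part of this thread and not L2MFix's own code: it parses an excerpt of that dump copied from the log (the askb, crypt32chain and cscdll subkeys), decodes the hex(2) values, and flags any Notify subkey whose DLL lives outside the system32 root or whose name is not in an assumed XP SP2 baseline built from the Microsoft-named subkeys in the log. The baseline set and the SYSTEM32 path are this example's assumptions.

```python
import ntpath
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SYSTEM32 = r"c:\windows\system32"  # assumption: C:\WINDOWS install, as in the log

# Assumed XP SP2 baseline: the Microsoft-named Notify subkeys seen in the log above.
EXPECTED_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Constructed sample: three subkeys copied from the L2MFix dump in post #3.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\askb]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\bits\\askb.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"""


def decode_hex2(value):
    """'hex(2):63,00,...' -> the REG_EXPAND_SZ string (UTF-16LE, NUL-terminated)."""
    hexpart = value.split(":", 1)[1]
    data = bytes(int(tok, 16) for tok in hexpart.split(",") if tok.strip())
    return data.decode("utf-16-le").rstrip("\x00")


def parse_notify_keys(reg_text):
    """Map each Notify subkey name to a dict of its values (value names lower-cased)."""
    entries, current = {}, None
    prefix = (NOTIFY_KEY + "\\").lower()
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Only subkeys of ...\Winlogon\Notify are of interest; the parent key is skipped.
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            if current is not None:
                entries[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue
        # A trailing backslash continues the value on the next line (hex(2) data).
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, value = m.group("name").lower(), m.group("value")
        if value.startswith("hex(2):"):
            value = decode_hex2(value)
        elif value.startswith('"') and value.endswith('"'):
            # Plain string: undo the .reg escaping of backslashes and quotes.
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries[current][name] = value
    return entries


def suspicious_notify_entries(entries):
    """(subkey, reason) for hooks loading outside system32 or missing from the baseline."""
    findings = []
    for subkey, values in entries.items():
        dll = values.get("dllname", "")
        directory = ntpath.dirname(dll).lower()
        if directory and directory != SYSTEM32:
            findings.append((subkey, f"DllName points outside the system32 root: {dll}"))
        elif subkey.lower() not in EXPECTED_NOTIFY:
            findings.append((subkey, f"subkey not in baseline, review: {dll}"))
    return findings


if __name__ == "__main__":
    for subkey, reason in suspicious_notify_entries(parse_notify_keys(SAMPLE_REG)):
        print(f"{subkey}: {reason}")
```

On the sample only askb is reported: its DllName is an absolute path into system32\bits, while crypt32chain (decoded from hex(2) to crypt32.dll) and cscdll are bare filenames of baseline entries. Vendor hooks such as igfxcui would land in the "review" bucket rather than the "outside system32" one, which is the right level of alarm for them.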

#4
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

- Rawe :tazz:
  • 0

#5
my_6th_sense

    Member

  • Topic Starter
  • Member
  • 15 posts
After the reboot, l2mfix didn't continue and no log was shown, but here's a new HijackThis log file...

Logfile of HijackThis v1.99.1
Scan saved at 15:07:47, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Indentix\WinGet\WinGet.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Wouter\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system32\bits\askb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wouter\Bureaublad\l2mfix\second.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with &WinGet - res://C:\Program Files\Indentix\WinGet\WinIE.dll/300
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107081003921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: askb - C:\WINDOWS\system32\bits\askb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


thanks 4 the help!

Edited by my_6th_sense, 25 August 2005 - 07:09 AM.

  • 0

#6
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Please print these instructions out, or write them down, as you can't read them during the fix.

First:

Please download Ewido Security Suite; it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Reboot into normal mode and post the Ewido log.

- Rawe :tazz:
  • 0

#7
my_6th_sense

    Member

  • Topic Starter
  • Member
  • 15 posts
hello,
I'm on another computer right now...
The scan is only 30% complete so far... after 20 minutes, is this normal?

thanks
  • 0

#8
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
It will take a while. Just be patient and post the log once the scan is finished :tazz:
  • 0

#9
my_6th_sense

    Member

  • Topic Starter
  • Member
  • 15 posts
ok, here's the post :tazz:

---------------------------------------------------------
ewido security suite - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 17:04:51, 25/08/2005
+ Rapport samenvatting: 1C1F7A40

+ Scan resultaten:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Schoongemaakt met een backup
HKLM\SOFTWARE\IST -> Spyware.ISTBar : Schoongemaakt met een backup
HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Schoongemaakt met een backup
HKU\S-1-5-21-3399214811-4080963341-1148649159-1006\Software\Bundles -> Spyware.SecondThought : Schoongemaakt met een backup
HKU\S-1-5-21-3399214811-4080963341-1148649159-1006\Software\SCom -> Dialer.Generic : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-1049fee6-446ade80.class -> Trojan.ClassLoader.Dummy.d : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5db50b5e-1a71b7c3.class -> Trojan.ClassLoader.Dummy.d : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7227c885-6a9cdb45.class -> Trojan.ClassLoader.Dummy.d : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-287bd75b-71283a1f.class -> Trojan.Byteverify : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-28b7d374-401726b0.class -> Trojan.Byteverify : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-40da00fc-18e404c6.class -> Trojan.Byteverify : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Bureaublad\backups\backup-20050201-184706-937.dll -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Bureaublad\Macromedia_Dreamweaver_MX_2004_v7[1].0_by_Core\vkz.exe -> TrojanDownloader.INService.i : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Bureaublad\Macromedia_Flash_MX_2004_by_RCF\gka.exe -> TrojanDownloader.INService.i : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Bureaublad\MSNBlockDetect\MSNBlockDetect.exe -> Backdoor.Optix.Pro.f : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Bureaublad\MSNBlockDetect\MSNBlockDetect.zip/MSNBlockDetect.exe -> Backdoor.Optix.Pro.f : Fout gedurende het schoonmake
C:\Documents and Settings\Wouter\Cookies\wouter@2o7[2].txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@advertising[1].txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@atdmt[2].txt -> Spyware.Cookie.Atdmt : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@bfast[1].txt -> Spyware.Cookie.Bfast : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@e-2dj6wfkyqhcjwbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@e-2dj6wjk4whcjehp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@e-2dj6wjkywnc5ehp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@e-2dj6wjl4kiazadp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@e-2dj6wjmygpcpacp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@ehg-tigerdirect2.hitbox[2].txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@fastclick[1].txt -> Spyware.Cookie.Fastclick : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@findwhat[1].txt -> Spyware.Cookie.Findwhat : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@hitbox[2].txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@stat.onestat[1].txt -> Spyware.Cookie.Onestat : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@statcounter[1].txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@targetnet[2].txt -> Spyware.Cookie.Targetnet : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Cookies\wouter@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\account_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\error-mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{10E7B31E-FCD3-4031-8C75-F003275D6075}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{148048C7-B6E8-45E0-A64E-63AD3E58A28B}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{209FAE3B-EB59-4560-B473-99B4FED3343D}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{223D40DA-1B88-47A2-A956-7BB6AFD3092F}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{249320DB-E593-4392-AEAD-3424AD3ECFB9}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{25F138A7-D5E8-4007-A240-DCD31F89F5F6}\mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{2D500FF5-1C10-481C-B261-40A6CB3DE59B}\error-mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{5D9E9EF0-48AB-4299-BCE8-11C3C13386C1}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{5F2B675A-5898-46CF-8658-DE2D43914FEB}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{602781E8-8D30-4289-8CBD-3F86B592CE15}\mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{619427EE-EE95-4DEC-BB1A-840C79717DAA}\account_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{61DE4BFF-691B-402D-A94A-EEF8EA3151A6}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{681FFE7D-68AD-459E-92F1-F6145B153BA2}\account_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{7437BCB2-A36B-4100-87E1-32DC7192D269}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{883E1B39-E0B9-46D0-88EC-51877F61058A}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{8900F0F0-98FE-4C67-AA97-83F5A47B84EE}\mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{A429DA21-782E-4E22-B032-6099D8448525}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{B40C14C0-0094-4342-8ECA-539F8DF8D7FB}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{B4272301-9B2F-4EA9-96AF-FE4ED6F58DDE}\error-mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{DF0B600E-78E9-4353-B03F-72CAD95E90E4}\mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{E7ED336E-331B-4F5D-A230-5CE28FF57932}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{E9A8683A-DC63-44DE-8455-4B8759859578}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{EA7A07ED-D6EA-431C-BE50-41867E8D901B}\error-mail_info.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{EE86BF0F-DFAC-4728-BF65-C9A4C32BFD1A}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{F3DA17FE-C63A-4888-835C-C8C0ABFF50EE}\account_info-text.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{F4DA4F21-745F-4546-9FD8-01BCC46A7C35}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Local Settings\Application Data\IM\Identities\{E51332F3-F1A9-492D-92BC-4E3F827DA968}\Message Store\Attachments\{FE06D5EB-19C4-4AD1-80E8-3C1A8B54CCB9}\our_secret.zip/Winzipped-Text_Data.txt .pif -> Worm.Sober.p : Schoongemaakt met een backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6DE31B86-E700-425A-BF0F-13EFEE\9C72F791-E910-44B8-88AB-A70ADC -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8FA18DAE-EAB6-4919-B4AB-7FA4F6\ECCD68DB-0DDB-4302-BD8F-495A54 -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C591F5D1-16CD-46DF-8EA1-708B83\E1BAA820-E246-4FA0-8B50-09448C -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CFD9CEB0-B7BC-4C4F-ABE7-E387BD\4C8CC889-E005-4081-B8FD-B1E619 -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\Program Files\Serv-U\ServUDaemon.exe -> Backdoor.ServU-based : Schoongemaakt met een backup
C:\System Volume Information\_restore{F89817AF-0A8C-4752-B403-11B3333F859B}\RP429\A0040365.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\System Volume Information\_restore{F89817AF-0A8C-4752-B403-11B3333F859B}\RP430\A0040401.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\System Volume Information\_restore{F89817AF-0A8C-4752-B403-11B3333F859B}\RP431\A0040473.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\System Volume Information\_restore{F89817AF-0A8C-4752-B403-11B3333F859B}\RP438\A0040810.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\System Volume Information\_restore{F89817AF-0A8C-4752-B403-11B3333F859B}\RP441\A0041557.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\System Volume Information\_restore{F89817AF-0A8C-4752-B403-11B3333F859B}\RP442\A0041579.dll -> Spyware.Altnet : Schoongemaakt met een backup
C:\System Volume Information\_restore{F89817AF-0A8C-4752-B403-11B3333F859B}\RP447\A0041743.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22DO+YOU+BELIEVE+IN+A+GOD+THAT+BRINGS+YOU+DOWN%22&133.xml:ikykx -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22EXTACY+IT+REALLY+GETS+ME+GOING%22&97.xml:tudgsy -> Spyware.OneMoreSearch : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22GOTTO+ACTIVATE+THE+TAKE+INSANE%22&708.xml:nkwcg -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22I+DON%27T+KNOW+WHAT+THIS+WORLD+IS+COMING+TO+I+DON%27T+UNDERSTAND+FROM%22&618.xml:lttqo -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22I+HOPE+WE+COME+TOGETHER%22&622.xml:asqsc -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22I+HOPE+WE+COME+TOGETHER%22&622.xml:prflq -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22NOTHING%27S+LEFT+FOR+ME+TO+FEEL%22&917.xml:rosyj -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22WHEN+NOTHING%27S+LEFT+FOR%22&717.xml:ocqtmd -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22XTC+IT+REALLY+GETS+ME+GOING%22&130.xml:hdjypn -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\b2_t_%22YOU+TRY+TO+KEEP+ME+IN+A+DREAM%22&135.xml:yrobqc -> Spyware.OneMoreSearch : Schoongemaakt met een backup
C:\WINDOWS\b2_t_JUMP%3A+THE+NEW+HARDSTYLE&46.xml:qxpfpz -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\b2_t_WANNEER+BLOK+2%3F&992.xml:uzldfw -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\b2_t_WEREN%27T&442.xml:vtpxl -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\bundles\HelperInstaller.exe -> TrojanDropper.Delf.z : Schoongemaakt met een backup
C:\WINDOWS\bundles\txdesuf.exe -> Backdoor.Agent.bg : Schoongemaakt met een backup
C:\WINDOWS\DBJDGJHQ.ini:ykhsa -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\Direct Connect Setup Log.txt:myfdks -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\DirectX.log:bpooy -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\DtcInstall.log:uqgts -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\Groensteen.bmp:itabbq -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\internet.exe:apupw -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\internet.exe -> Dialer.Generic : Schoongemaakt met een backup
C:\WINDOWS\iun6002.exe:sqmuy -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\javahe32.exe -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\KB828035.log:lnbae -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\KB835732.log:uywdu -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\magix(2).ini:fiixcn -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\magix(2).ini:porwa -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\magix(3).ini:fiixcn -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\magix(3).ini:porwa -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\magix.ini:fiixcn -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\magix.ini:porwa -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\MSDFMAP.INI:cjnxhn -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\MSGSOCM.LOG:qklizz -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\musicmaker.INI:ptkgm -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\NeroDigital.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\Prairie.bmp:fqdya -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\Q329909.log:mmgeie -> Spyware.OneMoreSearch : Schoongemaakt met een backup
C:\WINDOWS\REX Shared Library.dll:lmjhnw -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\Robota.INI:emumhh -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\SchedLgU.Txt:yqwwu -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\smscfg.ini:csruk -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\svcpack.log:utkzn -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\124788.exe/inst.EXE -> TrojanDropper.Small.mf : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\124788.exe/124788.exe -> Not-A-Virus.Pornware.Downloader.Tibsystems.a : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\apiwr.exe -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\BE352.exe -> Dialer.Generic : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\bits\askb.dll -> Trojan.Agent.cs : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\bmk13.exe -> Trojan.Favadd.a : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\dktibs.exe -> TrojanDownloader.Small.mx : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\javakk.exe -> Backdoor.Small.dc : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\wіnword.exe -> Spyware.PurityScan : Schoongemaakt met een backup
C:\WINDOWS\TASKMAN.EXE:nudeh -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\TASKMAN.EXE:sibdcr -> Spyware.OneMoreSearch : Schoongemaakt met een backup
C:\WINDOWS\toolbar.exe -> Trojan.LowZones.y : Schoongemaakt met een backup
C:\WINDOWS\twain_32.dll:gobxi -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\Windows Update.log:vshfv -> TrojanDownloader.Agent.bc : Schoongemaakt met een backup
C:\WINDOWS\WINNT.BMP:ytlyr -> Backdoor.Small.dc : Schoongemaakt met een backup


::Einde rapport
  • 0
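Added example, not part of this thread: a small Python parser for the two log formats posted above (the HijackThis O2/O4/O20 entries and Ewido's "object -> detection : status" lines) that joins them on the file path, so the O2 BHO and O20 Winlogon Notify entries for askb.dll line up with Ewido's Trojan.Agent.cs hit, and that separates Ewido's archive-member (`zip/member`) and NTFS alternate-data-stream (`file:stream`) targets such as the `.ini:vkxcby` entries. The sample lines embedded in it are a few lines copied from the logs in this thread, not the complete logs.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: a few lines copied from the HijackThis log and the
# Ewido report posted in this thread (not the complete logs).
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system32\bits\askb.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O20 - Winlogon Notify: askb - C:\WINDOWS\system32\bits\askb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
EWIDO_REPORT = r"""
HKLM\SOFTWARE\IST -> Spyware.ISTBar : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\bits\askb.dll -> Trojan.Agent.cs : Schoongemaakt met een backup
C:\WINDOWS\NeroDigital.ini:vkxcby -> TrojanDownloader.Agent.ap : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\124788.exe/inst.EXE -> TrojanDropper.Small.mf : Schoongemaakt met een backup
C:\Documents and Settings\Wouter\Bureaublad\MSNBlockDetect\MSNBlockDetect.zip/MSNBlockDetect.exe -> Backdoor.Optix.Pro.f : Fout gedurende het schoonmake
"""


@dataclass(frozen=True)
class AutostartEntry:
    section: str  # O2 = browser helper object, O4 = Run key, O20 = Winlogon Notify package
    name: str     # BHO name, "hive [value name]" or notify package name
    path: str     # file the entry loads, as printed in the log


@dataclass(frozen=True)
class ScanHit:
    target: str     # object exactly as the scanner printed it
    kind: str       # "registry", "file", "archive-member" or "ads"
    host: str       # file on disk (archive container or ADS host file for the last two)
    detail: str     # archive member name or stream name, "" otherwise
    detection: str
    cleaned: bool   # True when the scanner reported a successful clean


_O2_RE = re.compile(r'^O2 - BHO: ?(.*?) - \{[0-9A-Fa-f-]+\} - (.+)$')
_O4_RE = re.compile(r'^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.+)$')
_O20_RE = re.compile(r'^O20 - Winlogon Notify: (.+?) - (.+)$')
# First executable-looking token of an O4 command line, with or without surrounding quotes.
_EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|bat|cmd|com|scr|pif))"?(?:\s|$)', re.IGNORECASE)
_HIT_RE = re.compile(r'^(.+?) -> (\S+) : (.+)$')
_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKEY_")


def parse_hijackthis(text: str) -> list[AutostartEntry]:
    """Extract the O2, O4 and O20 entries of a HijackThis log; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O2_RE.match(line):
            entries.append(AutostartEntry("O2", m.group(1).strip(), m.group(2).strip()))
        elif m := _O4_RE.match(line):
            exe = _EXE_RE.match(m.group(3))
            path = exe.group(1) if exe else m.group(3)
            entries.append(AutostartEntry("O4", f"{m.group(1)} [{m.group(2)}]", path))
        elif m := _O20_RE.match(line):
            entries.append(AutostartEntry("O20", m.group(1).strip(), m.group(2).strip()))
    return entries


def parse_ewido(text: str) -> list[ScanHit]:
    """Parse Ewido's 'object -> detection : status' lines, classifying what each object is."""
    hits = []
    for line in text.splitlines():
        m = _HIT_RE.match(line.strip())
        if not m:
            continue
        target, detection, status = m.groups()
        # Ewido's Dutch status "Schoongemaakt met een backup" means "cleaned with a backup".
        cleaned = status.startswith("Schoongemaakt")
        if target.startswith(_HIVES):
            hits.append(ScanHit(target, "registry", target, "", detection, cleaned))
            continue
        host, kind, detail = target, "file", ""
        if "/" in target:                 # container/member: a file inside an archive
            host, detail = target.split("/", 1)
            kind = "archive-member"
        elif ":" in target[2:]:           # colon after the drive letter: NTFS alternate data stream
            host, detail = target.rsplit(":", 1)
            kind = "ads"
        hits.append(ScanHit(target, kind, host, detail, detection, cleaned))
    return hits


def _norm(path: str) -> str:
    # Windows paths are case-insensitive: the log prints system32, the scanner SYSTEM32.
    return path.strip().strip('"').lower()


def correlate(entries: list[AutostartEntry], hits: list[ScanHit]) -> list[tuple[AutostartEntry, ScanHit]]:
    """Pair each autostart entry with every scanner hit on the same file (or a stream/member of it)."""
    by_host = {}
    for hit in hits:
        if hit.kind != "registry":
            by_host.setdefault(_norm(hit.host), []).append(hit)
    return [(e, h) for e in entries for h in by_host.get(_norm(e.path), [])]


if __name__ == "__main__":
    for entry, hit in correlate(parse_hijackthis(HJT_LOG), parse_ewido(EWIDO_REPORT)):
        print(f"{entry.section} {entry.name}: {entry.path} -> {hit.detection} (cleaned={hit.cleaned})")
```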

#10
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Wow, it cleaned a lot. :tazz:

Can you run this online scan and post its results here along with a FRESH HijackThis log:

Panda Activescan
  • 0

#11
my_6th_sense

    Member

  • Topic Starter
  • Member
  • 15 posts
ok, doing the scan now, but it will take a while :)
And the winfixer (which seemed to be gone for a while now) appeared again :tazz:
thanks for the help :)
  • 0

#12
my_6th_sense

    Member

  • Topic Starter
  • Member
  • 15 posts
Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-573e8439.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-573e8439.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-573e8439.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-573e8439.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-6d80566c.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-6d80566c.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-6d80566c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-162a7bbe-6d80566c.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-5b729df9.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-5b729df9.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-5b729df9.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-5b729df9.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-71aea2d0.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-71aea2d0.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-71aea2d0.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-190119e9-71aea2d0.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-569820f2-4be6ad25.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv156.jar-8e3574-77e2e00c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv156.jar-8e3574-77e2e00c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv156.jar-8e3574-77e2e00c.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv156.jar-8e3574-77e2e00c.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv157.jar-9c4cf5-447bec86.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv157.jar-9c4cf5-447bec86.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv157.jar-9c4cf5-447bec86.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Wouter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv157.jar-9c4cf5-447bec86.zip[Parser.class]
Virus:Bck/OptixPro.R Disinfected C:\Documents and Settings\Wouter\Bureaublad\MSNBlockDetect\MSNBlockDetect.zip[MSNBlockDetect.exe]

#13
Rawe
    Visiting Staff
Ok.. In the Java cache.

Please do the following:

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

IF the updating function doesn't work and you DON'T have the latest version of Java, please install the latest version here (uninstall your older one first though);

http://www.java.com/...load/manual.jsp

Then try the Java cache clearing..

Then post a fresh HiJackThis log.

- Rawe :tazz:

#14
my_6th_sense
    Member
  • Topic Starter
Once again, a new HijackThis file :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 18:04:01, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Indentix\WinGet\WinGet.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Wouter\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system32\bits\askb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wouter\Bureaublad\l2mfix\second.bat
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with &WinGet - res://C:\Program Files\Indentix\WinGet\WinIE.dll/300
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107081003921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: askb - C:\WINDOWS\system32\bits\askb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

#15
Rawe
    Visiting Staff
Now I know what the infection is.

Please download VundoFix.zip to your desktop.
  • Double-click VundoFix.zip and extract it to your C:\ directory.
  • Copy the instructions below and paste them into Notepad for reference.
    • All other windows need to be closed while doing this fix!
  • Navigate to the new folder C:\VundoFix
  • Double click on KillVundo.bat
    • When it starts running it will tell you that you need an active internet connection then ask you to press any key once you do.
  • Please press any key to continue.
  • Wait for HiJackThis to open.
  • When HiJackThis opens, click Do a system scan only. Place a check next to the following items, if found:

    O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system32\bits\askb.dll

    O20 - Winlogon Notify: askb - C:\WINDOWS\system32\bits\askb.dll

  • Once they all have a check next to them, click the FIX CHECKED button, then close HiJackThis.
You will once again be prompted to press any key. Upon doing so this time you will receive a "Blue Screen Of Death". Don't worry, this is normal! Let the computer reboot. If it doesn't boot straight to Windows, manually turn the computer off and then back on.

Once the computer is rebooted post a new HiJackThis log as well as the contents of vundofix.txt which can be found in this folder: C:\VundoFix
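The pattern Rawe picks out above, one DLL registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), can be checked mechanically across a whole HijackThis log. This is an added Python example, not part of the thread or of any tool mentioned in it; the sample log lines are constructed from the entries quoted in post #14.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis log quoted in this thread
# (only the O2 and O20 entries, which are the sections that matter here).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\system32\bits\askb.dll
O20 - Winlogon Notify: askb - C:\WINDOWS\system32\bits\askb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# A HijackThis entry starts with its section code, e.g. "O2 - " or "O20 - ".
HJT_LINE = re.compile(r"^(O\d+) - (.+)$")


def parse_dll_entries(log_text):
    """Yield (section, dll_path, original_line) for O2 (BHO) and O20 (Winlogon Notify) lines."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m or m.group(1) not in ("O2", "O20"):
            continue
        # HijackThis separates fields with " - "; the DLL path is always the last field.
        path = m.group(2).rsplit(" - ", 1)[-1].strip()
        yield m.group(1), path, line


def shared_bho_and_notify_dlls(log_text):
    """Lower-cased DLL paths that appear both as a BHO and as a Winlogon Notify handler."""
    sections = defaultdict(set)
    for section, path, _ in parse_dll_entries(log_text):
        sections[path.lower()].add(section)
    return sorted(p for p, s in sections.items() if {"O2", "O20"} <= s)


def lines_to_review(log_text):
    """The original log lines that reference a DLL flagged by shared_bho_and_notify_dlls."""
    flagged = set(shared_bho_and_notify_dlls(log_text))
    return [line for _, path, line in parse_dll_entries(log_text) if path.lower() in flagged]


if __name__ == "__main__":
    for line in lines_to_review(SAMPLE_LOG):
        print(line)
```

Running it on the sample prints exactly the two askb.dll lines Rawe lists, while the Adobe, WinGet and Intel graphics entries are left alone because each appears in only one of the two sections.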