Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

UMonitor DLL error / Recycle bin problems / VX2

Started by Bobo , Jan 04 2005 08:34 PM

  • This topic is locked This topic is locked

#16
Metallica
Posted 09 January 2005 - 03:05 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Regards,

Pieter
  • 0

Advertisements

#17
Bobo
Posted 09 January 2005 - 04:05 PM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Pieter!

Wow! It worked! Is there something else to do now, or is that it?

Could you please give me the perfect cue for this all to never happen again?

A million thanks for helping me fight fire with fire. Computers: you need to know them to fix them...

Regards.

Bobo :tazz:
  • 0

#18
Metallica
Posted 09 January 2005 - 04:20 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please read:
http://metallica.geekstogo.com/

And I love fighting spyware with all I have in me. :tazz:

Regards,

Pieter
  • 0

#19
Bobo
Posted 10 January 2005 - 07:52 PM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hello Pieter! My recycle bin have the same problem as yesterday... when files are deleted they don't go in the recycle bin.

I tried your routine again :
____________________________________________________________

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f

____________________________________________________________

But when I reboot the problem reappear... Maybe it's because I have turn the system restore ON... I don't know... :tazz:

If your not too tired of me and my endless problem, please help me.

Thank you

Bobo
  • 0

#20
Metallica
Posted 11 January 2005 - 04:48 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you post a new FindIt log and please NOT reboot until I answer.

Regards,

Pieter
  • 0

#21
Bobo
Posted 11 January 2005 - 06:00 AM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Pieter! I'm happy that you're still their for me... Thanks again!

This is my Find It log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Anti-virus-malware\Find It NT-2K-XP

------- System Files in System32 Directory -------
Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

10/01/2005 19:24 <REP> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
12/03/2003 12:13 7˙168 Thumbs.db
15/10/2002 22:18 <REP> Microsoft
2 fichier(s) 7˙224 octets
2 R‚p(s) 9˙123˙987˙456 octets libres

------- Hidden Files in System32 Directory -------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

10/01/2005 19:24 <REP> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
04/07/2004 18:57 508 ws045380.ocx
12/03/2003 12:13 7˙168 Thumbs.db
25/05/2002 14:24 8˙628 Ridger.GID
22/01/2002 18:10 10˙833 Cnbjhlp.GID
22/12/2001 14:46 488 WindowsLogon.manifest
22/12/2001 14:46 488 logonui.exe.manifest
22/12/2001 14:45 749 nwc.cpl.manifest
22/12/2001 14:45 749 ncpa.cpl.manifest
22/12/2001 14:45 749 sapi.cpl.manifest
22/12/2001 14:45 749 cdplayer.exe.manifest
22/12/2001 14:45 749 wuaucpl.cpl.manifest
12 fichier(s) 31˙914 octets
1 R‚p(s) 9˙123˙983˙360 octets libres

---------- Files Named "Guard" -------------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

14/03/2004 14:00 59 E_S86.tmp
06/02/2002 14:24 59 E_SA7.tmp
28/08/2001 04:00 3˙072 CONFIG.TMP
3 fichier(s) 3˙190 octets
0 R‚p(s) 9˙123˙979˙264 octets libres

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j6j6lg1s16.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
f2af79~1.sys Mon 6 Dec 2004 15:00:52 ..SHR 56 0,05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 56 bytes 0,05 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\HDBHO.dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




I will not close or reboot my computer...

Have nice day!

Bobo
  • 0

#22
Metallica
Posted 11 January 2005 - 06:39 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Run killbox and select delete on reboot then press the red X button and let it reboot.

C:\WINDOWS\System32\j6j6lg1s16.dll

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX3.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX3.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button

Then doubleclick recyclerem.bat

Your computer will reboot.

Let me know.

Pieter
  • 0

#23
Bobo
Posted 11 January 2005 - 05:08 PM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Pieter! When press X on Killbox menu I get this message just before it normaly reboot (but it don't reboot because of that?!) :

"PendingFileRenameOperations Registry Data has been Removed by External Process!"

Is this message normal? Should I reboot manualy?

Thanks for your efforts.

Bobo
  • 0

#24
Bobo
Posted 11 January 2005 - 05:40 PM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I can't find the j6j6lg1s16.dll files! But it still show up in my second Find It log...
  • 0

#25
Bobo
Posted 11 January 2005 - 06:14 PM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Pieter! I've continued the procedure and my recycle bin seems ok. This is my last Find It log below (j6j6lg1s16.dll file is not their). Do you think that I'm ok now?

Thanks again for all that you have done for me! You're a very good human being! :tazz:

Regards.

Bobo

_________________________________________________________________

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Anti-virus-malware\Find It NT-2K-XP

------- System Files in System32 Directory -------
Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

10/01/2005 19:24 <REP> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
12/03/2003 12:13 7˙168 Thumbs.db
15/10/2002 22:18 <REP> Microsoft
2 fichier(s) 7˙224 octets
2 R‚p(s) 9˙123˙450˙880 octets libres

------- Hidden Files in System32 Directory -------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

10/01/2005 19:24 <REP> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
04/07/2004 18:57 508 ws045380.ocx
12/03/2003 12:13 7˙168 Thumbs.db
25/05/2002 14:24 8˙628 Ridger.GID
22/01/2002 18:10 10˙833 Cnbjhlp.GID
22/12/2001 14:46 488 WindowsLogon.manifest
22/12/2001 14:46 488 logonui.exe.manifest
22/12/2001 14:45 749 nwc.cpl.manifest
22/12/2001 14:45 749 ncpa.cpl.manifest
22/12/2001 14:45 749 sapi.cpl.manifest
22/12/2001 14:45 749 cdplayer.exe.manifest
22/12/2001 14:45 749 wuaucpl.cpl.manifest
12 fichier(s) 31˙914 octets
1 R‚p(s) 9˙123˙446˙784 octets libres

---------- Files Named "Guard" -------------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

14/03/2004 14:00 59 E_S86.tmp
06/02/2002 14:24 59 E_SA7.tmp
28/08/2001 04:00 3˙072 CONFIG.TMP
3 fichier(s) 3˙190 octets
0 R‚p(s) 9˙123˙442˙688 octets libres

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
f2af79~1.sys Mon 6 Dec 2004 15:00:52 ..SHR 56 0,05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 56 bytes 0,05 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\HDBHO.dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



  • 0

Advertisements

#26
petruccichile
Posted 11 January 2005 - 08:07 PM

petruccichile

    New Member

  • Member
  • Pip
  • 3 posts
hi everybody, this is my first post, weel my english is very bad, i have a problem whit my recicle bin, i have any pop up and UMonitor error to the begin my sistem,


i ejecute the " HIJACTHIS " and this was the result...

Logfile of HijackThis v1.99.0
Scan saved at 23:01:47, on 11-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\ARCHIV~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe
C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Rodrigo\Escritorio\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://results.dashb...Dgz&ver=2.1.0.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=200.72.246.26:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\ARCHIV~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Descargar con Fl&ashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: Descargar todo con Flas&hGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash By FlashFavorite - res://C:\ARCHIV~1\FLASHF~1\FFCom.dll/IeMenu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FlashFavorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - C:\ARCHIV~1\FLASHF~1\FFCom.dll
O9 - Extra 'Tools' menuitem: Flash Favorite - {4335F0BE-9AAF-4023-9929-681B937B814A} - C:\ARCHIV~1\FLASHF~1\FFCom.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://195.190.118.1....chm::/file.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_18_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab30149.cab
O16 - DPF: {F718F66B-7989-4DD8-B00B-BEF1EEECF3A6} - http://juego.rallymo.../jiquique01.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84E5A640-7941-4DD5-B458-371A3F8C8D55}: NameServer = 200.28.4.129 200.28.4.130
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administración de IIS - Unknown - C:\WINDOWS\System32\inetsrv\inetinfo.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Protocolo simple de transferencia de correo (SMTP) - Unknown - C:\WINDOWS\System32\inetsrv\inetinfo.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown - C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Publicación en World Wide Web - Unknown - C:\WINDOWS\System32\inetsrv\inetinfo.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe


Before I ejecute " Find It NT-2K-XP " and the result is this ...


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

El volumen de la unidad C es DISCO WINXP
El nŁmero de serie del volumen es: 74E1-5711

Directorio de C:\WINDOWS\System32

11-01-2005 21:44 <DIR> dllcache
11-01-2005 19:11 224.990 l82slif7182.dll
11-01-2005 18:29 224.990 dynaddr.dll
11-01-2005 18:29 225.266 l6p20g7oe6.dll
11-01-2005 18:26 224.990 rXsppp.dll
11-01-2005 17:45 224.434 h2n00c5mef.dll
11-01-2005 16:29 225.021 jt8q07l5e.dll
11-01-2005 16:12 223.379 MKJT4JLT.DLL
11-01-2005 16:02 224.872 gpr4l39q1.dll
11-01-2005 14:36 223.379 n4l80e3ueh.dll
11-01-2005 13:29 223.379 dfmodemx.dll
11-01-2005 11:26 223.379 lvn2095oe.dll
11-01-2005 05:16 223.099 ir28l5fu1.dll
11-01-2005 03:20 224.721 k226lcfs1f26.dll
10-01-2005 23:55 223.099 me43dmod.dll
10-01-2005 23:55 224.509 h0j4la1q1d.dll
10-01-2005 14:43 223.190 r46ulej91ho.dll
10-01-2005 13:31 222.540 n86qlij518o.dll
09-01-2005 22:01 222.861 kt0ol7d31.dll
09-01-2005 21:37 226.137 kt44l7hq1.dll
09-01-2005 16:32 226.137 o266lcjs1fo6.dll
09-01-2005 14:24 226.137 wgfapi.dll
09-01-2005 02:03 226.137 aza4lghq164e.dll
08-01-2005 20:33 226.137 ilssuba.dll
08-01-2005 20:33 222.565 k4js0e17eh.dll
08-01-2005 18:55 224.307 l66o0gj3e6o.dll
08-01-2005 12:16 225.118 ktn0l75m1.dll
07-01-2005 21:11 224.174 damap.dll
07-01-2005 13:01 224.418 m6julg1916.dll
06-01-2005 23:09 223.232 g0402ahmgd4a2.dll
29-12-2004 11:09 56 2C707E59EB.sys
29-12-2004 11:09 9.394 KGyGaAvL.sys
30-10-2004 23:31 107 SftGrd.cfg
11-10-2004 17:15 <DIR> Microsoft
30-09-1999 20:21 166.672 mstext35.dll
28-09-1999 22:42 1.050.896 msjet35.dll
09-09-1999 23:06 252.688 msexcl35.dll
09-09-1999 23:06 168.720 msltus35.dll
25-08-1999 15:57 415.504 msrepl35.dll
10-06-1999 10:34 24.848 msjter35.dll
10-06-1999 10:34 123.664 msjint35.dll
07-06-1999 19:59 250.128 mspdox35.dll
25-04-1999 18:00 368.912 Vbar332.dll
25-04-1999 18:00 252.176 Msrd2x35.dll
25-04-1999 18:00 287.504 Msxbse35.dll
43 archivos 9.877.866 bytes
2 dirs 2.264.555.520 bytes libres

------- Hidden Files in System32 Directory -------

El volumen de la unidad C es DISCO WINXP
El nŁmero de serie del volumen es: 74E1-5711

Directorio de C:\WINDOWS\System32

11-01-2005 21:44 <DIR> dllcache
11-01-2005 20:10 526 vsconfig.xml
11-01-2005 03:47 4.212 zllictbl.dat
29-12-2004 11:09 56 2C707E59EB.sys
29-12-2004 11:09 9.394 KGyGaAvL.sys
30-10-2004 23:31 107 SftGrd.cfg
19-09-2004 00:45 488 WindowsLogon.manifest
19-09-2004 00:45 488 logonui.exe.manifest
19-09-2004 00:45 749 cdplayer.exe.manifest
19-09-2004 00:45 749 ncpa.cpl.manifest
19-09-2004 00:45 749 wuaucpl.cpl.manifest
19-09-2004 00:45 749 nwc.cpl.manifest
19-09-2004 00:45 749 sapi.cpl.manifest
12 archivos 19.016 bytes
1 dirs 2.264.551.424 bytes libres

------------ Files Named "Guard" ---------------

El volumen de la unidad C es DISCO WINXP
El nŁmero de serie del volumen es: 74E1-5711

Directorio de C:\WINDOWS\System32

11-01-2005 21:22 225.266 guard.tmp
1 archivos 225.266 bytes
0 dirs 2.264.551.424 bytes libres

------ Temp Files in System32 Directory ------

El volumen de la unidad C es DISCO WINXP
El nŁmero de serie del volumen es: 74E1-5711

Directorio de C:\WINDOWS\System32

11-01-2005 21:22 225.266 guard.tmp
11-08-2004 00:41 5.550.080 setb2.tmp
24-08-2001 13:00 2.909 CONFIG.TMP
23-08-2001 09:00 147.483 scrrun.dll.tmp
4 archivos 5.925.738 bytes
0 dirs 2.264.551.424 bytes libres

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{961C19C2-5BD1-4EFA-8105-74248D35A42F}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l6p20g7oe6.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
2c707e~1.sys Wed 29 Dec 2004 11:09:24 ..SHR 56 0,05 K
aza4lg~1.dll Sun 9 Jan 2005 2:03:36 ..S.R 226.137 220,84 K
damap.dll Fri 7 Jan 2005 21:11:18 ..S.R 224.174 218,92 K
dfmodemx.dll Tue 11 Jan 2005 13:29:38 ..S.R 223.379 218,14 K
dynaddr.dll Tue 11 Jan 2005 18:29:14 ..S.R 224.990 219,71 K
g0402a~1.dll Thu 6 Jan 2005 23:09:14 ..S.R 223.232 218,00 K
gpr4l3~1.dll Tue 11 Jan 2005 16:02:38 ..S.R 224.872 219,60 K
h0j4la~1.dll Mon 10 Jan 2005 23:56:00 ..S.R 224.509 219,25 K
h2n00c~1.dll Tue 11 Jan 2005 17:45:20 ..S.R 224.434 219,17 K
ilssuba.dll Sat 8 Jan 2005 20:33:48 ..S.R 226.137 220,84 K
ir28l5~1.dll Tue 11 Jan 2005 5:16:52 ..S.R 223.099 217,87 K
jt8q07~1.dll Tue 11 Jan 2005 16:29:02 ..S.R 225.021 219,75 K
k226lc~1.dll Tue 11 Jan 2005 3:20:54 ..S.R 224.721 219,45 K
k4js0e~1.dll Sat 8 Jan 2005 20:33:48 ..S.R 222.565 217,35 K
kgygaavl.sys Wed 29 Dec 2004 11:09:24 A.SH. 9.394 9,17 K
kt0ol7~1.dll Sun 9 Jan 2005 22:01:38 ..S.R 222.861 217,64 K
kt44l7~1.dll Sun 9 Jan 2005 21:37:06 ..S.R 226.137 220,84 K
ktn0l7~1.dll Sat 8 Jan 2005 12:16:56 ..S.R 225.118 219,84 K
l66o0g~1.dll Sat 8 Jan 2005 18:55:24 ..S.R 224.307 219,05 K
l6p20g~1.dll Tue 11 Jan 2005 18:29:14 ..S.R 225.266 219,98 K
l82sli~1.dll Tue 11 Jan 2005 19:11:30 ..S.R 224.990 219,71 K
lvn209~1.dll Tue 11 Jan 2005 11:26:42 ..S.R 223.379 218,14 K
m6julg~1.dll Fri 7 Jan 2005 13:01:54 ..S.R 224.418 219,16 K
me43dmod.dll Mon 10 Jan 2005 23:56:00 ..S.R 223.099 217,87 K
mkjt4jlt.dll Tue 11 Jan 2005 16:12:46 ..S.R 223.379 218,14 K
n4l80e~1.dll Tue 11 Jan 2005 14:36:38 ..S.R 223.379 218,14 K
n86qli~1.dll Mon 10 Jan 2005 13:31:04 ..S.R 222.540 217,32 K
o266lc~1.dll Sun 9 Jan 2005 16:32:32 ..S.R 226.137 220,84 K
r46ule~1.dll Mon 10 Jan 2005 14:43:56 ..S.R 223.190 217,96 K
rxsppp.dll Tue 11 Jan 2005 18:26:04 ..S.R 224.990 219,71 K
sftgrd.cfg Sat 30 Oct 2004 23:31:44 A.SHR 107 0,10 K
vsconfig.xml Tue 11 Jan 2005 20:10:36 A..H. 526 0,51 K
wgfapi.dll Sun 9 Jan 2005 14:24:32 ..S.R 226.137 220,84 K
zllictbl.dat Tue 11 Jan 2005 3:47:28 ...H. 4.212 4,11 K

34 items found: 34 files, 0 directories.
Total of file sizes: 6.520.892 bytes 6,22 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3apphk"="S3apphk.exe"
"MessengerPlus3"="\"C:\\Archivos de programa\\Messenger Plus! 3\\MsgPlus.exe\""
"Zone Labs Client"="C:\\ARCHIV~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"
"OfficeGuard RegChecker"="\"C:\\Archivos de programa\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\ogrc.exe\""
"AVPCC"="\"C:\\Archivos de programa\\Kaspersky Lab\\Kaspersky Anti-Virus Personal Pro\\avpcc.exe\" /wait"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


THANKS FOR YOUR HELP!! I NEED YOU PLIS !!

:tazz:
  • 0

#27
Metallica
Posted 12 January 2005 - 08:11 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
petruccichile,

Please start your own thread. You are confusing me and maybe Bobo as well.

Bobo,

Your FindIt log is clean. Well done. :tazz:

Can you post a HijackThis log please?

Regards,

Pieter
  • 0

#28
Bobo
Posted 12 January 2005 - 04:37 PM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Pieter! This is my new HijackThis log:

_____________________________________________

Logfile of HijackThis v1.99.0
Scan saved at 17:37:06, on 12/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\WINABI~1\FOLDER~1\FGLITE.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Anti-virus-malware\HijackThis_1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104624064864
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: FGLITE - WinAbility® Corporation - C:\PROGRA~1\WINABI~1\FOLDER~1\FGLITE.EXE
O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Partage de Bureau ŕ distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone - Unknown - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau ŕ distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Carte ŕ puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

_____________________________________________

Have nice one!

Thanks.

Bobo
  • 0

#29
Metallica
Posted 13 January 2005 - 05:53 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Doing my happy dance over here. :tazz:

One clean log to go.

Safe surfing,

Pieter
  • 0

#30
Bobo
Posted 13 January 2005 - 06:03 AM

Bobo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Thanks a million Pieter! ;) I'm very happy! You rock! :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP