Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help in eliminating these spywares


  • Please log in to reply

#1
samy

samy

    Member

  • Member
  • PipPip
  • 15 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:32:55 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\gktm4r02.exe
C:\WINDOWS\system32\efsdfgxg.exe
C:\windows\system32\mdms.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\winstall.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool2.exe
C:\Program Files\ipee\othb.exe
C:\WINDOWS\system32\n?pdb.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\vxgamet2.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxgame6.exe
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\maxd1.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau8l.hpwis.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels32.exe
O2 - BHO: C:\WINDOWS\q6604316.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q6604316.dll
O2 - BHO: (no name) - {A9BAC50C-7DB0-2342-98EE-27B7613935E0} - C:\WINDOWS\system32\cujv.dll
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\windows\wtwain.dll,_mainRD
O4 - HKLM\..\Run: [gktm4r02] C:\WINDOWS\system32\gktm4r02.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\system32\efsdfgxg.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\system32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Aaou] "C:\Program Files\ipee\othb.exe" -vt mt
O4 - HKCU\..\Run: [Qwvx] C:\WINDOWS\system32\n?pdb.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=5062
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - (no file)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\pdnppagn.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q4434496.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\q6604316.dll
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome!

Please print these instructions out, or write them down, as you can't read them during the fix.

Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6)

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

Close it, we'll use it later on.

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

===================================================
Run a scan with HiJackThis and check the following objects for removal;

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels32.exe
O2 - BHO: C:\WINDOWS\q6604316.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q6604316.dll
O2 - BHO: (no name) - {A9BAC50C-7DB0-2342-98EE-27B7613935E0} - C:\WINDOWS\system32\cujv.dll
O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\windows\wtwain.dll,_mainRD
O4 - HKLM\..\Run: [gktm4r02] C:\WINDOWS\system32\gktm4r02.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\system32\efsdfgxg.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Aaou] "C:\Program Files\ipee\othb.exe" -vt mt
O4 - HKCU\..\Run: [Qwvx] C:\WINDOWS\system32\n?pdb.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=5062
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - (no file)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\pdnppagn.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q4434496.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\q6604316.dll
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)


Close any other open windows and/or open browsers, making sure that only HiJackThis is running. Make sure that the above mentioned objects are all checked, then hit "Fix Checked".
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Launch Ad-aware SE:

Set up the Configurations as follows:
  • Click the Gear wheel at the top of the Ad-Aware window
  • Click General > Safety & Settings: Check (Green) all three.
  • Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
Click on "Proceed"
Click on "Scan Now"
Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
Select "Search for low-risk threats"
Run the scanner using the Full Scan (Perform full system scan) mode.
When the scan has completed, select Next.
In the Scanning Results window, select the "Scan Summary" tab.
Check the box next to every "target family" for removal.
Click "Next", Click "OK".
Close it.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Navigate to, and delete the following files IF present:

C:\WINDOWS\blank.mht
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\cujv.dll
c:\windows\wtwain.dll,_mainRD
C:\WINDOWS\system32\gktm4r02.exe
C:\WINDOWS\system32\efsdfgxg.exe
c:\windows\system32\mdms.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\ipee\othb.exe
C:\WINDOWS\system32\n?pdb.exe <= Be careful with this one, ONLY delete the file with the ?
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
C:\WINDOWS\system32\sysvcs.exe
C:\WINDOWS\system32\pdnppagn.dll
C:\WINDOWS\q4434496.dll
C:\WINDOWS\q6604316.dll
C:\WINDOWS\tcpG4T.dll


Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Boot up into normal mode and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Let me know how's it running now. :tazz:

Edited by Rawe, 11 October 2005 - 07:18 AM.

  • 0

#3
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Panda Activescan Log

Incident Status Location

Adware:adware/cws.searchmeup No disinfected C:\Documents and Settings\All Users\Start Menu\Spyware Remover.url
Adware:adware/azesearch No disinfected C:\Documents and Settings\All Users\Start Menu\PopUp Blocker.url
Adware:adware/azesearch No disinfected C:\Documents and Settings\sharif\Favorites\SPORTS\Auto racing.url
Adware:adware/look2me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
Adware:adware/cws No disinfected C:\Documents and Settings\sharif\Favorites\[bleep] Real Girls.url
Adware:adware/cws.searchmeup No disinfected C:\Documents and Settings\sharif\Favorites\Today's Specials.url
Adware:adware program No disinfected C:\WINDOWS\flag.bla
Adware:adware/ncase No disinfected C:\WINDOWS\msbb.exe.temp
Adware:adware/ist.istbar No disinfected C:\Documents and Settings\sharif\Favorites\Adult Sites
Adware:adware/ilookup No disinfected C:\Documents and Settings\sharif\Favorites\Gambling
Adware:adware/mediatickets No disinfected Windows Registry
Adware:Adware/MediaTickets No disinfected C:\HJT\backups\backup-20051011-204848-558
Adware:Adware/MediaTickets No disinfected C:\HJT\backups\backup-20051011-204848-558.inf
Adware:Adware/MediaTickets No disinfected C:\HJT\backups\backup-20051013-210406-574
Adware:Adware/MediaTickets No disinfected C:\HJT\backups\backup-20051013-210406-574.inf
Virus:Trj/Hooker.N Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll
Virus:Trj/Hooker.N Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll
Adware:Adware/PurityScan No disinfected C:\Program Files\ipee\othb.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\mtjet35.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\ndsdexts.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\oheaccrc.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\pdnppagn.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\pntorsvc.dll

  • 0

#4
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hijakthis log

Logfile of HijackThis v1.99.1
Scan saved at 4:29:02 AM, on 15/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau8l.hpwis.com/
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\tvrmmgr.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
  • 0

#5
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
smitfiles


smitRem log file
version 2.6

by noahdfear

The current date is: Thu 13/10/2005
The current time is: 21:06:55.52

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


Pre-run Files Present


~~~ Program Files ~~~

SpySheriff


~~~ Shortcuts ~~~

SpySheriff
Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

zlbw.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:
  • 0

#6
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:53:11 PM, 13/10/2005
+ Report-Checksum: 7DB57F3F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0774F696-D801-4C18-81A7-A3A32B8BEF19} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0774F696-D801-4C18-81A7-A3A32B8BEF19}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1E6AC766-9094-4BCF-ABD3-39E2EAEA5FCD} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1E6AC766-9094-4BCF-ABD3-39E2EAEA5FCD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2A8A997F-BB9F-48F6-AA2B-2762D50F9289} -> Spyware.SmartShopper : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2A8A997F-BB9F-48F6-AA2B-2762D50F9289}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{454B4812-E572-4703-A1BB-63490809EAC0} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{454B4812-E572-4703-A1BB-63490809EAC0}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{580A1F3F-89B4-433B-BBDB-B97AEB13F3FC} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A798E2B4-B6A0-4B96-8C53-8EC7A3B0895A} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A798E2B4-B6A0-4B96-8C53-8EC7A3B0895A}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{175816A5-219E-4079-B2F9-53C501C409BA}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1C1793E0-1034-4CAC-837D-AA545F6961BF}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{34F4D917-31E4-464C-B8B3-84C1CE76B395} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{34F4D917-31E4-464C-B8B3-84C1CE76B395}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{5D16197A-1EAA-45AF-B29A-69F1AA055E87}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{5D9C84E7-FA45-49E2-A0B8-B6B5E9A4F6BE}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8A61A950-C325-4F44-BA64-273180FF3464}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B53D4CD4-406D-43CC-8244-7893D72236DD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B671426C-5C1A-48AC-9652-BC9402B1C404}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B9BB3219-F84C-4060-966B-4A1E73E24226}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E82431BF-E8A2-45CA-8361-E5517588CDA1}\TypeLib\\ -> Spyware.RelatedLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F786CB18-3809-4E49-BC99-9A66DA47DB8B}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\PrevAdX.Installer\CLSID\\ -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl\CLSID\\ -> Spyware.SmartShopper : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl.1\CLSID\\ -> Spyware.SmartShopper : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71EFE583-62FE-4419-9918-CA3B683F7B36} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{842D315A-7E1E-448B-96E8-9E76D1820BE2} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B5901229-25CC-43C9-B604-3BB6AC2B48A5} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C83DAED4-0611-4F7A-978E-7FEAFCB2F91B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI\3.2 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Hotbar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\Hotbar\Install -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{946B3E9E-E21A-49c8-9F63-900533FAFE14}\\ClsidExtension -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E77EDA01-3C56-4a96-8D08-02B42891C169}\\ClsidExtension -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PrevAdX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PrevAdX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperReports by Hotbar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\Install -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\ShopperReports\PostInstaller -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Internet Explorer\Explorer Bars\{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Internet Explorer\Explorer Bars\{A798E2B4-B6A0-4B96-8C53-8EC7A3B0895A} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A8A997F-BB9F-48F6-AA2B-2762D50F9289} -> Spyware.SmartShopper : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39DA2444-065F-47CB-B27C-CCB1A39C06B7} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{946B3E9E-E21A-49C8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E77EDA01-3C56-4A96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\ShopperReports\Install -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\ShopperReports\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3150264513-1181600528-1028485384-1013\Software\ShopperReports\ShopperReports\PostInstaller -> Spyware.HotBar : Cleaned with backup
[1696] C:\WINDOWS\system32\ndsdexts.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\sharif\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\sharif\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\sharif\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\sharif\Cookies\sharif@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloumcpseoaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\sharif\My Documents\photo.zip/photo.jpg .scr -> Worm.Mabutu.a : Cleaned with backup
C:\Documents and Settings\test\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nocheat.jar-67b60e84-3f4475f4.zip/Matrix.class -> TrojanDownloader.OpenConnection.s : Cleaned with backup
C:\WINDOWS\adsldpbc.dll -> TrojanDownloader.Delf.lh : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HbInstIE.dll -> Spyware.HotBar : Cleaned with backup
C:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\q10071942.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q10445620.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q10485537.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q11291055.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q11668518.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q11729135.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q12495076.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q12919066.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q12974145.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q14149125.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q14247406.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q14911281.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q15379634.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q17845159.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q18485340.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q1923626.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q1993987.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q21289272.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q21344742.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q21384349.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q21402124.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q21454199.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q21756944.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q2665382.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q2929332.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q3019571.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q3113927.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q3143910.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q3217736.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q4344547.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q5483134.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q5492818.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q5569258.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q6688287.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q6736236.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q6736766.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q6795481.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q713756.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q780993.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q7978522.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q800430.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q8021854.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q805618.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\q8166963.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q8775248.dll -> TrojanDownloader.Delf.wp : Cleaned with backup
C:\WINDOWS\q9230162.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\258291.exe -> TrojanDropper.Small.age : Cleaned with backup
C:\WINDOWS\system32\ahsldp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\awitvo32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cMpesnpn.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ctbcatq.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gktm4r02.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\hjfinst.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ibwphbk.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\IhagXpr5.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ixq.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mfutb.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mhhtml.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\MIJINT35.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mitlsapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mnvcrt20.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mtcshext.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvcorier.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mwdimap.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\myihnd.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\myjet40.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nntlogon.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\tjrmsrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ucpnpmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\uidmxfrm.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\unrdpa.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\uodmxfrm.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\vx.tll -> Adware.SpySheriff : Cleaned with backup
C:\WINDOWS\system32\w -> TrojanProxy.Cimuz.ai : Cleaned with backup
C:\WINDOWS\system32\wfnmp32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wontrust.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ztoolb011.dll -> Spyware.Zbar : Cleaned with backup
C:\WINDOWS\system32\ztoolbar.bmp -> Spyware.TNS-Search : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.o : Cleaned with backup
C:\WINDOWS\tool3.exe -> Trojan.Qhost.n : Cleaned with backup
C:\WINDOWS\tool4.exe -> Trojan.Qhost.n : Cleaned with backup
C:\WINDOWS\tool5.exe -> Trojan.Qhost.n : Cleaned with backup
C:\WINDOWS\zfj21b0n.exe -> TrojanDownloader.Agent.wn : Cleaned with backup
C:\winld32.dll -> TrojanDownloader.Small.anu : Cleaned with backup


::Report End
  • 0

#7
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks for your help. Even though the number of pop ups etc have reduced, there are still some like spotresults and winfixer and others that still popup.
  • 0

#8
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Looks like we have done some HUGE steps forward.

Let's clean up what's left.. :tazz:

Please download the l2mfix from one of the locations below;

http://www.atribune....oads/l2mfix.exe

http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe

Click the Install - button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to!

Note; if you recieve any error messages for CMD or Autoexec.bat>> select option 5 from the l2mfix and once at the site, click on the link that apply to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder!


Also post a fresh HijackThis log (Don't attach) along with L2Mfix log.
  • 0

#9
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\cciconfg.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4FC4A801-9D02-D848-D695-AFD63A7D9CB6}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{259F616C-A300-44F5-B04A-ED001A26C85C}"="SolidConverter extension"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"="{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
"{D66DC78C-4F61-447F-942B-3FB6980118CF}"="{D66DC78C-4F61-447F-942B-3FB6980118CF}"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{421CAFDF-D425-4E19-81F3-F5B86412068D}"=""
"{A3C63D76-E2A0-424C-A88C-0FDFC86F70DB}"=""
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{421CAFDF-D425-4E19-81F3-F5B86412068D}]
@=""
"IDEx"="ST015"

[HKEY_CLASSES_ROOT\CLSID\{421CAFDF-D425-4E19-81F3-F5B86412068D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{421CAFDF-D425-4E19-81F3-F5B86412068D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{421CAFDF-D425-4E19-81F3-F5B86412068D}\InprocServer32]
@="C:\\WINDOWS\\system32\\nntlogon.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A3C63D76-E2A0-424C-A88C-0FDFC86F70DB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3C63D76-E2A0-424C-A88C-0FDFC86F70DB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3C63D76-E2A0-424C-A88C-0FDFC86F70DB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A3C63D76-E2A0-424C-A88C-0FDFC86F70DB}\InprocServer32]
@="C:\\WINDOWS\\system32\\hkfcisp2.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
birdihuy.dll Tue 11 Oct 2005 20:28:26 A.... 62 0.06 K
cciconfg.dll Sat 15 Oct 2005 8:56:58 ..... 417,792 408.00 K
cujv.dll Thu 29 Sep 2005 5:55:08 A.... 122,880 120.00 K
gwfspi~1.dll Mon 29 Aug 2005 13:27:06 A.... 23,304 22.76 K
hkfcisp2.dll Sat 15 Oct 2005 21:49:08 ..S.R 417,792 408.00 K
legitc~1.dll Mon 29 Aug 2005 13:27:12 A.... 520,968 508.76 K
mtjet35.dll Fri 14 Oct 2005 8:19:56 ..S.R 417,792 408.00 K
ndsdexts.dll Thu 13 Oct 2005 20:56:30 ..S.R 417,792 408.00 K
oheaccrc.dll Fri 14 Oct 2005 3:30:38 ..S.R 417,792 408.00 K
pdnppagn.dll Thu 15 Sep 2005 15:39:00 ..S.R 417,792 408.00 K
pncrt.dll Sat 23 Jul 2005 16:03:58 A.... 278,528 272.00 K
pndx5016.dll Sat 23 Jul 2005 16:04:08 A.... 6,656 6.50 K
pndx5032.dll Sat 23 Jul 2005 16:04:08 A.... 5,632 5.50 K
pntorsvc.dll Fri 14 Oct 2005 22:42:50 A.S.R 417,792 408.00 K
rmoc3260.dll Sat 23 Jul 2005 16:04:46 A.... 176,167 172.04 K
tvrmmgr.dll Fri 14 Oct 2005 22:24:40 ..... 417,792 408.00 K

16 items found: 16 files (6 H/S), 0 directories.
Total of file sizes: 4,476,533 bytes 4.27 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Fri 14 Oct 2005 4:16:40 ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 5C9B-F7F5

Directory of C:\WINDOWS\System32

15/10/2005 09:49 PM 417,792 hkfcisp2.dll
15/10/2005 09:24 AM <DIR> dllcache
14/10/2005 10:42 PM 417,792 pntorsvc.dll
14/10/2005 08:19 AM 417,792 mtjet35.dll
14/10/2005 04:16 AM 417,792 guard.tmp
14/10/2005 03:30 AM 417,792 oheaccrc.dll
13/10/2005 08:56 PM 417,792 ndsdexts.dll
29/09/2005 05:55 AM 401,408 n?pdb.exe
15/09/2005 03:38 PM 417,792 pdnppagn.dll
11/10/2003 11:52 PM <DIR> Microsoft
11/10/2003 06:39 AM 32 {2DB522E1-A7FC-4D00-BFF3-3C58D6866E8E}.dat
06/04/2001 03:43 AM 94,208 msstkprp.dll
10 File(s) 3,420,192 bytes
2 Dir(s) 12,323,606,528 bytes free
  • 0

#10
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:04:05 PM, on 15/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau8l.hpwis.com/
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129332238148
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\cciconfg.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
  • 0

Advertisements


#11
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Okay, good.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#12
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1132 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 308 'rundll32.exe'
Killing PID 1476 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\mtjet35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mtjet35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ndsdexts.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ndsdexts.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oheaccrc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oheaccrc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pccrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pccrt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pdnppagn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pdnppagn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pntorsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pntorsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tvrmmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tvrmmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\mtjet35.dll
Successfully Deleted: C:\WINDOWS\system32\mtjet35.dll
deleting: C:\WINDOWS\system32\mtjet35.dll
Successfully Deleted: C:\WINDOWS\system32\mtjet35.dll
deleting: C:\WINDOWS\system32\ndsdexts.dll
Successfully Deleted: C:\WINDOWS\system32\ndsdexts.dll
deleting: C:\WINDOWS\system32\ndsdexts.dll
Successfully Deleted: C:\WINDOWS\system32\ndsdexts.dll
deleting: C:\WINDOWS\system32\oheaccrc.dll
Successfully Deleted: C:\WINDOWS\system32\oheaccrc.dll
deleting: C:\WINDOWS\system32\oheaccrc.dll
Successfully Deleted: C:\WINDOWS\system32\oheaccrc.dll
deleting: C:\WINDOWS\system32\pccrt.dll
Successfully Deleted: C:\WINDOWS\system32\pccrt.dll
deleting: C:\WINDOWS\system32\pccrt.dll
Successfully Deleted: C:\WINDOWS\system32\pccrt.dll
deleting: C:\WINDOWS\system32\pdnppagn.dll
Successfully Deleted: C:\WINDOWS\system32\pdnppagn.dll
deleting: C:\WINDOWS\system32\pdnppagn.dll
Successfully Deleted: C:\WINDOWS\system32\pdnppagn.dll
deleting: C:\WINDOWS\system32\pntorsvc.dll
Successfully Deleted: C:\WINDOWS\system32\pntorsvc.dll
deleting: C:\WINDOWS\system32\pntorsvc.dll
Successfully Deleted: C:\WINDOWS\system32\pntorsvc.dll
deleting: C:\WINDOWS\system32\tvrmmgr.dll
Successfully Deleted: C:\WINDOWS\system32\tvrmmgr.dll
deleting: C:\WINDOWS\system32\tvrmmgr.dll
Successfully Deleted: C:\WINDOWS\system32\tvrmmgr.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: mtjet35.dll (188 bytes security) (deflated 48%)
adding: ndsdexts.dll (188 bytes security) (deflated 48%)
adding: oheaccrc.dll (188 bytes security) (deflated 48%)
adding: pccrt.dll (188 bytes security) (deflated 48%)
adding: pdnppagn.dll (188 bytes security) (deflated 48%)
adding: pntorsvc.dll (188 bytes security) (deflated 48%)
adding: tvrmmgr.dll (188 bytes security) (deflated 48%)
adding: guard.tmp (188 bytes security) (deflated 48%)
adding: clear.reg (188 bytes security) (deflated 37%)
adding: lo2.txt (188 bytes security) (deflated 85%)
adding: smitfiles.txt (188 bytes security) (deflated 68%)
adding: smitfiles2.txt (188 bytes security) (deflated 65%)
adding: test.txt (188 bytes security) (deflated 84%)
adding: test2.txt (188 bytes security) (deflated 16%)
adding: test3.txt (188 bytes security) (deflated 16%)
adding: test5.txt (188 bytes security) (deflated 16%)
adding: xfind.txt (188 bytes security) (deflated 80%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: mtjet35.dll
deleting local copy: mtjet35.dll
deleting local copy: ndsdexts.dll
deleting local copy: ndsdexts.dll
deleting local copy: oheaccrc.dll
deleting local copy: oheaccrc.dll
deleting local copy: pccrt.dll
deleting local copy: pccrt.dll
deleting local copy: pdnppagn.dll
deleting local copy: pdnppagn.dll
deleting local copy: pntorsvc.dll
deleting local copy: pntorsvc.dll
deleting local copy: tvrmmgr.dll
deleting local copy: tvrmmgr.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\cciconfg.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\mtjet35.dll
C:\WINDOWS\system32\mtjet35.dll
C:\WINDOWS\system32\ndsdexts.dll
C:\WINDOWS\system32\ndsdexts.dll
C:\WINDOWS\system32\oheaccrc.dll
C:\WINDOWS\system32\oheaccrc.dll
C:\WINDOWS\system32\pccrt.dll
C:\WINDOWS\system32\pccrt.dll
C:\WINDOWS\system32\pdnppagn.dll
C:\WINDOWS\system32\pdnppagn.dll
C:\WINDOWS\system32\pntorsvc.dll
C:\WINDOWS\system32\pntorsvc.dll
C:\WINDOWS\system32\tvrmmgr.dll
C:\WINDOWS\system32\tvrmmgr.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{421CAFDF-D425-4E19-81F3-F5B86412068D}"=-
"{A3C63D76-E2A0-424C-A88C-0FDFC86F70DB}"=-
[-HKEY_CLASSES_ROOT\CLSID\{421CAFDF-D425-4E19-81F3-F5B86412068D}]
[-HKEY_CLASSES_ROOT\CLSID\{A3C63D76-E2A0-424C-A88C-0FDFC86F70DB}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

  • 0

#13
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:25:19 PM, on 15/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau8l.hpwis.com/
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129332238148
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\cciconfg.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
  • 0

#14
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Looks pretty good now. :)

Run a scan with HiJackThis and check the following object for removal:

O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\cciconfg.dll

Close ALL other open windows except for HiJackThis and hit FIX CHECKED.

Now..

1) Please download the Killbox by Option^Explicit.

2) Save it to your desktop.

3) Run Killbox.exe.

4) Select "Delete on Reboot".

5) Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\cciconfg.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

Reboot.

Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drive's.
A red dot will mark the selected drive(s) . Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drive's, hit yes to all.

Reboot again.

Post a fresh HiJackThis log once finished. :tazz:
  • 0

#15
samy

samy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:28:44 PM, on 16/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau8l.hpwis.com/
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129332238148
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\cciconfg.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP