Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

uhmm.... help?


  • Please log in to reply

#1
Bobbla

Bobbla

    Member

  • Member
  • PipPip
  • 13 posts
Hallo.. :( here I am.. the bigest smart [bleep] in the world :woot: I downloaded some freeware.. and got some problems.. when registraing.. so I run to the nearest google.. and seached for some stuff to help me with that... so I came by this place where I found a cd-key generator.. and without thinking I downloaded it and used it.. and after that...... I found out that all I had to do was to do a free registrate at the little programs website.. and that problem was solved.... BUT since I was so smart to open that [bleep] file I got some pop ups problems.. :woot: and as always I go to google.. and thats how I ended up here.. moving on to the problem.. :P -> :P <-

I get some nasty pop ups.. (probebly some dirty program :) ) meaning that every now and then(quite often..) my little opera screen pops up becouse it wants to open the following sites..

http://www.ez-saving...rmal/yyy34.html
http://www.deal-pro....rmal/yyy34.html
http://www.savings-c...rmal/yyy34.html
http://www.myfuncard...xdm209&spu=true
http://www.super-cou...rmal/yyy34.html
http://www.cash-coup...rmal/yyy34.html
http://www.free-savi...rmal/yyy34.html
http://www.super-sto...rmal/yyy34.html
http://www.coupon-on...rmal/yyy34.html
http://www.searc-h.c...rmal/yyy34.html
http://www.searc-h.c...rmal/yyy53.html
http://www.virtual-c...rmal/yyy34.html
http://www.deal-nati...rmal/yyy34.html
http://www.great-cou...rmal/yyy34.html
http://www.shop-savi...rmal/yyy34.html
http://www.cool-disc...rmal/yyy34.html
http://www.deal-fory...rmal/yyy34.html
http://www.discount-...rmal/yyy34.html


and here is my HiJackThis file thingy :woot: (hope I did it right)

Logfile of HijackThis v1.99.1
Scan saved at 02:47:41, on 23.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\Logitech\iTouch\iTouch.exe
C:\Programfiler\Logitech\MouseWare\system\em_exec.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
C:\Programfiler\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\program files\redline\gameutil.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\SEC\Natural Color\NaturalColorLoad.exe
C:\Programfiler\Samurize\Client.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Opera\Opera.exe
C:\Documents and Settings\Bobbla^\Mine dokumenter\meg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itavisen.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programfiler\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programfiler\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Programfiler\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programfiler\eDonkey2000\edonkey2000.exe" -t
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - Startup: Client Default.lnk = C:\Programfiler\Samurize\Client.exe
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Highlight Zone II.lnk = C:\Programfiler\Samsung\Highlight Zone II\Highlight.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Programfiler\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\i024lafq1d2e.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

:P allways look at the bright side of life.. ey? hmm.. now why is there no introduction thread around here for thouse that ain't computer experts? :tazz: :rofl:

edit.. hmm.. someone? out there? :help:
edit nr.2.. bleep? thats whats the nastyest way to censore something I have ever seen hrhrhr makes me.. giggle :rofl:.. come on anyone?

Edited by Bobbla, 22 October 2005 - 07:30 PM.

  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello and welcome to Geeks to Go:tazz:

I see you have been infected by malware. Lets get you fixed up.
Please follow the directions as closely as you can . Lets begin

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

if you receive, while running option #1, an error similar like: ''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. do not run the fix portion without fixing this first.

  • 0

#3
Bobbla

Bobbla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Hello and welcome to Geeks to Go:woot:

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


thanks :woot: and what will happen if I press 2 and enter? :tazz: just wondering I'm not doing it yet :woot:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i024lafq1d2e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Brukere
(ID-IO) ALLOW Read BUILTIN\Brukere
(ID-NI) ALLOW Read BUILTIN\Privilegerte brukere
(ID-IO) ALLOW Read BUILTIN\Privilegerte brukere
(ID-NI) ALLOW Full access BUILTIN\Administratorer
(ID-IO) ALLOW Full access BUILTIN\Administratorer
(ID-NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access OPPRETTER EIER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{713C3DAA-BF54-F0F6-1C07-B6240DFA117C}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Egenskapsside for multimediefil"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM skannerbehandling"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-sikkerhetsside"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Egenskapsside for OLE DOC-fil"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Skallutvidelse for deling"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermkort"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermtype"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Kontrollpanelsutvidelse for skjermpanorering"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-sikkerhetsside"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitetsside"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Diskkopieringsutvidelse"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Skallutvidelser for Microsoft Windows-nettverksobjekter"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM skjermbehandling"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM skriverbehandling"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Skallutvidelser for filkomprimering"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Skallutvidelse for Web-skriver"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Hurtigmeny for kryptering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Koffert"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Ikonutvidelse for HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Skrifter"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Skriversikkerhetsside"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Skallutvidelse for deling"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-utvidelse"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign-utvidelse"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Nettverkstilkoblinger"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Nettverkstilkoblinger"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Skannere og kameraer"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Skannere og kameraer"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Skannere og kameraer"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Skannere og kameraer"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Skannere og kameraer"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Grensenittutvidelser for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft-datakobling"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Planlagte oppgaver"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Oppgavelinje og Start-meny"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="S›k"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hjelp og st›tte"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Kj›r..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internett"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-post"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative verkt›y"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internett-verkt›ylinje"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Nedlastingsstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="B†ndproxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft-tjeneste for tidligere URL-adresser"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Logg"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Midlertidige Internett-filer"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft-binding for URL-s›k"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Velkomstbilde for Internet Explorer 4.0"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internett"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-b†nd"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Mappe for ActiveX-hurtigbuffer"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Abonnementsmappe"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Behandling av skallprogrammer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerator for installerte programmer"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin Programpubliserer"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Uttrekking av miniatyrbilder i GDI+-filer"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Behandling av informasjon om miniatyrbilder"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Uttrekking av HTML-miniatyrbilder"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Veiviser for Web-publisering"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestille utskrifter via Weben"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Veiviserobjekt for skallpublisering"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="F† en passport-veiviser"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Brukerkontoer"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Mappe for Frakoblede filer"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="Etter &personer..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanalfil"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanalsnarvei"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Kanalbehandlingsobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Property Sheet Shell Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{9991AB78-358E-4366-9B09-138661731253}"="Firegraphic"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{265FF7B9-53D4-4559-B622-4644BBE8A1A3}"=""
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{265FF7B9-53D4-4559-B622-4644BBE8A1A3}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{265FF7B9-53D4-4559-B622-4644BBE8A1A3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{265FF7B9-53D4-4559-B622-4644BBE8A1A3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{265FF7B9-53D4-4559-B622-4644BBE8A1A3}\InprocServer32]
@="C:\\WINDOWS\\system32\\kddhela2.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ati2cqag.dll Wed 31 Aug 2005 3:42:50 A.... 233 472 228,00 K
ati2dvag.dll Wed 31 Aug 2005 4:42:54 A.... 238 592 233,00 K
ati2edxx.dll Wed 31 Aug 2005 4:37:22 A.... 39 936 39,00 K
ati2evxx.dll Wed 31 Aug 2005 4:37:12 A.... 46 080 45,00 K
ati3duag.dll Wed 31 Aug 2005 4:28:36 A.... 2 429 824 2,32 M
atiddc.dll Wed 31 Aug 2005 4:35:46 A.... 53 248 52,00 K
atidemgr.dll Wed 31 Aug 2005 6:33:32 A.... 258 048 252,00 K
atiiiexx.dll Wed 31 Aug 2005 7:08:36 A.... 307 200 300,00 K
atikvmag.dll Wed 31 Aug 2005 4:10:36 A.... 147 456 144,00 K
atioglx1.dll Wed 31 Aug 2005 5:57:50 A.... 6 684 672 6,38 M
atioglxx.dll Wed 31 Aug 2005 4:57:00 A.... 4 718 592 4,50 M
atipdlxx.dll Wed 31 Aug 2005 4:37:44 A.... 106 496 104,00 K
atitvo32.dll Wed 31 Aug 2005 3:47:46 A.... 17 408 17,00 K
ativvaxx.dll Wed 31 Aug 2005 4:23:04 A.... 600 672 586,59 K
cmdlin~2.dll Thu 13 Oct 2005 20:43:06 A.... 98 304 96,00 K
dwsenh.dll Fri 21 Oct 2005 20:27:42 ..S.R 234 272 228,78 K
i024la~1.dll Sun 23 Oct 2005 0:28:50 ..S.R 234 948 229,44 K
jt0s07~1.dll Sat 22 Oct 2005 2:35:30 ..S.R 234 272 228,78 K
kddhela2.dll Sun 23 Oct 2005 0:34:30 ..... 234 948 229,44 K
mcobjs.dll Sat 22 Oct 2005 20:53:50 ..S.R 234 948 229,44 K
msstdfmt.dll Thu 25 Aug 2005 19:18:16 A.... 118 784 116,00 K
mv2sl9~1.dll Sun 23 Oct 2005 0:32:48 ..S.R 234 272 228,78 K
mzc42u.dll Fri 21 Oct 2005 22:21:42 ..S.R 234 272 228,78 K
oemdspif.dll Wed 31 Aug 2005 4:37:34 A.... 73 728 72,00 K
srntf16.dll Sun 23 Oct 2005 0:30:48 ..S.R 234 272 228,78 K
tqpmon.dll Fri 21 Oct 2005 21:31:24 ..S.R 234 272 228,78 K

26 items found: 26 files (8 H/S), 0 directories.
Total of file sizes: 18 282 988 bytes 17,43 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sun 23 Oct 2005 0:37:30 ..S.R 234 948 229,44 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 234 948 bytes 229,44 K
**********************************************************************************
Directory Listing of system files:
Volumet i stasjon C er uten navn.
Volumserienummeret er ECEA-6796

Innhold i C:\WINDOWS\System32

23.10.2005 00:37 234˙948 guard.tmp
23.10.2005 00:32 234˙272 mv2sl9f71.dll
23.10.2005 00:30 234˙272 SRntf16.dll
23.10.2005 00:28 234˙948 i024lafq1d2e.dll
22.10.2005 20:53 234˙948 mcobjs.dll
22.10.2005 02:35 234˙272 jt0s07d7e.dll
21.10.2005 22:21 234˙272 mzc42u.dll
21.10.2005 21:31 234˙272 tqpmon.dll
21.10.2005 20:27 234˙272 dwsenh.dll
16.09.2005 17:36 <DIR> dllcache
12.03.2005 02:15 8 fgxp7.dll
28.12.2004 18:07 285 TBPS.ini
21.12.2004 06:54 <DIR> Microsoft
11 fil(er) 2˙110˙769 byte
2 mappe® 1˙739˙124˙736 byte ledig


uhmm... here it is.. hmm.. I see there are some norwagian words here and there.. I'll translate em if you want me too :P (and I hope it dosen't matter where I run the file from.. shoulden't.. anyways.. if you need help I'll do my best.. couse your helping me.. so if you want me to translate something for you I'll do it.. hmm.. if I only had the english version..) cheers! :)
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts

thanks and what will happen if I press 2 and enter? just wondering I'm not doing it yet


Your machine will explode...lol...just kidding :tazz: . There is a certain order in which the steps need to be ran

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons dont dissappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.
  • 0

#5
Bobbla

Bobbla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Your machine will explode...lol...just kidding :woot: . There is a certain order in which the steps need to be ran

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons dont dissappear or the log does not pop up then in the l2mfix folder double click the second.bat file to continue with the fix.


explode :) I did as you said.. option 2 --> reboot.. --> and then opneing secound.bat after sitting in the darkness for 6 hours without anything happening :woot:

anyways :woot: here we go!!

L2Mfix 1.04a

Running From:
C:\Documents and Settings\Bobbla^\Mine dokumenter\meg\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Brukere
(ID-IO) ALLOW Read BUILTIN\Brukere
(ID-NI) ALLOW Read BUILTIN\Privilegerte brukere
(ID-IO) ALLOW Read BUILTIN\Privilegerte brukere
(ID-NI) ALLOW Full access BUILTIN\Administratorer
(ID-IO) ALLOW Full access BUILTIN\Administratorer
(ID-NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access OPPRETTER EIER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administratorer
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Brukere
(ID-IO) ALLOW Read BUILTIN\Brukere
(ID-NI) ALLOW Read BUILTIN\Privilegerte brukere
(ID-IO) ALLOW Read BUILTIN\Privilegerte brukere
(ID-NI) ALLOW Full access BUILTIN\Administratorer
(ID-IO) ALLOW Full access BUILTIN\Administratorer
(ID-NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access OPPRETTER EIER



Setting up for Reboot


Starting Reboot!

Setting Directory
C:\Documents and Settings\Bobbla\Mine dokumenter\meg\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Bobbla^\Mine dokumenter\meg\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 336 'explorer.exe'
Killing PID 336 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dwsenh.dll
1 fil(er) ble kopiert.
Backing Up: C:\WINDOWS\system32\jt0s07d7e.dll
1 fil(er) ble kopiert.
Backing Up: C:\WINDOWS\system32\mcobjs.dll
1 fil(er) ble kopiert.
Backing Up: C:\WINDOWS\system32\mv2sl9f71.dll
1 fil(er) ble kopiert.
Backing Up: C:\WINDOWS\system32\mzc42u.dll
1 fil(er) ble kopiert.
Backing Up: C:\WINDOWS\system32\SRntf16.dll
1 fil(er) ble kopiert.
Backing Up: C:\WINDOWS\system32\tqpmon.dll
1 fil(er) ble kopiert.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 fil(er) ble kopiert.
deleting: C:\WINDOWS\system32\dwsenh.dll
Successfully Deleted: C:\WINDOWS\system32\dwsenh.dll
deleting: C:\WINDOWS\system32\jt0s07d7e.dll
Successfully Deleted: C:\WINDOWS\system32\jt0s07d7e.dll
deleting: C:\WINDOWS\system32\mcobjs.dll
Successfully Deleted: C:\WINDOWS\system32\mcobjs.dll
deleting: C:\WINDOWS\system32\mv2sl9f71.dll
Successfully Deleted: C:\WINDOWS\system32\mv2sl9f71.dll
deleting: C:\WINDOWS\system32\mzc42u.dll
Successfully Deleted: C:\WINDOWS\system32\mzc42u.dll
deleting: C:\WINDOWS\system32\SRntf16.dll
Successfully Deleted: C:\WINDOWS\system32\SRntf16.dll
deleting: C:\WINDOWS\system32\tqpmon.dll
Successfully Deleted: C:\WINDOWS\system32\tqpmon.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: dwsenh.dll (140 bytes security) (deflated 4%)
adding: jt0s07d7e.dll (140 bytes security) (deflated 4%)
adding: mcobjs.dll (140 bytes security) (deflated 5%)
adding: mv2sl9f71.dll (140 bytes security) (deflated 4%)
adding: mzc42u.dll (140 bytes security) (deflated 4%)
adding: SRntf16.dll (140 bytes security) (deflated 4%)
adding: tqpmon.dll (140 bytes security) (deflated 4%)
adding: guard.tmp (140 bytes security) (deflated 5%)
adding: clear.reg (140 bytes security) (deflated 37%)
adding: echo.reg (140 bytes security) (deflated 13%)
adding: direct.txt (140 bytes security) (deflated 2%)
adding: lo2.txt (140 bytes security) (deflated 79%)
adding: readme.txt (140 bytes security) (deflated 52%)
adding: report.txt (140 bytes security) (deflated 66%)
adding: test.txt (140 bytes security) (deflated 68%)
adding: test2.txt (140 bytes security) (deflated 27%)
adding: test3.txt (140 bytes security) (deflated 17%)
adding: test5.txt (140 bytes security) (deflated 27%)
adding: xfind.txt (140 bytes security) (deflated 62%)
adding: backregs/265FF7B9-53D4-4559-B622-4644BBE8A1A3.reg (140 bytes security) (deflated 70%)
adding: backregs/EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA.reg (140 bytes security) (deflated 70%)
adding: backregs/notibac.reg (140 bytes security) (deflated 87%)
adding: backregs/shell.reg (140 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Brukere
(ID-IO) ALLOW Read BUILTIN\Brukere
(ID-NI) ALLOW Read BUILTIN\Privilegerte brukere
(ID-IO) ALLOW Read BUILTIN\Privilegerte brukere
(ID-NI) ALLOW Full access BUILTIN\Administratorer
(ID-IO) ALLOW Full access BUILTIN\Administratorer
(ID-NI) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access NT-MYNDIGHET\SYSTEM
(ID-IO) ALLOW Full access OPPRETTER EIER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

Restoring Windows Update Certificates.:

deleting local copy: dwsenh.dll
deleting local copy: jt0s07d7e.dll
deleting local copy: mcobjs.dll
deleting local copy: mv2sl9f71.dll
deleting local copy: mzc42u.dll
deleting local copy: SRntf16.dll
deleting local copy: tqpmon.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dwsenh.dll
C:\WINDOWS\system32\jt0s07d7e.dll
C:\WINDOWS\system32\mcobjs.dll
C:\WINDOWS\system32\mv2sl9f71.dll
C:\WINDOWS\system32\mzc42u.dll
C:\WINDOWS\system32\SRntf16.dll
C:\WINDOWS\system32\tqpmon.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{265FF7B9-53D4-4559-B622-4644BBE8A1A3}"=-
"{EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA}"=-
[-HKEY_CLASSES_ROOT\CLSID\{265FF7B9-53D4-4559-B622-4644BBE8A1A3}]
[-HKEY_CLASSES_ROOT\CLSID\{EB3CAD74-DF59-4E9D-9222-F6AD484D3BBA}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



and here comes the HiJackThis log thingy :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 00:24:56, on 24.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\Logitech\iTouch\iTouch.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Logitech\MouseWare\system\em_exec.exe
C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\program files\redline\gameutil.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\SEC\Natural Color\NaturalColorLoad.exe
C:\Programfiler\Samurize\Client.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Bobbla^\Mine dokumenter\meg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itavisen.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programfiler\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programfiler\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Programfiler\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programfiler\eDonkey2000\edonkey2000.exe" -t
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - Startup: Client Default.lnk = C:\Programfiler\Samurize\Client.exe
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Highlight Zone II.lnk = C:\Programfiler\Samsung\Highlight Zone II\Highlight.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Programfiler\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

there you go :P
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Good now on to the next step :tazz:

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

Post a new hijack log when you are done please

Thanks
:)
  • 0

#7
Bobbla

Bobbla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Lets see... here we go :)

Logfile of HijackThis v1.99.1
Scan saved at 04:13:08, on 24.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\Logitech\iTouch\iTouch.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\Logitech\MouseWare\system\em_exec.exe
C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
C:\Programfiler\DU Meter\DUMeter.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\program files\redline\gameutil.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\SEC\Natural Color\NaturalColorLoad.exe
C:\Programfiler\Samurize\Client.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\foobar2000\foobar2000.exe
C:\Documents and Settings\Bobbla^\Mine dokumenter\meg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itavisen.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programfiler\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programfiler\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Programfiler\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programfiler\eDonkey2000\edonkey2000.exe" -t
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - Startup: Client Default.lnk = C:\Programfiler\Samurize\Client.exe
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Highlight Zone II.lnk = C:\Programfiler\Samsung\Highlight Zone II\Highlight.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Programfiler\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

soo.. does everything look like it should? :woot: gah.. its 4:16 am/0416.. and school starts later today.. so see you later today :tazz:
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Almost done, just another step or two :tazz:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

tsa



Please delete these folders using Windows Explorer(if present):

C:\PROGRAM files\COMMON files\tsa



Reboot

Please run this online virus scan:
Panda Active Scan You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new Hijack log

Thanks :)
  • 0

#9
Bobbla

Bobbla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
uhmm... I did almost do all of the stuff you asked me to do.... but after booting in to safe mode there were no sign of tsa.. guess thats a good thing.... hmm... and for some unknown reason I can't use panda active scan..

anyways.. here is a HiJackThis log..


Logfile of HijackThis v1.99.1
Scan saved at 05:05:54, on 24.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\Programfiler\Logitech\iTouch\iTouch.exe
C:\Programfiler\D-Tools\daemon.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\Logitech\MouseWare\system\em_exec.exe
C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
C:\Programfiler\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\program files\redline\gameutil.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\SEC\Natural Color\NaturalColorLoad.exe
C:\Programfiler\Samurize\Client.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\foobar2000\foobar2000.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bobbla^\Mine dokumenter\meg\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itavisen.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programfiler\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programfiler\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Programfiler\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programfiler\eDonkey2000\edonkey2000.exe" -t
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - Startup: Client Default.lnk = C:\Programfiler\Samurize\Client.exe
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Highlight Zone II.lnk = C:\Programfiler\Samsung\Highlight Zone II\Highlight.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\Programfiler\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

and there is no need to thank me.. I should thank you

Thank you :tazz:
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
That log looks good. How is the computer running?
  • 0

#11
Bobbla

Bobbla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
how is it running? as allways.. backwards :) nah.. its running as allways.. so far I don't have any pop ups.. you know.. I never have problems with my computer.. NEVER!! in my case the weak point is located between the keyboard and the chair :woot: gah.. I just happend to do something stupid this time.. hmm.. I got to get up in about 3 hours now.. so I'll see you later :tazz:
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Sorry for the late reply

Congratulations

your system is clean :tazz:

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.

And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#13
Bobbla

Bobbla

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
uhmm.. Thanks :woot: and about thouse programs fo yours.... if you look at my HiJackThis log you'll see that I got most of the programs that you recommand :tazz: but thanks anyways :)

when it comes to virus's and stuff like that its all about doing the right thing.. most of the time its the person useing the computers fault.. not the computers if you know what I mean :woot: gah.. enough of my talk... THANK YOU FOR HELPING ME :woot:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP