Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

>>http://www.searc-h.com/normal/yyy53.html>> RELENTLESS RE


  • Please log in to reply

#1
superspeedfreek

superspeedfreek

    New Member

  • Member
  • Pip
  • 5 posts
Hello, I am not exactly sure about the infections' name in which I (we) are dealing with here. I have been trying to fix this situation for about a week now. It has become most intrusive and annoying to say the least. I have done all of the steps mentioned prior to posting about problem with accompanying log generated by the Hijack-This malware detection software. Which means I've downloaded, adjusted the settings, and ran Lavasofts Adaware SE, & the CWShredder. Downloaded, Installed Exploit Fix, and ran the Spybot S&D, Installed the Ewido antivirus, paused my current antivirus, and scanned the entire system for viruses. Did the Windows Update, installed suggested fixes, rebooted........ tried out the freshly cleaned up system. Disappointed to see that I'm still getting redirected upon opening my browser (which is Firefox) however not getting the IE browser auto-opening advertisements that I was getting earlier. The redirected browser hijacks are generally sending me to:
http://www.searc-h.com/normal/yyy53.html or http://us.dadamobile.com/splash/specialoffer_us3.html .
Here are the logs generated from Ewido & Hijack-This. Hopefully I am going about this procedure properly, if not please correct me, as I wasn't sure if to include the Ewido log but figured overkill is better than the opposite!

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:06:48 AM, 10/27/2005
+ Report-Checksum: FB6E75BB

+ Scan result:

[1836] C:\WINDOWS\system32\ruutetab.dll -> Spyware.Look2Me : Error during cleaning
[192] C:\WINDOWS\system32\ruutetab.dll -> Spyware.Look2Me : Error during cleaning
C:\contextplus.exe -> Trojan.Crypt.t : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wk0t7ywq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.10:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.11:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.18:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.19:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.20:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.21:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.22:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.23:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.24:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.25:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.26:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.27:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.28:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.29:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.33:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.34:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.36:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.52:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.53:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.54:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.55:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.87:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.92:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.113:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.119:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.120:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.121:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.122:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.123:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.139:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.140:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.144:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.145:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.195:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.196:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
:mozilla.211:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.212:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.224:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.225:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.226:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.227:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.228:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.239:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.240:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.241:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.242:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.261:C:\Documents and Settings\TMT\Application Data\Mozilla\Firefox\Profiles\46169q1c.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\TMT\Cookies\tmt@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\TMT\Local Settings\Temporary Internet Files\Content.IE5\0STCVWOG\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\TMT\Local Settings\Temporary Internet Files\Content.IE5\SDMN0LM7\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\drin.exe -> TrojanDownloader.Small.bke : Cleaned with backup
C:\drsmartload.exe -> Spyware.SmartLoad : Cleaned with backup
C:\installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\mte3ndi6odoxng.exe -> Spyware.ISearch : Cleaned with backup
C:\Program Files\UltraISO\Patch 7.2x.exe -> Trojan.Agent.jh : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\msresearch.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\sp2update00.exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\WINDOWS\system32\lvru0999e.dll -> Spyware.Look2Me : Cleaned with backup
C:\ysbinstall_1003585.exe -> TrojanDownloader.IstBar.is : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:28:46 AM, on 10/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\TMT\Desktop\hijack-this\HijackThis.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: SWF To Video Scout - {98417A5E-63A9-46EF-BAF0-50B9042E397F} - C:\Program Files\SWF To Video Scout\flashextract.exe (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128623072639
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\gppsl3771.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

----------------------------------------------------------------------------------------------------------------------------
This is where the log ended, didn't state it was the end of the log but assuming so since there was nothing more. I assure you I have followed the directions given for the spyware & virus software scans which includes making sure all disabled startup processes were running for the scannings & testing. I am more than grateful that this service is offered and don't wish to be any more trouble than I am already. I just want this problem remedied, so I can browse painlessly once again. If there is any info that I failed to provide that you may need, simply ask or request whatever it is that is needed to get all the 411 needed to diagnose or troubleshoot the problem. THANX!!! -ssf-
  • 0

Advertisements


#2
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Danny :tazz:
  • 0

#3
superspeedfreek

superspeedfreek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
It actually finished everything in less than a minute,....hope this alright. It also briefly stating something about not finding the necessary files, but then opened up this log:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g6400ghme64a0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4EF57E1C-B9F0-C82F-C9BD-D895822CB662}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}"="SnagIt"
"{CF74B903-3389-469c-B3B6-0204D204FCBD}"="SnagIt Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{FAD64369-5D8C-486F-A056-E47CD1946879}"=""
"{A8817622-2EB3-45FE-A5AF-BA6B94316894}"=""
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{680A1C3A-F0F3-4DAB-A86A-165684D7D827}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FAD64369-5D8C-486F-A056-E47CD1946879}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAD64369-5D8C-486F-A056-E47CD1946879}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAD64369-5D8C-486F-A056-E47CD1946879}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAD64369-5D8C-486F-A056-E47CD1946879}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcvfw32.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{680A1C3A-F0F3-4DAB-A86A-165684D7D827}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{680A1C3A-F0F3-4DAB-A86A-165684D7D827}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{680A1C3A-F0F3-4DAB-A86A-165684D7D827}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{680A1C3A-F0F3-4DAB-A86A-165684D7D827}\InprocServer32]
@="C:\\WINDOWS\\system32\\fRultrep.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
flash_~1.dll Fri Sep 16 2005 4:05:36p A.... 37,888 37.00 K
mssiwave.dll Fri Oct 21 2005 9:28:36a A.... 45,056 44.00 K
swfext.dll Fri Sep 16 2005 4:05:36p A.... 1,117,184 1.06 M
vnetinst.dll Tue Aug 16 2005 3:23:44a A...R 5,120 5.00 K
xvidcore.dll Sat Sep 24 2005 8:27:42a A.... 843,776 824.00 K
xvidvfw.dll Thu Sep 15 2005 3:38:44a A.... 151,552 148.00 K

6 items found: 6 files, 0 directories.
Total of file sizes: 2,200,576 bytes 2.10 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 487C-0923

Directory of C:\WINDOWS\System32

10/30/2005 04:59 AM <DIR> dllcache
10/26/2005 10:20 PM 3,350 KGyGaAvL.sys
06/18/2005 12:46 AM 104 730602BA39.sys
04/14/2005 03:26 PM <DIR> Microsoft
2 File(s) 3,454 bytes
2 Dir(s) 28,305,174,528 bytes free


####################################################################

BTW, - Thanks for replying, I have randomly been checking in to see if I had any responses, and was beginning to lose hope. I do appreciate your time & help, regardless if this problem gets resolved or not!!
HAPPY HALLOWEEN!! & THANKS AGAIN!!
-ssf-
  • 0

#4
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

[color="red"]IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Danny :tazz:
  • 0

#5
superspeedfreek

superspeedfreek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
The "fix" had some problems before rebooting and upon reopening, I dunno if this was the norm for this action but nonetheless it managed to complete the task (I guess) Well here are the results:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2028 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 184 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (188 bytes security) (deflated 46%)
adding: boot.ini (124 bytes security) (deflated 30%)
adding: DivXEncSettings.txt (188 bytes security) (deflated 49%)
adding: EyeCandyLog.txt (188 bytes security) (deflated 91%)
adding: lo2.txt (188 bytes security) (deflated 55%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (deflated 27%)
adding: test3.txt (188 bytes security) (deflated 27%)
adding: test5.txt (188 bytes security) (deflated 27%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g6400ghme64a0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FAD64369-5D8C-486F-A056-E47CD1946879}"=-
"{A8817622-2EB3-45FE-A5AF-BA6B94316894}"=-
"{680A1C3A-F0F3-4DAB-A86A-165684D7D827}"=-
[-HKEY_CLASSES_ROOT\CLSID\{FAD64369-5D8C-486F-A056-E47CD1946879}]
[-HKEY_CLASSES_ROOT\CLSID\{A8817622-2EB3-45FE-A5AF-BA6B94316894}]
[-HKEY_CLASSES_ROOT\CLSID\{680A1C3A-F0F3-4DAB-A86A-165684D7D827}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

AND THE HIJACK-THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 6:29:18 PM, on 11/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\TMT\Desktop\hijack-this\HijackThis.exe

O1 - Hosts: net
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: SWF To Video Scout - {98417A5E-63A9-46EF-BAF0-50B9042E397F} - C:\Program Files\SWF To Video Scout\flashextract.exe (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128623072639
O16 - DPF: {FBAA44A9-2AF3-450D-9881-BFE7BE67D852} (GeoPlayer ActiveX Control) - http://www.geoplayer.../GeoPlayerX.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g6400ghme64a0.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

######################################################################

well there are my results, hope everything is complete!!
and as mentioned before,
I APPRECIATE YOUR HELP!!
Thanks Again,-
-ssf-
  • 0

#6
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Open HijackThis, click the "Scan" button, and check the following items:

O1 - Hosts: net
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g6400ghme64a0.dll (file missing)


Close all windows except for HijackThis and click the 'Fix Checked' button.

Reboot and post a new log.

Danny :tazz:
  • 0

#7
superspeedfreek

superspeedfreek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Okay, sorry about the hiatus, but I've returned now and have completed the steps requested in the post dated on 11.02.05. Here is the log generated after rebooting:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:27 PM, on 11/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\TMT\Desktop\hijack-this\HijackThis.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: SWF To Video Scout - {98417A5E-63A9-46EF-BAF0-50B9042E397F} - C:\Program Files\SWF To Video Scout\flashextract.exe (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128623072639
O16 - DPF: {FBAA44A9-2AF3-450D-9881-BFE7BE67D852} (GeoPlayer ActiveX Control) - http://www.geoplayer.../GeoPlayerX.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

####################################################################

I do have a couple of questions relating to this log; on the entry listed as
"O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll", - do you know what this plugin is and is it an IE based plugin?<(not a plugin created by Firefox) as I try not to use IE at all and having a plugin for it seems strange, unless it is part of Firefox's extention to "view the current page in IE", I don't know what it is or why it's there.
& the following entry:
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab - This was installed to do a second virus scan at the request of posting a log here at Hijack This, however I uninstalled the software after completing the scan, ...I thought. Is this a leftover registry entry that can be removed as well?

Just wanted to ask about those two entries, thats all for now!!
Thanks!!!!
-ssf-
  • 0

#8
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

To answer your questions:

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll", - do you know what this plugin is and is it an IE based plugin?<(not a plugin created by Firefox)


I recommend you don't uncheck it, because I believe that this is a plugin in Internet Explorer, that shows certain elements on a page that weren't there before. (This is a guess. There is only one O12 that is bad).

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab - This was installed to do a second virus scan at the request of posting a log here at Hijack This, however I uninstalled the software after completing the scan, ...I thought. Is this a leftover registry entry that can be removed as well?


You can remove this, but then if you need to run Housecall again, you'll have to re-download the plugin. (This'll be a snap on broadband).

----------

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visitmonthly. And to keep your system clean run these free malware scannersweekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

Danny :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP